Configuring WINAP - SSO
Configuring and Activating the Windows Authentication Provider Instance
To add the authentication method
- Log on to Ubisecure Server Management with System Administrator privileges.
- Navigate to the Home → Global Method Settings view.
- Select Add Method…
Complete the Add New Method dialog as shown below
Figure 1. Add new Windows Authentication Provider method
- Modify the new entry "windows.localdomain.1", adapting it to your requirements (see Figure 2 below).
If the IP address range of domain users is known, set the Limit Method Visibility to contain the IP address range as a netmask in Dotted Decimal Format. This authentication method will only be presented as an option in a menu to users coming from an IP address within the range specified. If there are multiple non-contiguous ranges in use, separate the ranges with a whitespace character. (OPTIONAL)
Figure 2. Windows Authentication Provider method configuration, main context view.
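A pre-flight check for the Limit Method Visibility value described above, as an added example that is not part of the Ubisecure documentation or product. It assumes each range is written as network/netmask in dotted decimal (the page does not show the exact syntax); the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_visibility(setting):
    """Split a whitespace-separated range list into networks and errors."""
    networks, errors = [], []
    for entry in setting.split():
        try:
            # strict=True rejects host bits set in the network address;
            # non-contiguous netmasks are rejected by ipaddress as well.
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return networks, errors

def method_visible(client_ip, networks):
    """True if client_ip falls inside any of the configured ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def overlaps(networks):
    """Pairs of ranges that overlap, which usually signals a copy-paste slip."""
    return [(a, b) for i, a in enumerate(networks)
            for b in networks[i + 1:] if a.overlaps(b)]

# Constructed sample values (assumed syntax: network/netmask).
SETTING = "10.20.0.0/255.255.0.0 192.168.50.0/255.255.255.0"
CLIENTS = ["10.20.14.7", "192.168.50.200", "192.168.51.1", "203.0.113.9"]

if __name__ == "__main__":
    nets, errs = parse_visibility(SETTING)
    for err in errs:
        print("rejected:", err)
    for a, b in overlaps(nets):
        print("overlap:", a, b)
    for ip in CLIENTS:
        print(ip, "->", "shown" if method_visible(ip, nets) else "hidden")
```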
Select the Authentication Provider view from the Context Menu (see Figure 3 below)
Figure 3. Windows Authentication Provider method configuration, context view.
Set the Authentication Provider URL to the IIS instance hosting the Windows Authentication Provider, followed by "/uapsso/". For example, if the IIS web site is set up on the server hostname.example.com, the application's URL would be https://hostname/uapsso/login.aspx. Note that only the hostname part of the domain is used. Internet Explorer will recognize this site as a trusted intranet site. If network topology or configuration prevents the use of such an address, the fully qualified domain name may be used. If the fully qualified domain name is used, add the site name to the users' Trusted Sites list or zone. If the host is not in the Intranet Zone and not on the Trusted Sites list, the user may be prompted to enter credentials manually. If the Authentication Provider URL is not yet known, it can be added or changed later.
- Save the changes by clicking the Update button.
In the same view, create an activation file by selecting XML Format from the Activate Authentication Provider select box, and click the Activate button.
NOTE: You may experience some problems with this step due to Windows Domain Password Policy settings. See the WINAP additional information - SSO page for details on configuring ADAM to ignore these settings. This issue has been resolved in UAS version 5.1.3.
- Save the resulting agents.xml file. This file must be given in a secure manner to the person installing the Windows Authentication Provider on an IIS Server.
- Navigate to Main in the Context Menu.
- Check enabled in the Status section.
- Save the changes by clicking Update.
Create a test application:
- Ensure the windows.localdomain.1 authentication method is enabled for the site.
- Enable the windows.localdomain.1 authentication method for the Application.
- Create a group for all users Authenticated by Windows AP. Select the windows.localdomain.1 authentication method in the group's method tab.
- Add this group to Application's "Allowed To" list.
The process above is explained in detail in WINAP sequence diagram - SSO.
For more information concerning Ubisecure Server Management, please refer to Management user interface - SSO pages.