Configure Claims-Based Authentication

v8.3 and later

Overview

To authenticate users in Sequence using claims-based authentication, you modify the web.config file of each Sequence site (no changes are required for the Windows services).

Prerequisites

  • You must configure all Sequence sites under HTTPS. For more information, see Configure HTTPS for Sequence Sites.
  • Verify that your security token service (STS) issues SAML 2.0 tokens and exposes a WS-Federation endpoint.

Procedure

  1. In IIS, configure the root level authentication for each Sequence site.
     Setting                    Value
     Anonymous Authentication   Enabled
     ASP.NET Impersonation      Enabled
     Windows Authentication     Disabled
  2. In IIS, for the Default Document, add the Default.aspx file for each Sequence site.
    The Default.aspx file must be the only document.
  3. In web.config, add the <system.identityModel> and <system.identityModel.services> section declarations to the <configSections> section (under the root <configuration> node).
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> 
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  4. Modify the <authentication> section under the <sequence.engine> section so that it matches the following example.
    1. For claimType, use one of the claim types issued by your STS. Choose the claim whose value matches one of the following fields of the Sequence employees table:
      1. Domain/User Name
      2. User Name
      3. Email
    2. For authenticationType, use the value that corresponds to the field you selected in step 4a (same order):
      1. http://pnmsoft.com/sequence/2008/03/authentication/types/usernameDomain
      2. http://pnmsoft.com/sequence/2008/03/authentication/types/username
      3. http://pnmsoft.com/sequence/2008/03/authentication/types/email
    3. For originalIssuer, use the issuer identifier of your STS (the example uses https://sts.windows.net/yourTenantID/, where yourTenantID is your Azure AD tenant ID). You must use exactly the same value for the <trustedIssuers> name in step 7; otherwise the claim is not matched.

    4. <authentication impersonate="false">
         <providers>
           <add type="PNMsoft.Sequence.Security.ClaimsIdentityAuthenticationProvider, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
         </providers>
         <policies>
           <add type="PNMsoft.Sequence.Security.WSFederationAuthenticationPolicy, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
         </policies>
         <claims enabled="true">
           <IdentityClaims>
             <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                  originalIssuer="https://sts.windows.net/yourTenantID/"
                  authenticationType="http://pnmsoft.com/sequence/2008/03/authentication/types/email" />
           </IdentityClaims>
         </claims>
       </authentication>
        
  5. Register the HTTP modules that <system.identityModel> relies on under <system.webServer><modules>. Add the following entries to the web.config file.
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  6. Add the following under the main <configuration> node.
    <location path="Authentication/Federation">
      <system.web>
        <httpHandlers>
          <add verb="GET, POST" path="SignIn.axd" type="PNMsoft.Sequence.IdentityModel.Web.FederationSignInHttpHandler, PNMsoft.Sequence.IdentityModel, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
        </httpHandlers>
      </system.web>
      <system.webServer>
        <handlers>
          <add name="Authentication" verb="GET, POST" path="Authenticate.axd" type="PNMsoft.Sequence.Web.WSFederationAuthenticationHttpHandler, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
        </handlers>
      </system.webServer>
    </location>
    <location path="FederationMetadata">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
  7. Add the <system.identityModel> and <system.identityModel.services> sections shown in step 8 under the root <configuration> node, using the following values.
    • For <audienceUris><add value=>, use the URL of the Sequence site you are configuring. A token whose audience does not match this value is rejected.
    • For <trustedIssuers><add...>, use the following information.
      • thumbprint is the SHA-1 thumbprint of your STS token-signing certificate: 40 hexadecimal characters, with no spaces and no hidden characters copied from the certificate viewer (paste it as plain text).
      • name is the value you used for originalIssuer in step 4.
    • <certificateValidation certificateValidationMode="None" /> turns off chain and revocation checking of the token-signing certificate. A token is trusted only because the thumbprint of the certificate that signed it matches a <trustedIssuers> entry, so keep that list accurate and update it whenever the STS rolls over its signing certificate; otherwise tokens signed with the new certificate are rejected.
    • For <federationConfiguration><wsFederation>, use the following information.
      • issuer is the sign-in URL of your STS (where users are redirected to log in).
      • realm and reply are the URL of the Sequence site you are configuring.
      • Keep requireHttps="true" on <wsFederation> and requireSsl="true" on <cookieHandler>: the session cookie is then flagged Secure, and the module refuses to redirect to an STS issuer that is not served over HTTPS.
  8. <system.identityModel>
       <identityConfiguration>
         <audienceUris>
           <add value="XXXXX" />
         </audienceUris>
         <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
           <trustedIssuers>
             <add thumbprint="XXXXX" name="XXXXX" />
           </trustedIssuers>
         </issuerNameRegistry>
         <certificateValidation certificateValidationMode="None" />
       </identityConfiguration>
     </system.identityModel>
     <system.identityModel.services>
       <federationConfiguration>
         <cookieHandler requireSsl="true" />
         <wsFederation passiveRedirectEnabled="true" issuer="XXXXX" realm="XXXXX" reply="XXXXX" requireHttps="true" />
       </federationConfiguration>
     </system.identityModel.services>
  9. Under the <system.web> section, replace the existing <authentication>, <identity> and <authorization> elements, wherever they occur, with the following.
    <authentication mode="None"/>
    <identity impersonate="true" />
    <authorization>
             <deny users="?" />
    </authorization>
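The values in steps 4 through 9 only work when they agree with each other, and a single stray space in a thumbprint or issuer name is enough to make every sign-in fail. The following script is an added example, not part of the Sequence documentation or product: it parses a finished web.config and cross-checks the values the procedure requires to be kept in sync (audienceUris against realm and reply, the trustedIssuers name against originalIssuer, the thumbprint format, the HTTPS-only flags and the two WIF modules). SAMPLE_WEB_CONFIG is a constructed, abbreviated config with example.com hosts and a made-up thumbprint; the type attributes are shortened.

```python
"""Cross-check a Sequence web.config prepared for WS-Federation (added example)."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample for illustration only; not a real Sequence web.config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <sequence.engine>
    <authentication impersonate="false">
      <claims enabled="true">
        <IdentityClaims>
          <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
               originalIssuer="https://sts.example.com/"
               authenticationType="http://pnmsoft.com/sequence/2008/03/authentication/types/email" />
        </IdentityClaims>
      </claims>
    </authentication>
  </sequence.engine>
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
        <add value="https://sequence.example.com/" />
      </audienceUris>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
        <trustedIssuers>
          <add thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" name="https://sts.example.com/" />
        </trustedIssuers>
      </issuerNameRegistry>
      <certificateValidation certificateValidationMode="None" />
    </identityConfiguration>
  </system.identityModel>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" />
      <wsFederation passiveRedirectEnabled="true" issuer="https://sts.example.com/wsfed"
                    realm="https://sequence.example.com/" reply="https://sequence.example.com/"
                    requireHttps="true" />
    </federationConfiguration>
  </system.identityModel.services>
  <system.webServer>
    <modules>
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services" preCondition="managedHandler" />
      <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
"""

# A certificate thumbprint is the hex SHA-1 of the DER certificate: 40 hex digits and nothing else.
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def check_web_config(xml_text):
    """Return a list of findings; an empty list means the config is consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    def require(path):
        node = root.find(path)
        if node is None:
            findings.append("missing element: " + path)
        return node

    claim = require(".//IdentityClaims/add")
    audience = require(".//audienceUris/add")
    issuer = require(".//trustedIssuers/add")
    cookie = require(".//cookieHandler")
    wsfed = require(".//wsFederation")
    if findings:
        return findings

    # Step 7: the thumbprint must be plain hex, no spaces or hidden characters.
    thumbprint = issuer.get("thumbprint", "")
    if not THUMBPRINT_RE.match(thumbprint):
        findings.append("trustedIssuers thumbprint is not 40 hex digits: %r" % thumbprint)

    # Step 7: the issuer name must equal the originalIssuer from step 4. WIF stamps
    # tokens signed by this certificate with the name, and Sequence matches on it.
    name, original = issuer.get("name", ""), claim.get("originalIssuer", "")
    if name != original:
        findings.append("trustedIssuers name %r != originalIssuer %r" % (name, original))
    if name != name.strip():
        findings.append("trustedIssuers name has leading/trailing whitespace")

    # audienceUris, realm and reply are all the URL of this Sequence site.
    site = audience.get("value", "")
    for attr in ("realm", "reply"):
        if wsfed.get(attr, "") != site:
            findings.append("wsFederation %s %r != audienceUris %r" % (attr, wsfed.get(attr), site))

    # Prerequisite: the sites run under HTTPS, so both HTTPS-only flags must stay on.
    for node, attr in ((cookie, "requireSsl"), (wsfed, "requireHttps")):
        if node.get(attr, "").lower() != "true":
            findings.append("%s %s should be true" % (node.tag, attr))

    # Step 5: both WIF modules must be registered.
    modules = {m.get("name") for m in root.findall(".//modules/add")}
    for required in ("SessionAuthenticationModule", "WSFederationAuthenticationModule"):
        if required not in modules:
            findings.append("module not registered: " + required)
    return findings


if __name__ == "__main__":
    # Usage: python check_webconfig.py <path to the site's web.config>; no argument runs the sample.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG
    for line in check_web_config(text) or ["OK: no inconsistencies found"]:
        print(line)
```

Run it against each Sequence site's web.config after step 9. The script deliberately compares strings exactly rather than normalising URLs, so that the value you paste into realm and reply is the same text you registered with the STS.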