Configure Cora SeQuence for SAML 2.0 SSO with OAuth 2.0 for Service-to-Service

v8.4 and later

Overview

Learn how to configure the Cora SeQuence Administration site and the Flowtime Portal to allow service-to-service requests to Web Service Listeners and OData services.

When you configure Cora SeQuence Administration or the Flowtime Portal to use OAuth, all user authentication is performed through SSO (see Configuring Sequence to use SAML protocol and WS-Federation). You cannot use Windows authentication or Forms authentication. If you apply this configuration to an existing environment, you might need to update existing code and any other applications that access Web Service Listeners and OData.

Introduction

Cora SeQuence can authenticate a request to a Web Service Listener or an OData endpoint using an OAuth bearer token sent by the client in the Authorization header of the HTTP request. The client must acquire the token before calling Cora SeQuence, and it is the client's responsibility to keep the token secure.

All requests to [Sequence URL]/SequenceServices are inspected for a bearer token. If a bearer token is found, it is validated. If the token is valid, the identity it supplies is processed by Cora SeQuence authentication, and if that identity matches an existing Cora SeQuence user, execution continues as that user.

If the identity supplied by the token does not match any Cora SeQuence user, a 401 HTTP response is sent to the caller.

Requests sent to URLs other than SequenceServices are not inspected for a bearer token and pass through the Single Sign-On flow (see the Single Sign-On article for more information). You can apply the same settings as for SequenceServices to other locations under the web application using the <location /> element in the web.config file.

Supported Scenarios

Prerequisites

  • Configure SSO using SAML or WS-Federation to allow user authentication.
  • Have a configured Identity Provider that can issue bearer tokens to the client, with Cora SeQuence registered as a Service Provider (Relying Party).

How to Configure

IIS Configuration

To allow authentication using a bearer token in Cora SeQuence, configure the following in IIS.

For Administration Web Application and Flowtime Portal:

  • Make sure only Anonymous Authentication is enabled.
  • Configure Default.aspx as the default document for the root of the web application.

web.config

Modify the following sections of the web.config file:

  • configSections
  • sequence.engine/authentication (root location)
  • sequence.engine/identity (root location)
  • sequence.engine (SequenceServices location)
  • system.webServer/modules
  • system.serviceModel (Administration Only)
  • system.serviceModel (Flowtime Portal Only)
  • system.identityModel

configSections

Under configSections, add identity as a sectionGroup and, under it, the oauth section. This document also adds the saml section, to show a fully functional identity and authentication configuration.

<configuration>
  ...
  <configSections>
    ...
    <sectionGroup name="sequence.engine" type="PNMsoft.Sequence.Configuration.WorkflowEngineConfigurationSectionGroup, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
      ...
      <sectionGroup name="identity" type="PNMsoft.Sequence.Configuration.IdentityConfiguration, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
        <section name="saml" type="PNMsoft.Sequence.IdentityModel.Configuration.SamlConfigurationSection, PNMsoft.Sequence.IdentityModel.Saml2, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
        <section name="oauth" type="PNMsoft.Sequence.IdentityModel.Configuration.OAuthConfigurationSection, PNMsoft.Sequence.IdentityModel.OAuth, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
      </sectionGroup>
      ...
    </sectionGroup>
    ...
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    ...
  </configSections>
  ...
</configuration>

sequence.engine/authentication (root location)

<configuration>
  ...
  <sequence.engine>
    ...
    <authentication impersonate="true">
      <providers>
        <add type="PNMsoft.Sequence.Security.ClaimsIdentityAuthenticationProvider, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
      </providers>
      <forms enabled="false" />
      <claims enabled="true" ssoEnabled="true" signoutFromSts="false" loginUrl="~/AuthServices/Signin" logoutUrl="~/Logoff.aspx" accessDeniedUrl="~/ClaimsAccessDenied.aspx">
        <IdentityProviders>
        </IdentityProviders>
        <IdentityClaims>
          <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" originalIssuer="https://sts.windows.net/6eb6d1db-77bd-43a0-96a6-0423ab52be6f/" authenticationType="http://pnmsoft.com/sequence/2008/03/authentication/types/email" />
        </IdentityClaims>
      </claims>
    </authentication>
    ...
  </sequence.engine>
  ...
</configuration>

sequence.engine/identity (root location)

<configuration>
  ...
  <sequence.engine>
    ...
    <identity>
      <saml enabled="true">
        <serviceProvider name="https://odedpc.pnmsoftlabs.com/admin"
                         description="Oded PC Administration"
                         assertionConsumerServiceUrl="/AuthServices/acs"
                         localCertificateFile="Certificates\ServiceProviderCertificate.pfx"
                         localCertificatePassword="password" />
        <partnerIdentityProviders>
          <add name="https://sts.windows.net/6eb6d1db-77bd-43a0-96a6-0423ab52be6f/"
               description="Azure"
               wantSAMLResponseSigned="false"
               wantAssertionSigned="true"
               signAuthnRequest="true"
               singleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
               singleSignOnServiceUrl="https://login.microsoftonline.com/6eb6d1db-77bd-43a0-96a6-0423ab52be6f/saml2"
               singleLogoutServiceUrl="https://login.microsoftonline.com/6eb6d1db-77bd-43a0-96a6-0423ab52be6f/saml2"
               partnerCertificateStoreLocation="LocalMachine"
               partnerCertificateThumbprint="0aaf6ec6b0a8550a6e6e4c85eb4123888cbec941" />
        </partnerIdentityProviders>
      </saml>
      <oauth discoveryKind="Store"
             authority="https://login.microsoftonline.com/6eb6d1db-77bd-43a0-96a6-0423ab52be6f/oauth2/token"
             discoveryUri="https://login.microsoftonline.com/6eb6d1db-77bd-43a0-96a6-0423ab52be6f/v2.0/.well-known/openid-configuration"
             enabled="false"
             validAudience="5d747fdc-ce6a-487e-979f-ca6eb6cd7315"
             validIssuer="https://sts.windows.net/6eb6d1db-77bd-43a0-96a6-0423ab52be6f/">
        <identityProviderCertificates>
          <add name="firstCertificate" certificateFindType="FindByThumbprint" certificateFindValue="0aaf6ec6b0a8550a6e6e4c85eb4123888cbec941" certificateLocation="LocalMachine" valid="false" />
          <add name="secondCertificate" certificateFindType="FindByThumbprint" certificateFindValue="d92e120951acf1283d2d2e80a8b22ae83a56fa0f" certificateLocation="LocalMachine" valid="false" />
          <add name="thirdCertificate" certificateFindType="FindByThumbprint" certificateFindValue="cf8e3031d1eef302acba6adb7da2bdf2ac6ce582" certificateLocation="LocalMachine" valid="false" />
          <add name="fourthCertificate" certificateFindType="FindByThumbprint" certificateFindValue="c78efcc723a996c3351fb35793b4b1d7bc75ba97" certificateLocation="LocalMachine" valid="false" />
        </identityProviderCertificates>
      </oauth>
    </identity>
    ...
  </sequence.engine>
  ...
</configuration>

OAuth Configuration Options

Each option is listed as: name, description, default value, and whether it is required.

  • enabled: When enabled, any request that passes through the BearerTokenAuthenticationModule HttpModule is inspected, and when a bearer token is found the module tries to read it and use it to authenticate the user against Cora SeQuence. Default: True. Required: No.
  • validIssuer: The name of the token issuer. The name is validated against the token and the signing certificate. Default: N/A. Required: Yes.
  • authority: The OAuth token endpoint.
  • discoveryKind: Sets how OAuth discovers its identity provider's signing certificates (see discoveryKind options below). Default: OpenIdDiscoveryDocument. Required: Yes.
  • discoveryUri: When discoveryKind is set to OpenIdDiscoveryDocument, JsonWebKeySet or Federation, this setting locates the document that contains the information needed to retrieve the identity provider's signing keys. Default: Empty String. Required: Yes.
  • validAudience: The audience to which a token is issued. This value is usually a URI or another unique identifier in string form. Default: Empty String. Required: Yes.
  • validateAudience: Indicates whether the audience in the token should be validated against the audience set in this configuration. Default: True. Required: No.
  • validateIssuer: Indicates whether the issuer of the token should be validated against the issuer set in this configuration. Default: True. Required: No.
  • validateIssuerSigningKey: Indicates whether to validate that the token is signed by the issuer set in this configuration. Default: False. Required: No.
  • identityProviderCertificates: A collection of configuration elements specifying how to locate a certificate in the machine certificate store. This element is required only when discoveryKind is set to Store. Default: Null. Required: No.

discoveryKind options

A token is usually signed by the Identity Provider, and Cora SeQuence must be able to obtain the Identity Provider's public certificate in order to validate that signature on the token. There are four ways Cora SeQuence can discover the public certificate, selected with the discoveryKind attribute:

  • OpenIdDiscoveryDocument: Discovery is done using an OpenID discovery document. When this option is set, the discoveryUri attribute must point to a URI that serves this type of document.
  • JsonWebKeySet: Expects a URI that returns a JSON Web Key Set. This is a sub-setting of OpenIdDiscoveryDocument.
  • Federation: Expects a URI that returns a WS-Federation metadata document. When this option is set, the discoveryUri attribute must point to a URI that serves this type of document.
  • Store: Used when the certificates are stored in the machine's local certificate store. When this option is set, the identityProviderCertificates element is required.

identityProviderCertificate options

Under this element you configure where and how certificates are retrieved from the local certificate store. It is relevant only when discoveryKind is set to Store.

  • name: A unique name for each certificate.
  • certificateFindType: Based on the System.Security.Cryptography.X509Certificates.X509FindType enum.
  • certificateFindValue: The value used to find the certificate, interpreted according to the certificateFindType attribute.
  • certificateLocation: Based on the System.Security.Cryptography.X509Certificates.StoreLocation enum.
  • valid: Indicates whether the certificate can be retrieved even if it is not valid (the entire chain cannot be validated).
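To bridge the two discovery kinds above, the following Python is an added example and not part of Cora SeQuence or this article: it reads a JSON Web Key Set of the shape served at an OpenID discovery document's jwks_uri, converts each signing certificate's x5t value (the base64url-encoded SHA-1 thumbprint) into the hex thumbprint that identityProviderCertificates expects, and checks whether a thumbprint already configured under Store is still present in the identity provider's current key set. The JWKS content, the generated entry names and the valid="false" setting are assumptions made for the example.

```python
import base64
import json

# Constructed JWKS sample in the shape served at a discovery document's jwks_uri.
# The kid/x5t/modulus values are made up for this example; the x5c chain is omitted.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "kid": "Cq9uxrCoVQpubkyF60EjiIy-yUE",
     "x5t": "Cq9uxrCoVQpubkyF60EjiIy-yUE", "n": "MODULUS-PLACEHOLDER", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "not-a-signing-key",
     "x5t": "AAAAAAAAAAAAAAAAAAAAAAAAAAA", "n": "MODULUS-PLACEHOLDER", "e": "AQAB"},
]})


def x5t_to_thumbprint(x5t):
    """x5t is the base64url SHA-1 of the DER certificate; the Windows store shows the same bytes as hex."""
    raw = base64.urlsafe_b64decode(x5t + "=" * (-len(x5t) % 4))
    return raw.hex()


def thumbprint_to_x5t(thumbprint):
    """Inverse mapping, used to compare a store thumbprint against JWKS entries."""
    return base64.urlsafe_b64encode(bytes.fromhex(thumbprint.replace(" ", ""))).rstrip(b"=").decode()


def store_entries_from_jwks(jwks_json):
    """Render identityProviderCertificates <add> lines for discoveryKind="Store" from a JWKS."""
    lines = []
    for i, key in enumerate(json.loads(jwks_json)["keys"], 1):
        if key.get("use", "sig") != "sig" or "x5t" not in key:
            continue  # only signing certificates belong in the store list
        lines.append(f'<add name="idpCertificate{i}" certificateFindType="FindByThumbprint" '
                     f'certificateFindValue="{x5t_to_thumbprint(key["x5t"])}" '
                     f'certificateLocation="LocalMachine" valid="false" />')
    return lines


def jwks_covers_thumbprint(jwks_json, thumbprint):
    """Rotation check: is a thumbprint configured under Store still in the IdP's current key set?"""
    wanted = thumbprint_to_x5t(thumbprint)
    return any(key.get("x5t") == wanted
               for key in json.loads(jwks_json)["keys"] if key.get("use", "sig") == "sig")
```

Because the Store kind never re-reads the identity provider, running the rotation check against the live JWKS before a key rollover is how you learn that a configured thumbprint is about to stop matching.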

sequence.engine (SequenceServices location)

Under the SequenceServices location, add the entire <sequence.engine> element and its child elements, as shown below.

<configuration>
  ...
  <location path="SequenceServices">
    <sequence.engine>
      <authentication>
        <claims enabled="true" signoutFromSts="false" loginUrl="~/AuthServices/Signin" logoutUrl="~/Logoff.aspx" accessDeniedUrl="~/ClaimsAccessDenied.aspx" ssoEnabled="false" />
      </authentication>
      <data.services>
        <handlers>
          <add type="PNMsoft.Sequence.Data.Services.EntityBoundActivityDataServiceRequestHandler, PNMsoft.Sequence.Data.Services, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
        </handlers>
      </data.services>
      <identity>
        <oauth enabled="true" />
      </identity>
    </sequence.engine>
    <system.webServer>
      <handlers>
        <remove name="WebServiceListenerHttpHandlerFactory" />
        <add name="WebServiceListenerHttpHandlerFactory" path="*.asmx" type="PNMsoft.Sequence.Web.Services.WebServiceListenerHttpHandlerFactory, PNMsoft.Sequence.Web.Services, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" verb="*" />
      </handlers>
    </system.webServer>
  </location>
  ...
</configuration>

system.webServer/modules

  • Make sure the modules below are present and ordered as shown. If other modules are already registered under this element, place the new modules after the existing Cora SeQuence related modules.
  • Verify that the existing SequenceAuthenticationModule element has the preCondition="managedHandler" attribute set.

<configuration>
  ...
  <system.webServer>
    ...
    <modules>
      ...
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
      <add name="oauthBearerAuthenticationModule" type="PNMsoft.Sequence.IdentityModel.Services.BearerTokenAuthenticationModule, PNMsoft.Sequence.IdentityModel.OAuth, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
      <add name="SamlAuthenticationModule" type="PNMsoft.Sequence.IdentityModel.Services.SamlAuthenticationModule, PNMsoft.Sequence.IdentityModel.Saml2, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" preCondition="managedHandler" />
      ...
    </modules>
    ...
  </system.webServer>
  ...
</configuration>
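The validation attributes in the identity section and the module order above are easy to get subtly wrong, so here is a small lint script, added as an example and not part of Cora SeQuence or this article, that checks a web.config for the settings this article describes: issuer and audience set, the validate* switches not turned off, certificates listed when discoveryKind is Store, oauth enabled under the SequenceServices location, and the three authentication modules present in order. The embedded web.config is a constructed, trimmed sample with placeholder tenant and audience values; the check messages are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed web.config sample with placeholder tenant and audience values (not a real site).
SAMPLE_WEB_CONFIG = """<configuration>
  <sequence.engine><identity>
    <oauth discoveryKind="Store" enabled="false" validAudience="00000000-0000-0000-0000-000000000000"
           validIssuer="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
      <identityProviderCertificates>
        <add name="firstCertificate" certificateFindType="FindByThumbprint" certificateLocation="LocalMachine"
             certificateFindValue="0aaf6ec6b0a8550a6e6e4c85eb4123888cbec941" valid="false" />
      </identityProviderCertificates>
    </oauth>
  </identity></sequence.engine>
  <location path="SequenceServices">
    <sequence.engine><identity><oauth enabled="true" /></identity></sequence.engine>
  </location>
  <system.webServer><modules>
    <add name="SessionAuthenticationModule" preCondition="managedHandler" />
    <add name="oauthBearerAuthenticationModule" />
    <add name="SamlAuthenticationModule" preCondition="managedHandler" />
  </modules></system.webServer>
</configuration>"""

# The module order the article shows: session, then bearer token, then SAML.
MODULE_ORDER = ["SessionAuthenticationModule", "oauthBearerAuthenticationModule", "SamlAuthenticationModule"]

def lint_oauth_config(xml_text):
    """Return a list of findings for the OAuth-related settings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    oauth = root.find("sequence.engine/identity/oauth")
    if oauth is None:
        return ["root sequence.engine/identity/oauth element is missing"]
    # Issuer and audience are what bind an accepted token to this tenant and this application.
    for attr in ("validIssuer", "validAudience"):
        if not oauth.get(attr):
            findings.append(f"{attr} is empty, so the token's {attr[5:].lower()} is unconstrained")
    for attr in ("validateIssuer", "validateAudience"):
        if oauth.get(attr, "true").lower() == "false":
            findings.append(f"{attr}=false switches off a check that defaults to on")
    if oauth.get("discoveryKind") == "Store":
        if oauth.find("identityProviderCertificates/add") is None:
            findings.append("discoveryKind=Store requires identityProviderCertificates entries")
    # Bearer tokens are only honoured where oauth is enabled: the SequenceServices location.
    scoped = [loc for loc in root.iter("location") if loc.get("path") == "SequenceServices"]
    scoped_oauth = scoped[0].find("sequence.engine/identity/oauth") if scoped else None
    if scoped_oauth is None or scoped_oauth.get("enabled", "").lower() != "true":
        findings.append('oauth is not enabled under <location path="SequenceServices">')
    modules = root.find("system.webServer/modules")
    names = [m.get("name") for m in modules.findall("add")] if modules is not None else []
    if [n for n in names if n in MODULE_ORDER] != MODULE_ORDER:
        findings.append(f"authentication modules missing or out of order: {names}")
    return findings
```

Run it against a real web.config by reading the file into lint_oauth_config; the unrelated sections are ignored, so the full file can be passed as-is.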

system.serviceModel (Administration Only)

Make sure that the endpoint binding for DataStreamDesignService is configured to use HTTPS, as in the following example.

<configuration>
  ...
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <services>
      <service name="PNMsoft.Sequence.DataStreams.Design.DataStreamDesignService">
        <endpoint binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.DataStreams.Design.DataStreamDesignService" behaviorConfiguration="DataStreamEndpointBehavior" />
      </service>
    </services>
    <bindings>
      <webHttpBinding>
        <binding name="webHttpsBinding">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DataStreamEndpointBehavior">
          <webHttp />
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
  ...
</configuration>

system.serviceModel (Flowtime Portal Only)

Make sure that each endpoint binding is configured to use HTTPS, as in the following example.

<configuration>
  ...
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <services>
      <service name="PNMsoft.Sequence.Flowtime.Services.Messages.UserMessagesService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IUserMessagesService" />
      </service>
      <service name="PNMsoft.Sequence.Flowtime.Services.Messages.GroupMessagesService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IGroupMessagesService" />
      </service>
      <service name="PNMsoft.Sequence.Flowtime.Services.Instances.UserInstancesService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IUserInstancesService" />
      </service>
      <service name="PNMsoft.Sequence.Flowtime.Services.Instances.ProcessInstancesService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IProcessInstancesService" />
      </service>
      <service name="PNMsoft.Sequence.Flowtime.Services.Instances.SharingInstancesService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.ISharingInstancesService" />
      </service>
      <service name="PNMsoft.Sequence.Flowtime.Services.Delegation.DelegationService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegation.IDelegationService" />
      </service>
      <service name="PNMsoft.Sequence.Flowtime.Services.Delegators.DelegatorsService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegators.IDelegatorsService" />
      </service>
      <service name="PNMsoft.Sequence.Flowtime.Services.UtilityService">
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" contract="PNMsoft.Sequence.Flowtime.Services.IUtilityService" />
      </service>
      <service name="PNMsoft.Sequence.HotOperations.Services.HotOperationSolutionsService">
        <endpoint contract="PNMsoft.Sequence.HotOperations.Services.IHotOperationSolutionsService" binding="webHttpBinding" bindingConfiguration="webHttpsBinding" address="" />
      </service>
    </services>
    <bindings>
      <webHttpBinding>
        <binding name="webHttpsBinding">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
        <binding name="webHttpBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
  </system.serviceModel>
  ...
</configuration>

system.identityModel

<configuration>
  ...
  <system.identityModel>
    <identityConfiguration>
      <audienceUris>
      </audienceUris>
    </identityConfiguration>
  </system.identityModel>
  ...
</configuration>

About this Article
  • Created: 01/04/2018 9:44 am EST
  • Last updated: 08/05/2018 3:31 am EDT