Setting up SAML for Legacy Server and WebApi

Configuring SAML in Legacy Server

  1. Make sure SSL is enabled for the application in IIS
  2. On the server navigate to the server web.config, typically in C:\Program Files (x86)\AMI\AssetTrack Server
  3. Uncomment system.identityModel and kentor.authServices within the configuration > configSections node
  4. Find the Ami.AuthDetail nodes, comment out the node with AuthType="AssetTrack" and uncomment the block containing AuthType="SAML", kentor.authServices, system.identityModel and system.identityModel.services
  5. Replace the domain with your server domain in the entityId and returnUrl properties within kentor.authServices (make sure to keep the path after the domain)
  6. Fill in the entityId, signOnUrl, and logoutUrl properties within kentor.authServices > identityProviders > add with the values provided by your IdP (entityId is the IdP identifier URL)
  7. Download your IdP's SAML signing certificate (the public certificate, not the IdP's TLS certificate) and install it into the Local Computer certificate store, then put its thumbprint into the findValue property of the signingCertificate node
  8. Find and uncomment the system.webServer > modules node
  9. Create a new X509 certificate, add to your server certificate store and put the thumbprint in the findValue property within kentor.authServices > serviceCertificates > add node
  10. Give the AssetTrack app pool identity read access to the private key of the newly created certificate
    1. In certificate manager, right click the certificate and go to All Tasks > Manage Private Keys...
    2. Add IIS AppPool\[AppPoolName] (for server this is typically IIS AppPool\AssetTrack)
    3. You may need to recycle the application pool
  11. Open <path-to-AssetTrack-web>/AuthServices in a browser; this downloads the AuthServices (SAML service provider) metadata file for the server
  12. Upload the metadata file to your IdP

Configuring SAML in WebApi

  1. Make sure SSL is enabled for the application in IIS and in the WebApi web.config
  2. On the server navigate to the WebApi web.config, typically in C:\Program Files (x86)\AMI\AssetTrack 4\Api
  3. Find the Ami.AuthDetail nodes, comment out the node with AuthType="AssetTrack" and uncomment the block containing AuthType="SAML"
  4. Replace the domain with your server domain in the ServiceProviderBaseUri property within AuthDetail > SAMLDetail (make sure to keep the path after the domain)
  5. Fill in the IdentityProviderId, SingleSignOnServiceUrl, and SingleSignOutServiceUrl properties within AuthDetail > SAMLDetail with the values provided by your IdP
  6. Download your IdP's SAML signing certificate (the public certificate, not the IdP's TLS certificate) and install it into the Local Computer certificate store, then put its thumbprint into the FindValue property of the SigningCert node
  7. Create a new X509 certificate, add to your server certificate store and put the thumbprint in the FindValue property within the SAMLDetail > ServiceCert node
  8. Give the AssetTrack app pool identity read access to the private key of the newly created certificate
    1. In certificate manager, right click the certificate and go to All Tasks > Manage Private Keys...
    2. Add IIS AppPool\[AppPoolName] (for webapi this is typically IIS AppPool\ATApi)
    3. You may need to recycle the application pool
  9. Open <path-to-webapi-web>/AuthServices in a browser; this downloads the AuthServices (SAML service provider) metadata file for WebApi
  10. Upload the metadata file to your IdP
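
The certificate steps are the same for the Legacy Server and WebApi procedures above (import the IdP signing certificate, create the service provider certificate, grant the app pool identity access to its private key, recycle the pool). The script below is an added example, not part of the AssetTrack documentation or product, that does those steps from an elevated Windows PowerShell 5.1 prompt on Windows Server 2016 or later and prints the two thumbprints you paste into findValue / FindValue. The host name, the path of the downloaded IdP certificate file and the app pool name are assumptions; change them to match your environment (AssetTrack for the server pool, ATApi for WebApi).

```powershell
# Added example (not AssetTrack's own tooling): provision SAML certificates for one app pool.
# Run elevated in Windows PowerShell 5.1 on Windows Server 2016+.
param(
    [string]$SpHostName  = 'assettrack.example.com',   # assumed: the host name in entityId / ServiceProviderBaseUri
    [string]$IdpCertPath = 'C:\Temp\idp-signing.cer',    # assumed: the IdP signing certificate you downloaded
    [string]$AppPoolName = 'AssetTrack'                 # 'AssetTrack' for server, 'ATApi' for WebApi
)

# Return the on-disk file that holds a machine certificate's private key, for both
# CNG (Key Storage Provider) and legacy CSP keys, so its ACL can be edited.
function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Grant Read only: signing needs nothing more, and FullControl would let the pool
# identity replace or delete the key (the "Manage Private Keys..." dialog defaults to Full Control).
function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Identity)
    $keyPath = Get-PrivateKeyFilePath -Certificate $Certificate
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    # Show the resulting entry so the grant can be verified.
    (Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference -eq $Identity }
}

# Step 7 / 6: import the IdP's public signing certificate into Local Computer > Personal.
$idpCert = Import-Certificate -FilePath $IdpCertPath -CertStoreLocation 'Cert:\LocalMachine\My'
if ($idpCert.NotAfter -lt (Get-Date)) { throw "IdP certificate expired on $($idpCert.NotAfter)" }

# Step 9 / 7: create the service provider certificate with a non-exportable 2048-bit RSA key.
# DigitalSignature covers signing AuthnRequests; KeyEncipherment covers decrypting encrypted assertions.
$spCert = New-SelfSignedCertificate -Subject "CN=$SpHostName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy NonExportable `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -FriendlyName "AssetTrack SAML SP ($AppPoolName)" `
    -NotAfter (Get-Date).AddYears(2)

# Step 10 / 8: grant the app pool identity read access to the private key, then recycle the pool.
Grant-PrivateKeyRead -Certificate $spCert -Identity "IIS AppPool\$AppPoolName"
Import-Module WebAdministration
Restart-WebAppPool -Name $AppPoolName

# Thumbprints to paste into web.config (signingCertificate / SigningCert and serviceCertificates / ServiceCert).
"IdP signing certificate thumbprint : $($idpCert.Thumbprint)  (subject: $($idpCert.Subject))"
"SP certificate thumbprint          : $($spCert.Thumbprint)"
```

Take the thumbprints from the script output rather than copying them out of the certificate dialog: the dialog's thumbprint field can carry an invisible leading Unicode mark that makes the findValue lookup fail with a "certificate not found" style error. When the IdP rotates its signing certificate, repeat the import and update the signingCertificate / SigningCert thumbprint, and when the SP certificate approaches its NotAfter date, create a new one, update the thumbprint and re-upload the AuthServices metadata to the IdP.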