Requirements
See the requirements for the AD SAML IdP before continuing.
Introduction
If your organization doesn't use Active Directory Federation Services, HelloID offers a simple, free alternative IdP that runs on an IIS web server in your local domain. It provides automatic, pass-through SAML authentication to all workstations logged in to the domain via Windows Authentication.
When the HelloID Active Directory IdP is in use, the HelloID Agent still provides a login method for users and devices outside the domain, and it continues to perform its normal synchronization tasks.
Install and Configure IIS
The HelloID Active Directory IdP requires an IIS web server to be configured and available to all client machines that will use it for authentication.
This guide describes the complete installation of the Web Server role. If you already have an IIS server set up, verify that its installed role services match those listed in this section, then move on to the installation of the IdP.
- Open Server Manager.
- Under the Manage menu, select Add Roles and Features.
- The Add Roles and Features Wizard will open. At Before You Begin, click Next.
- At Installation Type, select Role-based or feature-based installation and click Next.
- At Server Selection, click Select a server from the server pool, then select the server pool containing the server on which you want to install IIS, and click Next.
- At Server Roles, select Web Server (IIS) and click Next.
- The Add features that are required for Web Server (IIS)? dialog will open. Verify that Include management tools (if applicable) is selected and click Add Features.
- That dialog will close. Verify that Web Server (IIS) is checked and click Next.
- At Features, click Next.
- At Web Server Role (IIS), click Next.
- At Role Services, verify that the following role services are selected, and then click Next. The role services marked "not selected by default" are not part of the default selection and must be checked manually.
- Common HTTP Features
- Default Document
- Directory Browsing
- HTTP Errors
- Static Content
- Health and Diagnostics
- HTTP Logging
- Performance
- Static Content Compression
- Security
- Request Filtering
- Windows Authentication (not selected by default)
- Application Development
- .NET Extensibility 4.5 (not selected by default)
- ASP.NET 4.5 (not selected by default)
- ISAPI Extensions (not selected by default)
- ISAPI Filters (not selected by default)
- Management Tools
- IIS Management Console
- At Confirmation, click Install to begin the installation of IIS.
Install the Active Directory Identity Provider
Download and Extract the Identity Provider Files
- On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers.
- In the Identity Provider Downloads section, download the Active Directory Identity Provider. This will begin a download of a ZIP file.
- Open the ADIDP.zip file and extract its contents to a folder on the IIS server. We recommend creating a new folder for this purpose, such as C:\Identity Providers\adidp\.
Create an IIS Application
- Launch the IIS Manager console.
- Right click on a website (e.g., Default Web Site) and select Add Application...
- Enter the following settings and click OK.
- Alias: Use a recognizable alias for the application. For example, "adidp".
- Physical Path: Enter the path of the folder containing the contents of the ADIDP zip file.
Configure IIS Authentication and SSL
- Select the IIS website that is hosting the AD IdP application (Default Web Site in this example).
- Double click on Authentication.
- Disable Anonymous Authentication and enable Windows Authentication. Note that this applies to everything hosted under the selected website; if other applications on the same site must remain anonymously reachable, apply the same two settings on the AD IdP application instead.
- Right click on the website and select Edit Bindings...
- Click Add.
- Configure the Add Site Binding dialog and click OK.
- Type: https
- Port: 443
- Host name: Enter the host name by which the IIS website will be accessed. Make note of this for later use.
- SSL Certificate: Select the SSL certificate you wish to use to encrypt this website's traffic.
- Close the Site Bindings dialog.
Note: Ensure that the certificate has a Subject Alternative Name entry that matches the host name entered in the binding. Without one, browsers will report certificate errors for the site.
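The application, authentication and HTTPS binding steps above can also be scripted. This is an added PowerShell example using the WebAdministration module, not code from the HelloID documentation; the site name, alias, physical path and host name are placeholders, and it assumes a certificate with a private key whose SAN covers that host name is already in the machine's Personal store.

```powershell
# Added example: create the AD IdP application, switch the site to Windows
# Authentication only, and add an HTTPS binding with the matching certificate.
# Site name, alias, path and host name are placeholders; adjust them.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$alias    = 'adidp'
$appPath  = 'C:\Identity Providers\adidp'
$hostName = 'adidp.corp.example'   # must appear in the certificate's SAN

# 1. Application pointing at the extracted ADIDP.zip contents
if (-not (Get-WebApplication -Site $siteName -Name $alias)) {
    New-WebApplication -Site $siteName -Name $alias -PhysicalPath $appPath | Out-Null
}

# 2. Authentication at site level: anonymous off, Windows Authentication on.
#    These settings are stored in applicationHost.config, hence -Location.
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# 3. Pick the newest certificate whose SAN covers the host name (see the note above)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $hostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key and SAN '$hostName' found in LocalMachine\My"
}

# 4. HTTPS binding (SslFlags 1 = SNI) and the certificate attached to it
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
}
$sslPath = "IIS:\SslBindings\!443!$hostName"
if (-not (Test-Path $sslPath)) {
    New-Item -Path $sslPath -Value $cert -SSLFlags 1 | Out-Null
}

# Verify the result
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
foreach ($m in 'anonymousAuthentication', 'windowsAuthentication') {
    $v = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
            -Filter "$authBase/$m" -Name enabled).Value
    '{0,-24} enabled={1}' -f $m, $v
}
```

Windows Authentication negotiates Kerberos only when the host name in the binding resolves to a service principal name (HTTP/adidp.corp.example in this example) registered on the account the application pool runs as; otherwise clients silently fall back to NTLM. Register the SPN if Kerberos is required in your environment.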
Create or Import a Certificate in HelloID
Communication between the Identity Provider and HelloID must be protected with a certificate that HelloID knows. You can either import an existing certificate into HelloID or create a self-signed certificate in HelloID. This example creates a self-signed certificate. The downloaded PFX contains the private key, so treat it as a secret on the IIS server: restrict the file to administrators and the identity the IdP application runs as.
- On the HelloID Administrator Dashboard, navigate to Settings > Certificates.
- Click Create Self-Signed Certificate.
- Enter the fields for the new certificate and press Save to continue. Learn more about creating and using certificates here.
- Click the Details link of the new certificate.
- In the Download Certificate section, configure the following items:
- Download As: Personal Information Exchange (.PFX)
- Secure it with a Password: Enter a password that will be used to secure this certificate. Make note of this password for later use.
- Click the Download button.
- Copy the downloaded certificate to the IIS server in a new folder (e.g., C:\HelloID Certificates).
Add the Identity Provider to HelloID
- On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers.
- Click Create Provider.
- Find the Active Directory - SAML Identity Provider, and click the Add button next to it.
- On the Portal Information tab, you have a handful of configuration options. View a complete configuration reference here.
- Make note of the Consumer URL value, as you will need it later. You may also enable Just-In-Time Provisioning (recommended).
- Set the other options as desired.
- Click Next to go to the Configuration tab.
- The Configuration tab lets you specify the details of your IIS IdP. Configure the following required settings and click Next. You may configure other optional settings as desired.
- Issuer: This is set by the template. IMPORTANT: Verify that the URL ends with a forward slash.
- Login URL: Enter the URL of the IIS website's AD IdP application.
- Request Certificate: Select the certificate that you created or imported in HelloID.
- The Client Restrictions tab lets you show or hide this IdP on the login screen based on IP or source restrictions. For example, because the IIS web server must be reachable by the client machine, you may want to show this IdP only to clients coming from your organization's own IP address ranges. Configure this tab as you see fit and click Save. View more information about client restrictions here.
Configure the IIS Application
- Open the IIS Manager console.
- Select the AD IdP application, and then double click Application Settings.
- Fill in the following fields:
- CertificatePath: The file path of the certificate on the IIS server.
- CertificatePwd: The password that you set when downloading the certificate.
- ConsumerURL: The Consumer URL value from the IdP Portal Information page in HelloID.
- TargetURL: The URL of your HelloID Portal.
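The four settings above are stored as appSettings entries in the application's web.config. The following is an added PowerShell example, not part of the HelloID documentation, that writes them and then locks the PFX file down to the application pool identity; all paths and URLs are placeholders to be replaced with the values noted in the earlier steps.

```powershell
# Added example: write the AD IdP application settings and restrict the PFX.
# Paths and URLs are placeholders; use the values noted in the steps above.
Import-Module WebAdministration

$siteName  = 'Default Web Site'
$alias     = 'adidp'
$appPSPath = "IIS:\Sites\$siteName\$alias"

$settings = [ordered]@{
    CertificatePath = 'C:\HelloID Certificates\helloid-adidp.pfx'  # downloaded from Settings > Certificates
    CertificatePwd  = (Read-Host -Prompt 'PFX password')           # prompt rather than hard-code it
    ConsumerURL     = 'https://your-portal.example/consumer-url'   # Consumer URL from the Portal Information tab
    TargetURL       = 'https://your-portal.example/'               # URL of your HelloID portal
}

# 1. Create or update each <add key="..." value="..."/> under <appSettings>
foreach ($kv in $settings.GetEnumerator()) {
    $filter   = "appSettings/add[@key='$($kv.Key)']"
    $existing = Get-WebConfigurationProperty -PSPath $appPSPath -Filter $filter -Name value
    if ($null -eq $existing) {
        Add-WebConfigurationProperty -PSPath $appPSPath -Filter 'appSettings' -Name '.' `
            -Value @{ key = $kv.Key; value = $kv.Value }
    } else {
        Set-WebConfigurationProperty -PSPath $appPSPath -Filter $filter -Name value -Value $kv.Value
    }
}

# 2. The PFX holds the IdP's private key: only administrators and the account
#    the application pool runs as should be able to read it.
$poolName = (Get-WebApplication -Site $siteName -Name $alias).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$identity = if ($pool.processModel.identityType -eq 'SpecificUser') {
    $pool.processModel.userName          # custom service account
} else {
    "IIS AppPool\$poolName"              # built-in ApplicationPoolIdentity
}

$acl = Get-Acl -Path $settings.CertificatePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'Read', 'Allow')))
Set-Acl -Path $settings.CertificatePath -AclObject $acl

# Verify: settings present, and the PFX readable by exactly the two principals above
Get-WebConfiguration -PSPath $appPSPath -Filter 'appSettings/add' |
    Select-Object key, @{ n = 'value'; e = { if ($_.key -eq 'CertificatePwd') { '***' } else { $_.value } } }
(Get-Acl -Path $settings.CertificatePath).Access | Select-Object IdentityReference, FileSystemRights
```

CertificatePwd is stored in clear text in web.config, so the application folder's NTFS permissions matter as much as the PFX file's. If the IdP reads its settings through the standard .NET configuration API (which handles protected sections transparently), the section can additionally be encrypted in place with aspnet_regiis.exe -pef appSettings "C:\Identity Providers\adidp"; confirm the application still starts afterwards before relying on it.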
Test the Configuration
The configuration is now complete and can be tested from a domain-joined computer that can reach both the IIS server hosting the Active Directory IdP and HelloID.
Launch a browser that supports integrated Windows authentication (e.g., Internet Explorer or Chrome) and navigate to your HelloID portal's login page. You should now see a new login option for the Active Directory IdP, as shown below.
Click on the Active Directory - SAML login option. There will be a brief redirect, and you will be routed to the HelloID user dashboard, logged in as the Windows user. The name of the user will be displayed in the upper-right corner of the HelloID Dashboard.
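Before testing in a browser, the IdP endpoint itself can be checked from a domain-joined client. This is an added PowerShell example, not part of the HelloID documentation; it targets Windows PowerShell 5.1 (whose Invoke-WebRequest errors expose the underlying HttpWebResponse) and the Login URL is a placeholder. An anonymous request must be refused with a Windows authentication challenge, and the same request sent with the logged-on user's credentials must succeed.

```powershell
# Added example: verify the AD IdP endpoint behaves as an integrated-auth
# endpoint. Requires Windows PowerShell 5.1 on a domain-joined client.
$loginUrl = 'https://adidp.corp.example/adidp/'   # Login URL configured in HelloID (placeholder)

function Test-AdIdpEndpoint {
    param([Parameter(Mandatory)][uri]$Uri)

    $result = [ordered]@{ AnonymousStatus = $null; Challenge = $null; AuthStatus = $null; FinalUri = $null }

    # 1. Anonymous request: expected result is 401 with a WWW-Authenticate header
    #    offering Negotiate and/or NTLM. A 200 here means anonymous access is still on.
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
        $result.AnonymousStatus = [int]$r.StatusCode
        $result.Challenge = 'NONE - anonymous authentication is still enabled'
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }   # DNS/TLS failure: name mismatch, untrusted issuer, port closed
        $result.AnonymousStatus = [int]$resp.StatusCode
        $result.Challenge       = $resp.Headers['WWW-Authenticate']
    }

    # 2. Same request with the current user's Kerberos/NTLM credentials: expected
    #    result is 200 (the IdP's response that carries the user on to HelloID).
    #    A 401 here means the credentials were not accepted (wrong SPN, NTLM blocked, ...).
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials -ErrorAction Stop
        $result.AuthStatus = [int]$r.StatusCode
        $result.FinalUri   = $r.BaseResponse.ResponseUri.AbsoluteUri
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        $result.AuthStatus = [int]$resp.StatusCode
    }

    [pscustomobject]$result
}

$check = Test-AdIdpEndpoint -Uri $loginUrl
$check | Format-List

$ok = $check.AnonymousStatus -eq 401 -and
      $check.Challenge -match 'Negotiate|NTLM' -and
      $check.AuthStatus -eq 200
if ($ok) { Write-Host 'IdP endpoint OK: challenges anonymous clients and accepts domain credentials.' }
else     { Write-Warning 'IdP endpoint is not behaving as an integrated-auth endpoint; see the values above.' }
```

If this check passes but the browser still prompts for a username and password, the browser is not sending credentials automatically: Internet Explorer and Chrome only do so for sites in the Local Intranet zone, and a fully qualified host name such as adidp.corp.example is not placed there by default, so add it through Internet Options or Group Policy.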