Replicon SAML Identity Provider

  • Obtain the SAMLIdentityProvider.zip file from Replicon Support or download it using the link at the bottom of this page.
  • Extract the zip file (recommended path: C:\Program Files\Replicon Inc\SAML Identity Provider).

Set up IIS 7.0/7.5:

  • Create a new website, or an application under an existing website, on IIS and name it SAML (suggested name).
  • Point the website or application to the path where the SAML files were extracted, for example C:\Program Files\Replicon Inc\SAML Identity Provider (the recommended path above) or C:\inetpub\wwwroot\SAML Identity Provider.
  • If you already have a virtual directory rather than an application, right-click it and select Convert to Application.
  • Ensure that Authentication for the SAML site or application is set to Windows Authentication only: disable Anonymous Authentication and every other authentication mode. With anonymous access left on, IIS serves the page without authenticating the user, so there is no Windows identity for the identity provider to assert.
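The same IIS 7.0/7.5 steps, scripted, as an added example that is not part of Replicon's package; it also applies the application pool settings this page lists later under "Additional information". The site name "Default Web Site", the application and pool name "SAML", and the physical path are assumptions to adjust for your server; the WebAdministration module is assumed (on IIS 7.0 it is a separately installed snap-in).

```powershell
# Added example, not Replicon's code. Run from an elevated PowerShell prompt on the IIS
# server. Assumed names: site "Default Web Site", application and pool "SAML", files
# extracted to the recommended path.
Import-Module WebAdministration   # IIS 7.0: Add-PSSnapin WebAdministration instead

$site     = 'Default Web Site'
$appName  = 'SAML'
$poolName = 'SAML'
$physPath = 'C:\Program Files\Replicon Inc\SAML Identity Provider'
if (-not (Test-Path (Join-Path $physPath 'Web.config'))) {
    throw "Extract SAMLIdentityProvider.zip to $physPath before running this"
}

# Dedicated application pool: Classic pipeline, .NET 2.0, Network Service identity,
# 32-bit worker on x64 (the 32-bit flag is ignored on 32-bit Windows).
$poolPath = "IIS:\AppPools\$poolName"
if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty $poolPath -Name managedRuntimeVersion     -Value 'v2.0'
Set-ItemProperty $poolPath -Name managedPipelineMode       -Value 'Classic'
Set-ItemProperty $poolPath -Name processModel.identityType -Value 'NetworkService'
Set-ItemProperty $poolPath -Name enable32BitAppOnWin64     -Value $true

# The application itself: reuse or convert whatever already exists under that name.
$appPath = "IIS:\Sites\$site\$appName"
if (Get-WebApplication -Site $site -Name $appName) {
    Set-ItemProperty $appPath -Name applicationPool -Value $poolName
} elseif (Get-WebVirtualDirectory -Site $site -Name $appName) {
    # Same as right-click > Convert to Application in IIS Manager
    ConvertTo-WebApplication -PSPath $appPath -ApplicationPool $poolName | Out-Null
} else {
    New-WebApplication -Site $site -Name $appName -PhysicalPath $physPath `
                       -ApplicationPool $poolName | Out-Null
}

# Windows Authentication only. Anonymous must be off: with it on, IIS serves the page
# without authenticating the caller and the IdP has no Windows identity to assert.
$loc  = "$site/$appName"
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/windowsAuthentication" `
                             -Name enabled -Value $true
foreach ($other in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/$other" `
                                 -Name enabled -Value $false
}

# Read back the effective settings for a final look.
Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter "$auth/*" |
    Select-Object SectionPath, enabled
```

The authentication settings are written as a location tag in applicationHost.config rather than into the application's Web.config, so they survive if the SAML files are later re-extracted over the existing directory.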

Set up IIS 6.0:

  • Create a new website, or a virtual directory under an existing website, on IIS and name it SAML (any name is allowed).
  • Grant the website or virtual directory Read and Execute permissions.
  • Point the website or virtual directory to the path where the SAML files were extracted, for example C:\Program Files\Replicon Inc\SAML Identity Provider (the recommended path above) or C:\inetpub\wwwroot\SAML Identity Provider.
  • Right-click the Default.aspx file in the SAML application you created and select Properties.
  • On the File Security tab, select Edit.
  • On the Authentication Methods page, disable anonymous access and ensure Integrated Windows authentication is the only option enabled.

Set up the Identity Provider

  • Open the directory where the SAML files were extracted.
  • Open the Web.config file in a text editor.
  • Find the following line in the <appSettings> section:

    • <add key="ServiceProviderURL" value="http://service.url/path/saml.ashx" />
  • Change the value to the saml.ashx URL of your own Replicon instance, using the same scheme and host you log in to Replicon with, for example:

    • <add key="ServiceProviderURL" value="http://na1.replicon.com/YourCompanyName/saml.ashx" />
  • Add the following two keys directly below the opening <appSettings> tag:

    • <add key="AllowedSecondsBeforeIssue" value="30" />
    • <add key="AssertionLifetimeInSeconds" value="60" />
    • Both values are in seconds and together define the validity window around each assertion's issue time. If the identity provider server's clock lags or leads UTC, the assertion falls outside that window and the login fails; raising these values works around that, but every extra second also widens the window in which a captured assertion can be replayed, so fix the clock first and keep the values as small as practical.
  • Save the file.
  • Open the Bin folder.
  • Run Replicon.Security.CertificateGenerator.exe.
  • The tool writes two new files to the Bin folder: private.pfx and public.cer. Only public.cer is uploaded to Replicon (see below); private.pfx holds the key the identity provider signs assertions with, so leave it on the server and restrict its NTFS permissions to the application pool identity and administrators.
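The Web.config and key-pair steps above, scripted, as an added example that is not part of Replicon's package. It sets the three appSettings keys (adding them if absent), confirms that public.cer and private.pfx are a matching pair, and restricts private.pfx to the Network Service pool identity, SYSTEM and administrators. The install path, the tenant URL and the tolerance values are placeholders to replace with your own; icacls is assumed (Windows Server 2008 or later), and the generated pfx is assumed to have no password, with a prompt as fallback if it does.

```powershell
# Added example, not Replicon's code. Assumptions: files under the recommended path,
# placeholder tenant URL, pfx without a password (prompted for if that is wrong).
$idpPath   = 'C:\Program Files\Replicon Inc\SAML Identity Provider'
$webConfig = Join-Path $idpPath 'Web.config'
$spUrl     = 'https://na1.replicon.com/YourCompanyName/saml.ashx'   # your tenant's saml.ashx
$settings  = @{
    'ServiceProviderURL'         = $spUrl
    'AllowedSecondsBeforeIssue'  = '30'   # seconds; widen only if the clock cannot be fixed
    'AssertionLifetimeInSeconds' = '60'   # seconds; every extra second is extra replay window
}

# --- Web.config: set each key in <appSettings>, creating it if it is missing ---
[xml]$cfg = Get-Content $webConfig
$appSettings = $cfg.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) { throw "No <appSettings> element in $webConfig" }
foreach ($key in $settings.Keys) {
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if (-not $node) {
        $node = $cfg.CreateElement('add')
        $node.SetAttribute('key', $key)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $settings[$key])
}
Copy-Item $webConfig "$webConfig.bak"   # keep the original before overwriting
$cfg.Save($webConfig)

# --- Key pair: both files present, same thumbprint, private key really inside the pfx ---
$binPath = Join-Path $idpPath 'Bin'
$cerFile = Join-Path $binPath 'public.cer'
$pfxFile = Join-Path $binPath 'private.pfx'
foreach ($f in $cerFile, $pfxFile) {
    if (-not (Test-Path $f)) { throw "Missing $f - run Replicon.Security.CertificateGenerator.exe first" }
}
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerFile
"public.cer subject={0} thumbprint={1} expires={2:u}" -f $pub.Subject, $pub.Thumbprint, $pub.NotAfter
if ($pub.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Signing certificate expires within 30 days: regenerate and re-upload public.cer'
}
try {
    $priv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxFile, '' -ErrorAction Stop
} catch {
    $pw   = Read-Host 'private.pfx password' -AsSecureString
    $priv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxFile, $pw
}
if (-not $priv.HasPrivateKey)               { throw 'private.pfx contains no private key' }
if ($priv.Thumbprint -ne $pub.Thumbprint)   { throw 'private.pfx and public.cer are not a pair; re-run the generator' }

# --- private.pfx is the IdP signing key: drop inherited ACEs, grant only what is needed ---
& icacls $pfxFile /inheritance:r /grant:r 'NT AUTHORITY\NETWORK SERVICE:(R)' `
                                          'NT AUTHORITY\SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
& icacls $pfxFile   # show the resulting ACL
```

Run it again after any regeneration of the key pair: a fresh private.pfx inherits the directory's permissions until the ACL is reapplied, and a new public.cer has to be uploaded to Replicon before the next login will verify.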

Setting up SAML on Replicon

  • Log into Replicon as an administrator.
  • Select Administration from the top menu.
  • Click on System Preferences under the System section, in the left side menu.
  • Select the Enable SAML Authentication option under the Security section.
  • Two additional fields appear:

    • SAML public key
    • SAML transfer URL

      • For SAML public key, click (upload), locate the public.cer file in the Bin folder of the extracted SAML files and upload it. Do not upload private.pfx.
      • For SAML transfer URL, enter the full URL of the SAML application you created on IIS, using the host name users will reach it by. The URL must end with the target parameter, whose {0} placeholder Replicon fills in and must be left exactly as written, for example http://YourSAMLServerName/SAML?target={0}
  • Select Save.

Change the Authentication Type for users

  • Log into Replicon as an administrator.
  • Select Administration from the top menu.
  • Select Users under the Users/Departments section in the left side menu.
  • Click the edit icon beside the name of the user to be changed.
  • The user's login name in Replicon must match their Windows (NT/AD) user name, because that is the identity the identity provider asserts.
  • Under the Access tab, in the Login section, change the Authentication Method to SSO.
  • Save the settings.

Note:

  • Users must log in to Replicon through the following URL:

    • http://<YourSAMLComputerName>/SAML
  • Replicon supports SAML 1.1 only.
  • In most cases users are logged in to Replicon automatically. Some browsers do not forward Windows credentials by default, and others can be configured not to, in which case the user is prompted for a user name and password. Internet Explorer, for example, sends them silently only to sites in its Local intranet zone, so using the server's short host name, or adding the identity provider URL to that zone, usually avoids the prompt.

Additional information:

  • After SAML is configured, some users may be unable to reach the Replicon SAML page because the request is denied access to default.aspx on IIS. Work through the following checks:
  • Verify that the SAML site or application is set to pass-through authentication (no fixed user name stored for the physical path).
  • Run the SAML application in its own application pool, set to Classic managed pipeline mode and .NET Framework 2.0.
  • Set the application pool identity to Network Service.
  • On IIS 7 on a 64-bit server, set Enable 32-Bit Applications to True for that application pool.
  • Ensure the SAML server's clock agrees with Replicon's: compare the server time with https://www.time.gov and correct any difference. The assertion validity window configured in Web.config is only tens of seconds, so even a small offset causes logins to fail.
  • Check that the user's workstation and the SAML server are in the same domain:

    • If the workstation is in a different domain, a trust relationship between the two domains is required.
    • If the SAML server is in a workgroup rather than a domain, Windows Authentication cannot validate domain users.
    • The user must be logged in to the workstation with the NT/AD account whose login name is stored in their Replicon user profile.
  • On IIS 6, check that Active Server Pages is listed under Web Service Extensions and is set to Allowed.
  • Check that ASP.NET v2.0.50727 (or the ASP.NET version the application uses) is listed under Web Service Extensions and is set to Allowed. If it is not listed, add it as follows:

    • Select Add a new Web service extension.
    • Browse to C:\Windows\Microsoft.NET\Framework\v2.0.50727, select aspnet_isapi.dll, and set the extension status to Allowed.
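A check script for the conditions listed above, run on the identity provider server, as an added example that is not part of Replicon's package. It reads back the authentication and application pool settings, checks domain membership, and measures clock skew against the Replicon server using the Date header of an HTTP response, which is the condition most often behind "assertion expired" failures. It assumes IIS 7.x with the WebAdministration module, the site "Default Web Site" with application "SAML", and a placeholder tenant URL; the IIS 6 Web Service Extensions checks are not covered.

```powershell
# Added example, not Replicon's code. Assumed names: site "Default Web Site",
# application "SAML", placeholder Replicon tenant URL.
Import-Module WebAdministration
$site = 'Default Web Site'; $app = 'SAML'; $loc = "$site/$app"
$repliconUrl = 'https://na1.replicon.com/YourCompanyName/saml.ashx'
$problems = @()

# 1. Authentication: Windows on, every other mode off
$auth = Get-WebConfiguration -PSPath 'IIS:\' -Location $loc -Filter 'system.webServer/security/authentication/*'
foreach ($a in $auth) {
    $name = $a.SectionPath.Split('/')[-1]
    $want = ($name -eq 'windowsAuthentication')
    if ([bool]$a.enabled -ne $want) { $problems += "$name enabled=$($a.enabled), expected $want" }
}

# 2. Application pool: Classic, .NET 2.0, Network Service, 32-bit on x64
$poolName = (Get-WebApplication -Site $site -Name $app).applicationPool
$pool = Get-Item "IIS:\AppPools\$poolName"
if ($pool.managedRuntimeVersion -ne 'v2.0')    { $problems += "pool runtime is $($pool.managedRuntimeVersion), expected v2.0" }
if ($pool.managedPipelineMode -ne 'Classic')   { $problems += "pool pipeline is $($pool.managedPipelineMode), expected Classic" }
if ($pool.processModel.identityType -ne 'NetworkService') {
    $problems += "pool identity is $($pool.processModel.identityType), expected NetworkService"
}
$is64 = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -like '64*'
if ($is64 -and -not $pool.enable32BitAppOnWin64) { $problems += 'x64 server but the pool is not in 32-bit mode' }

# 3. Domain membership: a workgroup server cannot validate domain users
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $problems += "server is in workgroup '$($cs.Domain)', not a domain" }

# 4. Clock skew against Replicon. The HTTP Date header is UTC; a HEAD to saml.ashx may be
#    answered with an error status, but the headers of that error response still carry it.
try {
    $req = [System.Net.WebRequest]::Create($repliconUrl); $req.Method = 'HEAD'
    try { $resp = $req.GetResponse() } catch [System.Net.WebException] { $resp = $_.Exception.Response }
    $remote = [DateTime]::Parse($resp.Headers['Date']).ToUniversalTime()
    $skew   = [math]::Abs(([DateTime]::UtcNow - $remote).TotalSeconds)
    if ($skew -gt 30) {
        $problems += "clock differs from Replicon by $([int]$skew)s; fix time sync rather than widening the assertion window"
    }
} catch { $problems += "could not read the Date header from $repliconUrl : $($_.Exception.Message)" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```

The 30-second skew threshold matches the AllowedSecondsBeforeIssue value suggested earlier on this page; if you changed that value, change the threshold to match. The same-domain and login-name checks for the user's workstation cannot be made from the server and still have to be verified at the user's end.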

Attachment:

SAML Identity provider