Setting up SAML 1.1 for Replicon

SAML is an XML-based standard for exchanging authentication data between a service provider (such as Replicon) and an identity provider. It allows users to employ web browser single sign-on.

If you want to use SAML with Replicon and you aren’t already enrolled with a SAML identity provider, Replicon can provide you with one that you can set up on a server in your network. Follow the procedure in this topic to set it up.

If you want to use a different identity provider, contact Replicon Support for information on how to configure your provider to work with Replicon.

Replicon also supports SAML 2.0, although we do not host an identity provider for it.

For information on setting up SSO based on an OpenID Connect provider, refer to Setting up single sign-on.

For information on assigning SAML authentication settings to users, refer to Setting up users for single sign-on.

To set up your identity provider and enable SAML in Replicon:

  1. Extract the SAML identity provider files
  2. Set up IIS
  3. Set up the identity provider
  4. Set up Replicon
  5. Create users

Extract the SAML identity provider files

  1. Download the SAMLIdentityProvider.zip file.
  2. Extract the zip file. We recommend extracting to one of these locations:
  • C:\Program Files\Replicon Inc\SAML Identity Provider on 32-bit systems
  • C:\Program Files (x86)\Replicon Inc\SAML Identity Provider on 64-bit systems

Set up IIS

Use your system’s Internet Information Services (IIS) Manager to carry out the following procedures.

Create a new IIS virtual directory pointing to the folder you extracted the files to

In IIS 6.0

Right-click the web site name, and select New > Virtual Directory. In the window that displays, in the Alias field, enter SAML; in the Path field, browse to and select the location of the SAML folder you created. Click Next.

Under Allow the following permissions, ensure Read and Execute permissions are enabled.

In IIS 7.0 and higher

Right-click the web site name, and select Add Virtual Directory. In the window that displays, in the Alias field, enter SAML; in the Physical Path field, browse to and select the location of the SAML folder you created. Click OK.

To assign permissions for the directory, in Features View select Handler Mappings, then select Edit Feature Permissions (right-click a mapping, or use the Actions pane). In the window that displays, enable Read and Execute permissions. Click OK.

Create an IIS application called SAML

In IIS 6.0

Right-click the SAML directory and select Properties. On the Virtual Directory tab, click the Create button located in the Application settings area. Select OK.

In IIS 7.0 and higher

First ensure that Connect As (the physical path credentials for the directory) is set to Application user (pass-through authentication), so that no fixed account is stored for the path, and that DynamicCompressionModule and StaticCompressionModule are removed from the Modules section. Then right-click the SAML directory, select Convert to Application, and click OK.

Select authentication settings:

In IIS 6.0:

  1. Right-click the Default.aspx file in the SAML application you created, and select Properties.
  2. On the File Security tab, select Edit…
  3. On the Authentication Methods page that displays, disable anonymous access, and ensure Integrated Windows Authentication is the only option enabled. Anonymous access must be off: the identity provider asserts the Windows identity of the browser session to Replicon, so every request to it has to be authenticated.

In IIS 7.0 and higher:

  1. Select the SAML application, switch to Content View, right-click the Default.aspx file, and select Switch to Features View.
  2. From the Default.aspx Home (Features View), select Authentication.
  3. For each authentication method listed, enable Windows Authentication and disable every other method, including Anonymous Authentication, for the same reason as in IIS 6.0.
  4. In the left menu, select Application Pools.
  5. Right-click the application pool that corresponds to your SAML application, and select Advanced Settings.
  6. In the window that displays, find the Managed Pipeline Mode field, and set it to Classic.
  7. Under Process Model, the Identity of the application pool should be Network Service.
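The IIS 7.0 and higher steps above, scripted. This is an added example for this page, not a script shipped by Replicon; it uses the WebAdministration module and assumes the site name (Default Web Site), the extraction folder, and the application pool name (SAML), all of which you should change to match your server. It applies the authentication settings to the whole /SAML application rather than only to Default.aspx, which covers that file and is stricter than the per-file setting.

```powershell
#Requires -RunAsAdministrator
# Added example (not Replicon's own script): the IIS 7+ steps from this page,
# performed with the WebAdministration module. Assumed values are marked.
Import-Module WebAdministration

$siteName = 'Default Web Site'                                            # assumption
$alias    = 'SAML'
$physPath = 'C:\Program Files (x86)\Replicon Inc\SAML Identity Provider'  # assumption
$poolName = 'SAML'                                                        # assumption
$location = "$siteName/$alias"   # location path used for per-application IIS settings

# Dedicated application pool: Classic pipeline mode, running as Network Service.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode -Value 'Classic'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value 'NetworkService'

# Virtual directory named SAML pointing at the extracted folder, then converted to an
# application in that pool. Created without -Credential, the directory uses pass-through
# authentication ("Connect As: Application user"), so no fixed account is stored.
if (-not (Test-Path "IIS:\Sites\$siteName\$alias")) {
    New-WebVirtualDirectory -Site $siteName -Name $alias -PhysicalPath $physPath | Out-Null
}
ConvertTo-WebApplication "IIS:\Sites\$siteName\$alias" -ApplicationPool $poolName | Out-Null

# Handler feature permissions: Read and Execute (Script is kept so ASP.NET pages still run).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter 'system.webServer/handlers' -Name accessPolicy -Value 'Read, Script, Execute'

# Remove the compression modules from this application's pipeline only.
foreach ($mod in 'DynamicCompressionModule', 'StaticCompressionModule') {
    Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter 'system.webServer/modules' -Name '.' -AtElement @{ name = $mod } `
        -ErrorAction SilentlyContinue   # no-op if the module is not listed here
}

# Authentication: Windows Authentication only. Anonymous must be off, because every
# request has to carry a Windows identity for the identity provider to assert to Replicon.
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
foreach ($scheme in 'basicAuthentication', 'digestAuthentication') {
    # Skipped silently when the scheme is not installed on this server.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/$scheme" -Name enabled -Value $false -ErrorAction SilentlyContinue
}

# Read back the settings that matter so the result can be checked at a glance.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter "$authBase/*" -Name enabled |
    Select-Object ItemXPath, Value
Get-ItemProperty "IIS:\AppPools\$poolName" |
    Select-Object name, managedPipelineMode, @{ n = 'Identity'; e = { $_.processModel.identityType } }
```

Run it in an elevated PowerShell session on the IIS server. The read-back at the end should list windowsAuthentication as True and everything else as False; if anonymousAuthentication is still True the identity provider would serve requests that carry no Windows identity, which is the misconfiguration the manual steps are guarding against.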

Set up the identity provider

  1. Open the directory to which you extracted SAMLIdentityProvider.zip.
  2. Open the Web.config file in a text editor, such as Notepad.
  3. Find the following line of code:

<add key="ServiceProviderURL" value="https://service.url/path/saml.ashx" />

Modify the line to include your Replicon installation’s URL:

<add key="ServiceProviderURL" value="https://global.replicon.com/!/saml/CompanyKey" /> [1]

  4. Confirm that your SAML server’s clock is synchronized with an authoritative time source; you can compare it against https://www.time.gov/. SAML assertions are only valid for a short window, so a skewed clock makes Replicon reject otherwise valid logins.
  5. In the directory to which you extracted SAMLIdentityProvider.zip, open the bin sub-directory and run Replicon.Security.CertificateGenerator.exe as an administrator.

It will create two new files in that sub-directory: private.pfx and public.cer. private.pfx holds the key that signs every assertion: keep it on the identity provider server, restrict read access to administrators and the application pool identity, and never upload it anywhere. Only public.cer is given to Replicon.
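The identity provider steps above as one script. This is an added example for this page, not Replicon's own code; the certificate generator it runs is Replicon's tool and its behaviour (writing private.pfx and public.cer into bin) is taken from the text. Assumptions: the extraction folder, the CompanyKey value (ExampleCo), that the ServiceProviderURL setting lives under appSettings in Web.config as the snippet above suggests, and that the application pool runs as Network Service as set up in the IIS steps, so that identity is granted read access to the private key.

```powershell
#Requires -RunAsAdministrator
# Added example (not Replicon's code): configure the identity provider, generate the
# signing key pair, and lock down the private key. Assumed values are marked.
$idpRoot    = 'C:\Program Files (x86)\Replicon Inc\SAML Identity Provider'  # assumption
$companyKey = 'ExampleCo'                                                   # assumption: your CompanyKey
$spUrl      = "https://global.replicon.com/!/saml/$companyKey"

# 1. Point Web.config at your Replicon instance. Edit it as XML rather than by string
#    replacement so the file stays well-formed; keep a backup of the original first.
$cfgPath = Join-Path $idpRoot 'Web.config'
Copy-Item -LiteralPath $cfgPath -Destination "$cfgPath.bak" -Force
[xml]$cfg = Get-Content -LiteralPath $cfgPath -Raw
# Assumption: the setting is an <add key=... value=...> element under <appSettings>.
$node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='ServiceProviderURL']")
if (-not $node) { throw "ServiceProviderURL setting not found in $cfgPath" }
$node.SetAttribute('value', $spUrl)
$cfg.Save($cfgPath)

# 2. Clock check. Assertions carry a validity window, so a skewed server clock produces
#    assertions that Replicon rejects. Resync against the configured time source and
#    show the current status (look at the reported offset and "Last Successful Sync Time").
w32tm /resync | Out-Null
w32tm /query /status

# 3. Generate the signing key pair. The generator writes private.pfx and public.cer into bin.
$bin = Join-Path $idpRoot 'bin'
Start-Process -FilePath (Join-Path $bin 'Replicon.Security.CertificateGenerator.exe') `
    -WorkingDirectory $bin -Wait
$pfx = Join-Path $bin 'private.pfx'
$cer = Join-Path $bin 'public.cer'
if (-not (Test-Path $pfx) -or -not (Test-Path $cer)) {
    throw 'Certificate generation did not produce private.pfx and public.cer'
}

# 4. The private key signs every assertion the identity provider issues. Drop inherited
#    permissions and allow only Administrators (full control) and the app-pool identity
#    (read; assumption: the web application reads private.pfx when it signs).
icacls $pfx /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
icacls $pfx

# 5. Show what you are about to upload to Replicon as the Public key. Check the validity
#    dates: an expired or not-yet-valid certificate will break logins later.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cer
$pub | Format-List Subject, Thumbprint, NotBefore, NotAfter
```

Note the thumbprint printed at the end; once the provider is saved in Replicon you can compare it with the certificate you uploaded to be sure the right file went in. If you later regenerate the key pair, the old public.cer in Replicon stops validating assertions and must be replaced.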

Enable SAML authentication in Replicon

  1. Log in to Replicon.
  2. Go to Administration > System and Security > Security Settings.
  3. From the Authentication Providers section, click the Add Authentication Provider link.

An Add Authentication Provider dialog displays.

  4. From the Provider Type drop-down in the dialog that displays, select SAML 1.1.
  5. Complete the two additional fields that display:
  • Target URL

In this field, enter the full URL of the virtual directory you created, including the server name and port number [2]. The URL must include the target parameter with the {0} placeholder, which Replicon fills in at login time. It should look something like this:

https://servername:portnumber/SAML?target={0} [2]

  • Public key

In this field, upload the public.cer file from the bin directory, generated when you set up the identity provider. Upload only public.cer; private.pfx must stay on your server.

  6. Select Save.

Set up employees to use SAML

To set up users:

  1. Log in to Replicon.
  2. Go to Administration > Employees and Organization > Users.
  3. Select a user to edit.
  4. From the Authentication Type field, select SSO.
  5. Enter the user’s Windows/NT/AD user name in the Login Name field. This is the identity the identity provider asserts, so it must match the name the user logs on to Windows with.
  6. Click Save User Profile.

These users can log in to Replicon at https://servername:portnumber/SAML [2].

[1] Your CompanyKey is the name of your company (that is, the name you used when you created your instance, and the name users enter in the Company field on the Replicon login page).

[2] The port number can be omitted if you are using the default port (80 for http, 443 for https).
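A final check of the login URL above, run from a domain-joined workstation. This is an added example, not part of Replicon's documentation; it assumes the host name and port (servername:8443). It verifies the two properties the IIS steps were meant to produce: a request with no Windows identity is refused, and a request carrying the logged-on user's identity is accepted.

```powershell
# Added example (not Replicon's code): smoke-test the identity provider endpoint.
$idpUrl = 'https://servername:8443/SAML'   # assumption: your identity provider host and port

# 1. Anonymous request. With Windows Authentication the only scheme enabled, IIS must
#    answer 401; anything else means anonymous access is still on.
try {
    $r = Invoke-WebRequest -Uri $idpUrl -UseBasicParsing
    Write-Warning "Anonymous request succeeded with $($r.StatusCode): anonymous authentication is still enabled"
} catch {
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -eq 401) {
        'OK: anonymous request rejected with 401'
    } else {
        Write-Warning "Unexpected status $code for anonymous request"
    }
}

# 2. Same request with the current Windows logon (Kerberos/NTLM via -UseDefaultCredentials).
#    This should be accepted; the identity provider then handles the SAML exchange for
#    the user whose Login Name in Replicon matches this Windows account.
$r = Invoke-WebRequest -Uri $idpUrl -UseDefaultCredentials -UseBasicParsing
"Authenticated request: $($r.StatusCode) $($r.StatusDescription), Content-Type: $($r.Headers['Content-Type'])"
```

Run it as the Windows user you configured in Replicon. If the first request does not return 401, go back to the authentication settings for the SAML application before giving the URL to users; if the second request also fails with 401, the workstation is not presenting a Windows identity the server accepts (not domain-joined, or a host name that does not resolve to an account IIS can authenticate against).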