System Category	Security
Source	Windows Active Directory
Available since	2014
Organisation

Note

This document has now been superseded by Integrate iShare GIS with ADFS

Overview

If you want to use Windows Active Directory Federation Services (AD FS) version 2.x Web Single Sign-On (AD FS WebSSO) for authenticating users in iShare GIS then the following configuration needs to be performed on the server hosting iShare's Web application. This is typically done if the iShare web server is external to Active Directory network against which users are to be authenticated.

The iShare GIS URL must have been specified as a trusting party in the AD FS configuration (this will be done by the domain system administrator/team).

The iShare web server must be setup to use HTTPS, certificates should be supplied by the network/web/domain team. If running in an on-premises server, Internet Information Services (IIS) should have been configured by them too.

iShare GIS requires that AD FS has been configured to use Group Membership populate a Role Claim:

Claim Type: Role.
Template: Send Group Membership as a Claim
Claim value: corresponds to Group on iShare GIS Web Service server backing an iShare Role, e.g. “StandardUsers” or “ExpertUsers”

Step-by-step guide

What to do on the server running the iShare Web application for iShare GIS

Ensure that the Application Pool used by iShare Web is loading its User Profile (IIS Manager > Application Pools > [app pool name] > Advanced Settings > Process Model > Load User Profile = True)
Set the Default Document for the iShare GIS web application to iShareGIS.aspx (or the name of the page used for iShare GIS)
Install Windows Identity Foundation
Run the Windows Identity Foundation Federation Utility, point it at the iShare Web web.config file and the iShare Web application URL and then at the AD FS federating server's federation metadata URL under "Use an existing STS" (this alters the web.config file, so back it up first).
Add the Certificates snap-in to an Microsoft Management Console (MMC) instance (select Computer Account and Local Computer) and save it somewhere memorable e.g.:

Copy the Root Certification Authority (CA) certificate for the authorizing domain and the certificate to authenticate AD FS request to the server (these will probably have been supplied by a system administrator from the authenticating domain.

See "Obtaining the Root CA certificate via AD CS web page" and "Obtaining certificate via AD CS web page" for an alternative method.

In the Certificates MMC window, expand Certificates (Local Computer) then Trusted Root Certification Authorities and right-click on Certificates and select All Tasks -> Import...

Go through the wizard and pick the Root CA certificate file you have been provided with

If you have downloaded the file from the Active Directory Certificate Services (AD CS) page then it'll probably be called certnew.cer

Finish the wizard leaving all other options on the default setting
In the Certificates MMC window, expand Certificates (Local Computer) then Personal and right-click on Certificates and select All Tasks -> Import...
Go through the wizard and pick the server certificate file you have been provided with

If you have downloaded the file from the Active Directory Certificate Services (AD CS) page then it should have a .pfx extension and be password protected

Finish the wizard leaving all other options on the default setting

Obtaining the Root CA Certificate via AD CS web page

Browse to the /certserv URL on the issuing server, e.g.:

https://url.of.certificate.server/certserv

Click Download a CA certificate, certificate chain, or CRL
Accept any digital certificate operation dialogs and if there's more than one certificate listed, you should have been told which one to pick
Click Download CA certificate and save the resulting certnew.cer to somewhere sensible

Obtaining a Certification via AD CS web page

Once you have imported the Root CA certificate, browse to the /certserv URL on the issuing server, e.g.:

https://url.of.certificate.server/certserv

Click Request a certificate, advanced certificate request and then Create and submit a request to this CA.
Accept any prompts to allow the digital certificate operation
You should have been told which Certificate Template to select at this point (e.g. "iShare Webapp")
Under Identifying Information enter the domain name of the local web application server into the Name field. The other fields in this section can be left blank.
Enter something useful into Friendly Name under Additional Options.
Click Submit
On the following page click Install this certificate

At this point the certificate will have been installed under your user account from which it will need to be exported before continuing with the setup process.

If not already running, load the Certificates MMC console
If not already present, add the Current User certificates snap-in (File->Add/Remove Snap-in...->Certificates->Add > and then select My user account)
Expand Certificates - Current User then Personal and select Certificates
Right-click the certificate with Issued To equal to the value of the Name field in step 4 of the certificate download process above
Select Export...
Go through the wizard: select Yes, export the private key, leave the defaults on Export File Format, enter and confirm a password and then save the file to a sensible local location

Browser not supported