Solved

Single Sign On Integration(SSO)

Posted on 2014-11-18
9
371 Views
Last Modified: 2015-01-09
I was wondering if someone has some experience on integrating a Single Sign On solution with 3rd party service providers, our company plans to integrate with google apps and silk roads, however as I understand the credentials will be sole stored at our Active Directory Server, I would like to know how will the user manipulate his/her password. Any setup instructions or tips for a smooth integration will be well appreciated.
0
Comment
Question by:jdff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 40452055
You need to install Microsoft ADFS 2.0 \ 3.0 server in your on premise Active Directory and need to publish it on internet

Then your applications need to integrated with ADFS server
In applications, you need to configure ADFS as account provider (Identity Provider)
In ADFS, you need to configure applications as a Relying Party

Also you need to set HomeRealmDiscovery on corporate machines, so that whenever user access application url, it will forward that request to your ADFS server for authentication and ADFS will authenticate user with active directory, ideally it will ask user with logon prompt and user has to enter his AD username and password.

U can add ADFS server URL to intranet zone in IE on all client machines so that user will not be get username \ password prompt and it will pickup user existing logon as windows integrated authentication and user will get SSO experience

If you did not add ADFS server URL to intranet zone, user will initially prompted for username and password and that information will get cached on his machine to get kind of SSO experience

You can check your application manual \ settings on how to establish trust with ADFS

Only thing application must be ADFS aware (Claims aware - SAML 2.0 protocol support) because ADFS works on Claims and SAML protocol.

To configure ADFS on windows server
http://www.gunnalag.com/2014/06/18/step-by-step-guide-for-installing-and-configuring-adfs-3-0-on-windows-server-2012/
U will get MS documentation as well.

Check below URLs wrt Google Apps
http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/
http://itlinkmaine.com/site/2013/07/google-apps-and-active-directory-federation-services/

There are numerous posts available on above topics
0
 
LVL 14

Expert Comment

by:Allen Falcon
ID: 40454005
Before you jump through hoops ... are you looking to integrate SSO yourself or are you looking at a third party solution that would provide a single login screen for both Google Apps and Silk Road HR?
0
 

Author Comment

by:jdff
ID: 40454118
I plan to deploy adfs to integrate silkroad ride away but if there is any 3rd party solution to make things easier or to save time, i would consider it. Not very concerned about google apps at the present time since my project needs to move forward with silk road first.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 37

Expert Comment

by:Mahesh
ID: 40454262
If your application is claims aware (Supports SAML), then its not very hard to setup ADFS,
There is one 3rd party product I am aware.
https://www.okta.com/product/identity-management/single-sign-on.html
But I don't think its required.
0
 
LVL 14

Expert Comment

by:Allen Falcon
ID: 40454386
I would also look at ClearLogin.
0
 

Author Comment

by:jdff
ID: 40463238
Hi Allen,
I did contact Clearlogin and we'll go for a demo now, if anyone has any other suggestions, please let me know. We are also strongly considering to deploy the solution ourselves as Mahesh has detailed.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40463791
MS has done lots of improvements in Windows 2012 R2 ADFS 3.0 by inserting TWO factor authentication and addition of Web Application Proxy role
This role provides you variety of authentication and application publishing methods and also supports ADFS proxy functionality like previous versions
Check below links
http://technet.microsoft.com/en-in/library/dn584113.aspx
http://technet.microsoft.com/en-in/library/dn383650.aspx

Further more they have released more features as part of Windows Server next version Technical Preview
http://blogs.technet.com/b/applicationproxyblog/archive/2014/10/01/introducing-the-next-version-of-web-application-proxy.aspx
0
 

Author Comment

by:jdff
ID: 40510831
Mahesh,
We have a 2008 STD R2 domain controller, should I deploy a secondary domain controller with Windows 2012 for this purpose?
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40510952
For AD FS to operate successfully, domain controllers in either the account partner organization or the resource partner organization must be running Windows Server 2003 SP1, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2012 / 2012 R2

AD FS does not require schema changes or functional-level modifications to AD DS.

Most AD FS features do not require AD DS functional-level modifications to operate successfully. However, Windows Server 2008 domain functional level or higher is required for client certificate authentication to operate successfully if the certificate is explicitly mapped to a user's account in AD DS.
I don't think this is your case, so any DC with 2003 SP1 and above will work
http://technet.microsoft.com/en-in/library/ff678034.aspx
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question