Configuring Workspaces (BridgeIT) and Web Access to use Identity Server Logon Policy

Version 28

    Verified Product Versions

    Service Desk 2016.x, Service Desk 2017.x

    Introduction

     

    Almost every application today interacts with data and resources that need to be protected. In most situations, secure authentication and authorization are essential requirements.

    In the past, and often still today, the solution was an explicit login (user name and password) or Windows Authentication, but this is changing rapidly as applications become distributed and mobile. Passwords have become an anti-pattern, and single sign-on, security token services and federation are now the widespread technologies for giving users a seamless security experience.

    Identity Server

     

    Starting from Service Desk 2016.4 you can use the newly added Identity Server logon policy.

    Identity Server is a Secure Token Service that issues OAuth2 and OpenID Connect tokens. It acts as a login and authorization service and can be used for single sign-on and federated authentication. End users obtain authorization to access resources via an authentication redirect; after a secret exchange, the user's client obtains the access token it needs to use Workspaces and Web Access.

    When users first access Workspaces or Web Access, they are redirected to Identity Server to authenticate. Once authenticated, they are logged in and do not need to authenticate again for either Workspaces or Web Access until a configurable number of days has passed. Users can authenticate either with an explicit logon or with Windows authentication.

    Please check the resources below to better understand Identity Server, OAuth2 and OpenID.

    How Identity Server Works (source: Welcome to IdentityServer4 — IdentityServer4 1.0.0 documentation)

     

    When an enterprise user or an external application tries to access content stored on a company’s web server, the policy agent intercepts the request and directs it to Identity Server. Identity Server asks the user to present credentials such as a username and password. If the credentials match those stored in the central Directory Server, Identity Server verifies that the user is who he says he is. Next, Identity Server evaluates the policies associated with the user’s identity, and then determines whether the user is allowed to view the requested information.

    Finally, Identity Server either grants or denies the user access to the information. The figure below illustrates one way Identity Server can be configured to act as the gatekeeper to a company’s information resources.

    Pic.1. Identity Server as the gatekeeper (image: overview.gif)

     

    Identity Server consolidates four major features into a single product that can be managed from a single administration console:

    1. Identity Administration
    2. Access Management
    3. Service Management
    4. Federation Management

     

    General Overview - An Introduction to OAuth 2

     

     

    Abstract Process Flow (source: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2).

    Pic.2. Abstract Process Flow (image: abstract_flow.png)

     

     

    1. The application requests authorization to access service resources from the user.
    2. If the user authorizes the request, the application receives an authorization grant.
    3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity and the authorization grant.
    4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
    5. The application requests the resource from the resource server (API) and presents the access token for authentication.
    6. If the access token is valid, the resource server (API) serves the resource to the application.

    The actual flow of this process differs depending on the authorization grant type in use, but this is the general idea.
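    The six-step flow above, as an added example that is not part of the original article or of the product's own code: a small Python simulation of an authorization server in the role of Identity Server, one resource server and the client applications, which also covers the consent expiration shown later in Pic.4 (after the configured number of days the user is asked to confirm again). The client names "bridgeit" and "webaccess", the shared secret, the 30-day consent window and the one-hour token lifetime are constructed values.

```python
import hmac
import secrets
# Constructed client registrations (made-up values standing in for the Identity Server Secret).
CLIENTS = {"bridgeit": "constructed-secret", "webaccess": "constructed-secret"}
DAY = 86400

class AuthorizationServer:  # stand-in for Identity Server
    def __init__(self, clients, consent_days=30, token_ttl=3600):
        self.clients, self.consent_days, self.token_ttl = clients, consent_days, token_ttl
        self.codes, self.tokens, self.consents = {}, {}, {}

    def consent_required(self, user, client_id, now):
        # Pic.4: the confirmation window is shown again once the stored consent has expired
        return self.consents.get((user, client_id), 0) <= now

    def authorize(self, client_id, user, now, user_approves):
        # Steps 1-2: the user authenticates and, if asked, approves the request
        if client_id not in self.clients:
            return None
        if self.consent_required(user, client_id, now):
            if not user_approves:
                return None
            self.consents[(user, client_id)] = now + self.consent_days * DAY
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code  # the authorization grant handed back to the application

    def token(self, client_id, client_secret, code, now):
        # Steps 3-4: the application proves its identity (ClientID + secret) and redeems the grant
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        grant = self.codes.pop(code, None)  # codes are single-use: a replayed code gets no token
        if grant is None or grant[0] != client_id:
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (grant[1], now + self.token_ttl)
        return tok

def get_resource(auth, token, now):
    # Steps 5-6: the resource server answers only for a valid, unexpired token
    entry = auth.tokens.get(token)
    if entry is None or entry[1] <= now:
        return (401, None)
    return (200, "tickets for " + entry[0])

def run_flow(auth, client_id, secret, user, now, user_approves=True):
    code = auth.authorize(client_id, user, now, user_approves)
    tok = auth.token(client_id, secret, code, now) if code else None
    return get_resource(auth, tok, now)
```

    A wrong client secret, a replayed authorization code, an expired token or a withdrawn consent all end in a 401 from the resource server, which is the behaviour to expect when the Identity Server Secret differs between the applications.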

     

    OAuth 2 and OpenID - Additional Sources

    https://oauth.net/2/

    OpenID Foundation website

    OpenID - Wikipedia

    ClientID and Server Secret

    1. OAuth requires a ClientID and a Server Secret from clients.
    2. Configuration Center only allows the configuration of the Server Secret.
    3. If you make a change in tps.config, it will be overwritten by the next change in Configuration Center.
    4. Service Desk adds additional, non-OAuth-compliant URL parts to the Server URL. This makes it impossible to connect to any other OAuth service (e.g. Google).

     

    Identity Server Configuration (Configuration Center)

     

    In order to use the Identity Server logon policy, you need to have the Identity Server application installed.

    To configure Identity Server, edit the application. The Identity Server Secret must be generated and then used for the other applications (Framework, Web Access, BridgeIT). When the Identity Server application is installed in Configuration Center, the Identity Server Secret is generated automatically. If you want to use this logon policy, make sure that every application (Framework, Web Access, BridgeIT) is updated with the Identity Server Secret and that it holds the same value as the Identity Server application.

    To allow Explicit and Integrated Logins, set Allow Explicit Logins to True and Allow Windows Logins to True.

     

    Pic.3. Identity Server Configuration (image: Identity Server Application Configuration.png)

    Pic.4. Identity Server Configuration - User Consent Expiration (Days): after the selected number of days the user receives the confirmation window again, as on Pic.12 (image: User Consent Expiration - Days.png)

    Pic.5. Framework Configuration to use Identity Server logon policy (image: Framework - Identity Server Logon Policy.png)

    Pic.6. BridgeIT (Workspaces) Configuration to use Identity Server logon policy, also with Integrated Logins (image: BridgeIT - Identity Server Logon Policy.png)

    Pic.7. Web Access Configuration to use Identity Server logon policy, also with Integrated Logins (image: Web Access - Identity Server Logon Policy.png)

     

     

    Authentication Configuration in IIS

     

    Pic.8. Identity Server application - authentication - IIS (image: Identity Server application - IIS.png)

    Pic.9. Framework application - authentication - IIS (image: Framework application - IIS.png)

    Pic.10. BridgeIT application - authentication - IIS (image: BridgeIT application - IIS.png)

    Pic.11. Web Access application - authentication - IIS (image: Web Access application - IIS.png)

     

    Logging into BridgeIT

     

    Pic.12. Logging into BridgeIT with Identity Server logon policy - authorization page (image: Logging in - BridgeIT.png)

    When logged into BridgeIT with the Identity Server configuration, the Sign out button is unfortunately not currently available. In this case, closing the browser ends the session.

    Pic.13. Missing Sign out button (image: End User - BridgeIT.png)

     

     

    Logging into Self Service

     

     

    Pic.14. Logging into Web Access (Self Service) with Identity Server logon policy - authorization page (image: Self Service Permission Window.png)

    Pic.15. Logging into Web Access (Self Service) with Identity Server logon policy (image: Logigng Into Self Service.png)

    Pic.16. End User using Self Service with Identity Server logon policy (image: Self Service - In.png)

    Pic.17. Logout page - Self Service with Identity Server logon policy (image: Self Service Logout Page.png)

     

     

    User configuration in Console

     

    Pic.18. End User configuration in Console: make sure that the user has a Network Login added for the Identity Server logon policy to be used. After the first login the token is created, as shown on the screenshot (image: End User - Console.png)

     

    Issues logging into the Workspaces/Self Service

     

    If you experience the issue below in Workspaces or Web Access (Self Service), please refer to the article "Integrated Login into Web Access or BridgeIT failes via Identity Server in SD 2016.4". Also check that the Framework, BridgeIT and Web Access applications are properly configured and that the user has a network login added. Make sure that Framework is also configured to use the Identity Server logon policy, and check that the authentication settings in IIS match the Authentication Configuration in IIS section.

    Pic.19. Error Logging into Workspaces (image: Error_BridgeIT.png)