Configuring Workspaces (BridgeIT) and Web Access to use Identity Server Logon Policy

Version 28

    Verified Product Versions

    Service Desk 2016.x, Service Desk 2017.x



    Almost every application today interacts with data and resources that need to be protected. In most situations, secure authentication and authorization is an essential requirement.


    In the past, and still today, the answer was an explicit login (user name and password) or Windows Authentication, but this is changing rapidly as applications move into distributed and mobile environments. Passwords have become an anti-pattern; single sign-on, security token services and federation are now the widespread technologies for giving users a seamless security experience.


    Identity Server


    Starting from Service Desk 2016.4 you can use the newly added Identity Server logon policy.


    Identity Server is a Secure Token Service that issues OAuth2 and OpenID Connect tokens. It acts as the login and authorization service: single sign-on and federated authentication can be provided through it. End users obtain authorization to access resources via an authentication redirect, and, using a secret exchange, user clients obtain the access tokens needed to use Workspaces and Web Access.


    When users first access Workspaces or Web Access, they are redirected to authenticate using Identity Server. Once authenticated, they are logged in and no longer need to authenticate for either Workspaces or Web Access until a configurable number of days has passed. Users can choose to authenticate either using an explicit logon or using Windows authentication.


    Please check the below resources to better understand the Identity Server, OAuth2 and OpenID technologies.


    How Identity Server Works (source: Welcome to IdentityServer4 — IdentityServer4 1.0.0 documentation)


    When an enterprise user or an external application tries to access content stored on a company’s web server, the policy agent intercepts the request and directs it to Identity Server. Identity Server asks the user to present credentials such as a username and password. If the credentials match those stored in the central Directory Server, Identity Server verifies that the user is who he says he is. Next, Identity Server evaluates the policies associated with the user’s identity, and then determines whether the user is allowed to view the requested information.

    Finally, Identity Server either grants or denies the user access to the information. The below figure illustrates one way Identity Server can be configured to act as the gatekeeper to a company’s information resources.



    Pic.1. Identity Server as the gatekeeper


    Identity Server consolidates four major features into a single product that can be viewed in a single administration console:



    Identity Administration

    Access Management

    Service Management

    Federation Management


    General Overview - An Introduction to OAuth 2



    Abstract Process Flow (source:




    Pic.2. Abstract Process Flow



    1.    The application requests authorization to access service resources from the user

    2.    If the user authorized the request, the application receives an authorization grant

    3.    The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant

    4.    If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.

    5.    The application requests the resource from the resource server (API) and presents the access token for authentication

    6.    If the access token is valid, the resource server (API) serves the resource to the application


    The actual flow of this process will differ depending on the authorization grant type in use, but this is the general idea.


    OAuth 2 and OpenID - Additional Sources


    OpenID Foundation website


    OpenID - Wikipedia


    ClientID and Secret Server


    1. OAuth requires a ClientID and a Server Secret from clients.

    2. Configuration Center only allows the configuration of the Server Secret.

    3. If you make a change in tps.config, it will be overwritten by the next change in Configuration Center.

    4. Service Desk adds additional, non-OAuth-compliant URL parts to the Server URL. This makes it impossible to connect to any other OAuth service (e.g. Google).
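    The six-step abstract flow above and the ClientID/Server Secret requirement, worked through as an added example (this is not code from the original article or from the Service Desk product): a small Python simulation in which an authorization server plays the Identity Server role, a client registered with a hypothetical ID and secret requests a grant and exchanges it for a token, and a resource server serves only when the token is valid. The client registration, user names, time-to-live values and the 30-day consent window are constructed assumptions, not product settings.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed client registry (hypothetical ID and secret; not values from the product).
REGISTERED_CLIENTS = {"workspaces": "s3cret-for-workspaces"}


@dataclass
class AuthorizationServer:
    """Plays the Identity Server role: holds the client registry, issues grants and tokens."""
    clients: dict
    consent_days: int = 30        # assumed value, like "User Consent Expiration - Days"
    code_ttl: int = 60            # authorization codes (grants) are short-lived
    token_ttl: int = 3600         # access token lifetime in seconds (assumed)
    _consents: dict = field(default_factory=dict)   # (user, client_id) -> time of consent
    _codes: dict = field(default_factory=dict)      # code -> (client_id, user, expires)
    _tokens: dict = field(default_factory=dict)     # token -> (client_id, user, expires)

    def authorize(self, client_id, user, user_approves, now=None):
        """Steps 1-2: ask the user for consent; on approval, or while an earlier
        consent is still inside the consent window, hand back an authorization grant."""
        now = time.time() if now is None else now
        if client_id not in self.clients:
            raise ValueError("unknown client")
        consented_at = self._consents.get((user, client_id))
        if consented_at is None or now - consented_at > self.consent_days * 86400:
            if not user_approves:
                return None                  # user denied: no grant is issued
            self._consents[(user, client_id)] = now
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, user, now + self.code_ttl)
        return code

    def token(self, client_id, client_secret, code, now=None):
        """Steps 3-4: authenticate the client by its secret, validate the grant,
        then issue an access token."""
        now = time.time() if now is None else now
        expected = self.clients.get(client_id)
        # Constant-time comparison so a wrong secret is not distinguishable by timing.
        if expected is None or not hmac.compare_digest(client_secret, expected):
            return None
        grant = self._codes.pop(code, None)  # single use: popping prevents replay of the code
        if grant is None or grant[0] != client_id or grant[2] < now:
            return None
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = (client_id, grant[1], now + self.token_ttl)
        return tok

    def introspect(self, tok, now=None):
        """Tell a resource server whether a token is known and unexpired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(tok)
        if entry is None or entry[2] < now:
            return None
        return {"client_id": entry[0], "user": entry[1]}


class ResourceServer:
    """Plays the protected API: serves a resource only for a valid access token."""
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_resource(self, bearer_token, now=None):
        """Steps 5-6: check the presented token before serving."""
        info = self.auth_server.introspect(bearer_token, now)
        if info is None:
            return 401, None
        return 200, f"ticket list for {info['user']}"


def run_flow(user_approves=True, secret=REGISTERED_CLIENTS["workspaces"], now=1_700_000_000):
    """Drive the whole exchange for the constructed user 'alice' and return the
    HTTP-style status the resource server answers with (200 served, 401 refused)."""
    auth = AuthorizationServer(clients=dict(REGISTERED_CLIENTS))
    rs = ResourceServer(auth)
    code = auth.authorize("workspaces", "alice", user_approves, now)
    if code is None:
        return 401
    tok = auth.token("workspaces", secret, code, now)
    if tok is None:
        return 401
    status, _ = rs.get_resource(tok, now)
    return status


if __name__ == "__main__":
    print("happy path:", run_flow())
    print("user denies consent:", run_flow(user_approves=False))
    print("wrong client secret:", run_flow(secret="not-the-registered-secret"))
```

    Three properties of the design carry over to any real deployment: the client secret is compared in constant time and never echoed back, an authorization code is consumed on first use so a captured code cannot be replayed, and a token that has outlived its lifetime is refused by the resource server even though it was once valid. The consent record models why a user is not prompted again until the configured number of days has passed.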


    Identity Server Configuration (Configuration Center)


    In order to use the Identity Server logon policy, you need to have the Identity Server application installed.


    To configure Identity Server, edit the application. The Identity Server Secret must be generated and then used for the other applications (Framework, Web Access, BridgeIT). When the Identity Server application is installed in Configuration Center, the Identity Server Secret is generated automatically. If you want to use this logon policy, make sure that every application (Framework, Web Access, BridgeIT) has been updated with the Identity Server Secret and that it is the same as in the Identity Server application.


    To allow Explicit and Integrated Logins, set Allow Explicit Logins to True and Allow Windows Logins to True.


    [Image: Identity Server Application Configuration.png]

    Pic.3. Identity Server Configuration

    [Image: User Consent Expiration - Days.png]

    Pic.4. Identity Server Configuration - User Consent Expiration (Days) - after the selected time the user will receive the confirmation window as on Pic.12


    [Image: Framework - Identity Server Logon Policy.png]

    Pic.5. Framework Configuration to use Identity Server logon policy

    [Image: BridgeIT - Identity Server Logon Policy.png]

    Pic.6. BridgeIT (Workspaces) Configuration to use Identity Server logon policy, also with Integrated Logins

    [Image: Web Access - Identity Server Logon Policy.png]

    Pic.7. Web Access Configuration to use Identity Server logon policy, also with Integrated Logins



    Authentication Configuration in IIS


    [Image: Identity Server application - IIS.png]

    Pic.8. Identity Server application - authentication - IIS

    [Image: Framework application - IIS.png]

    Pic.9. Framework application - authentication - IIS

    [Image: BridgeIT application - IIS.png]

    Pic.10. BridgeIT application - authentication - IIS

    [Image: Web Access application - IIS.png]

    Pic.11. Web Access application - authentication - IIS


    Logging into BridgeIT


    [Image: Logging in - BridgeIT.png]

    Pic.12. Logging into BridgeIT with Identity Server logon policy - authorization page

    When logging into BridgeIT with the Identity Server configuration, the Sign out button is unfortunately not available at present. In this case, closing the browser ends the session.

    [Image: End User - BridgeIT.png]

    Pic.13. Missing sign out button



    Logging into Self Service



    [Image: Self Service Permission Window.png]

    Pic.14. Logging into Web Access (Self Service) with Identity Server logon policy - authorization page

    [Image: Logigng Into Self Service.png]

    Pic.15. Logging into Web Access (Self Service) with Identity Server logon policy

    [Image: Self Service - In.png]

    Pic.16. End User using Self Service with Identity Server logon policy

    [Image: Self Service Logout Page.png]

    Pic.17. Logout page - Self Service with Identity Server logon policy



    User configuration in Console


    [Image: End User - Console.png]

    Pic.18. End User configuration in Console (make sure that the user has a Network Login added for the Identity Server logon policy to be used). After the first login the token is created (as on the above screenshot).


    Issues logging into the Workspaces/Self Service


    If you are experiencing the below issue in Workspaces or Web Access (Self Service), please refer to the article Integrated Login into Web Access or BridgeIT failes via Identity Server in SD 2016.4. Also check that the Framework, BridgeIT and Web Access applications are properly configured and that the user has the network login added, that the Framework is also configured to use the Identity Server logon policy, and that the authentication settings in IIS match the Authentication Configuration in IIS section.



    Pic.19. Error Logging into Workspaces