Almost every application today works with data and resources that need to be protected, so in most situations secure authentication and authorization is an essential requirement.
Historically, and still today, the answer has been an explicit login (user name and password) or Windows Authentication, but this is changing rapidly as applications become distributed and mobile. Handing a password to every application has become an anti-pattern; single sign-on, security token services and federation are now the widespread technologies for giving users a seamless and secure experience.
Starting from Service Desk 2016.4 you can use the newly added Identity Server logon policy.
Identity Server is a Secure Token Service that issues OAuth2 and OpenID Connect tokens and acts as the login and authorization service for Service Desk. Single sign-on and federated authentication can be built on it. End users obtain authorization to access resources by being redirected to Identity Server to authenticate; the client applications then present their shared secret to exchange the result of that authentication for the access tokens needed to use Workspaces and Web Access.
When users first access Workspaces or Web Access, they are redirected to Identity Server to authenticate. Once authenticated, they are logged in and do not need to authenticate again for either Workspaces or Web Access until a configurable number of days has passed. Users can authenticate either with an explicit logon or with Windows authentication.
See the resources below for background on Identity Server, OAuth2 and OpenID Connect.
How Identity Server Works (source: Welcome to IdentityServer4 — IdentityServer4 1.0.0 documentation)
When an enterprise user or an external application tries to access content stored on a company's web server, the policy agent intercepts the request and redirects it to Identity Server. Identity Server asks the user for credentials such as a user name and password. If they match those held in the central Directory Server, the user's identity is verified. Identity Server then evaluates the policies associated with that identity and decides whether the user is allowed to view the requested information.
Finally, Identity Server either grants or denies the user access to the information. The figure below illustrates one way Identity Server can be configured to act as the gatekeeper to a company's information resources.
Pic.1. Identity Server as the gatekeeper
Identity Server consolidates four major features into a single product that can be viewed in a single administration console:
General Overview - An Introduction to OAuth 2
Abstract Process Flow (source: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2).
Pic.2. Abstract Process Flow
1. The application requests authorization to access service resources from the user
2. If the user authorizes the request, the application receives an authorization grant
3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity (its ClientID and secret) together with the authorization grant
4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
5. The application requests the resource from the resource server (API) and presents the access token for authentication
6. If the access token is valid, the resource server (API) serves the resource to the application
The actual flow of this process will differ depending on the authorization grant type in use, but this is the general idea.
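The six steps above, together with the gatekeeper behaviour described under "How Identity Server Works" (authenticate, evaluate policy, then grant or deny), can be seen end to end in the following added example. It is not Ivanti or IdentityServer code: the authorization server, the resource server, and the client ID, secret, redirect URI, user, password and scope names are all constructed for the demo, and the server keeps its state in memory instead of issuing signed tokens. It shows the authorization-code variant of the flow, and also the three refusals a reviewer would want to see: a reused code, a wrong client secret, and a scope the policy does not allow the user to grant.

```python
"""Toy OAuth 2 authorization-code exchange (added example, not Service Desk code)."""
import hmac
import secrets
import time

# Constructed client registration: the secret is what the article calls the
# Identity Server Secret that every client application has to share.
CLIENTS = {
    "workspaces": {
        "secret": "demo-identity-server-secret",
        "redirect_uri": "https://servicedesk.example/BridgeIT/signin-oidc",
    },
}
# Constructed user table; a real server stores salted password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}
# Constructed policy: the scopes each identity is allowed to grant (the "policy evaluation" step).
POLICY = {"alice": {"tickets:read"}}

CODE_TTL = 60      # seconds an authorization code stays valid
TOKEN_TTL = 3600   # seconds an access token stays valid


class AuthorizationServer:
    """Plays Identity Server: authenticates the user, issues grants and access tokens."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, user, scopes, redirect_uri, expires_at)
        self._tokens = {}  # token -> (user, scopes, expires_at)

    def authorize(self, client_id, redirect_uri, scope, username, password):
        """Steps 1-2: the user authenticates; if policy allows, a grant (code) is issued."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("bad credentials")
        requested = set(scope.split())
        if not requested <= POLICY.get(username, set()):
            raise PermissionError("policy denies the requested scope")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, username, requested, redirect_uri, time.time() + CODE_TTL)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 3-4: the client authenticates itself and trades the grant for a token."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self._codes.pop(code, None)  # pop: an authorization code is single-use
        if grant is None:
            raise PermissionError("invalid, expired or already used code")
        grant_client, user, scopes, grant_uri, expires_at = grant
        if grant_client != client_id or grant_uri != redirect_uri or time.time() > expires_at:
            raise PermissionError("grant was not issued to this client, or has expired")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (user, scopes, time.time() + TOKEN_TTL)
        return access_token

    def introspect(self, access_token):
        """Lets the resource server validate an opaque token; None means invalid/expired."""
        entry = self._tokens.get(access_token)
        if entry is None or time.time() > entry[2]:
            return None
        return {"user": entry[0], "scopes": entry[1]}


class ResourceServer:
    """Plays Workspaces / Web Access: serves data only for a valid, sufficiently scoped token."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get(self, path, access_token, required_scope):
        """Steps 5-6: validate the presented token, then serve or refuse."""
        info = self.auth_server.introspect(access_token)
        if info is None or required_scope not in info["scopes"]:
            raise PermissionError("invalid token or insufficient scope")
        return f"{path} served to {info['user']}"


def _denied(fn, *args):
    """True if the call is refused with PermissionError, False if it succeeds."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def run_flow():
    """Runs the full exchange and the refusals that make the flow safe."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    client = CLIENTS["workspaces"]
    uri, secret, user, pw = client["redirect_uri"], client["secret"], "alice", USERS["alice"]
    code = auth.authorize("workspaces", uri, "tickets:read", user, pw)
    token = auth.token("workspaces", secret, code, uri)
    fresh_code = auth.authorize("workspaces", uri, "tickets:read", user, pw)
    return {
        "resource": api.get("/tickets/42", token, "tickets:read"),
        "code_reuse_rejected": _denied(auth.token, "workspaces", secret, code, uri),
        "bad_secret_rejected": _denied(auth.token, "workspaces", "wrong-secret", fresh_code, uri),
        "scope_denied_by_policy": _denied(auth.authorize, "workspaces", uri, "tickets:write", user, pw),
        "insufficient_scope_rejected": _denied(api.get, "/tickets/42", token, "tickets:write"),
    }


if __name__ == "__main__":
    for check, result in run_flow().items():
        print(f"{check}: {result}")
```

The two checks worth noticing are the ones the article's notes on ClientID and secret imply: the token endpoint authenticates the client (steps 3-4) before it looks at the grant, and a code that was issued to one client cannot be redeemed by another or used twice. Neither protection exists if the secret is shared beyond the registered client applications.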
OAuth 2 and OpenID - Additional Sources
ClientID and Server Secret
1. OAuth requires each client to present a ClientID and a secret (the Server Secret).
2. Configuration Center only allows the Server Secret to be configured; the ClientID cannot be changed there.
3. Any change you make directly in tps.config is overwritten by the next change made in Configuration Center, so make changes only through Configuration Center.
4. Service Desk adds additional, non-OAuth-compliant parts to the Server URL. This makes it impossible to connect to any other OAuth service (for example Google), so the logon policy cannot be pointed at an external provider.
Identity Server Configuration (Configuration Center)
To use the Identity Server logon policy, you need to have the Identity Server application installed.
To configure Identity Server, edit the application in Configuration Center. The Identity Server Secret is generated automatically when the Identity Server application is installed through Configuration Center, and the same secret must then be entered in every other application that will use this logon policy (Framework, Web Access, BridgeIT). Before enabling the policy, make sure each of these applications has been updated with the Identity Server Secret and that the value is identical to the one in the Identity Server application. Treat the secret as a credential: it is what identifies the client applications to Identity Server.
To allow both explicit and integrated (Windows) logins, set Allow Explicit Logins to True and Allow Windows Logins to True.
Pic.3. Identity Server Configuration
Pic.4. Identity Server Configuration - User Consent Description (Days): after the selected number of days the user is shown the confirmation window again, as in Pic.12
Pic.5. Framework Configuration to use Identity Server logon policy
Pic.6. BridgeIT (Workspaces) Configuration to use Identity Server logon policy also with Integrated Logins
Pic.7. Web Access Configuration to use Identity Server logon policy also with Integrated Logins
Authentication Configuration in IIS
Pic.8. Identity Server application - authentication - IIS
Pic.9. Framework application - authentication - IIS
Pic.10. BridgeIT application - authentication - IIS
Pic.11. Web Access application - authentication - IIS
Logging into BridgeIT
Pic.12. Logging into BridgeIT with Identity Server logon policy - authorization page
Currently, when logging into BridgeIT with the Identity Server configuration, the Sign out button is unfortunately not available; closing the browser ends the BridgeIT session. Bear in mind that, as described above, a user stays authenticated with Identity Server for the configured number of days, so on a shared workstation closing the browser should not be relied on to force a fresh logon.
Pic.13. Missing sign out button
Logging into Self Service
Pic.14. Logging into Web Access (Self Service) with Identity Server logon policy - authorization page
Pic.15. Logging into Web Access (Self Service) with Identity Server logon policy
Pic.16. End User using Self Service with Identity Server logon policy
Pic.17. Logout page - Self Service with Identity Server logon policy
User configuration in Console
Pic.18. End User configuration in Console. Make sure the user has a Network Login added; it is required for the Identity Server logon policy to be used. The token is created after the user's first login, as shown in the screenshot.
Issues logging into the Workspaces/Self Service
If you see the error below in Workspaces or Web Access (Self Service), refer to the article Integrated Login into Web Access or BridgeIT fails via Identity Server in SD 2016.4. Also check that the Framework, BridgeIT and Web Access applications are configured correctly, that the Framework itself is set to use the Identity Server logon policy, that the user has a Network Login added, and that the IIS authentication settings match the Authentication Configuration in IIS section.
Pic.19. Error Logging into Workspaces