We were recently asked to recommend an approach that would let a project team test the migration from their existing authentication model to SAML (Security Assertion Markup Language) without impacting users' ability to access Passwordstate.
In the example for this blog we're currently set up for SSO (Single Sign-On) using Passthrough Authentication, and all clients are Windows based.
Don’t Use Your Own Account!
First things first: don't be tempted to simply test the changes on your own account, especially if it is a Security Administrator's account. The last thing you want to be doing is repeatedly logging in with the Emergency Access account to reverse your changes because the SAML configuration wasn't right.
Take the time, and obtain any approvals required, to establish a dedicated test account, set up to mirror a typical user. An account like this is useful across a number of scenarios, including testing folder and password list permissions, User Account Policies and so on, and you can (and should) disable it whenever it isn't actively in use.
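As an added example (not part of the original post, and not a Click Studios script), here is one way to create such a test account in Active Directory so that it mirrors a typical user's group membership and stays disabled until a test is actually running. The account name, reference user, OU path and UPN suffix are placeholders; it assumes the RSAT ActiveDirectory module and rights to create users in the target OU.

```powershell
# Added example (not from the Click Studios post): create a dedicated SAML test account in AD
# that mirrors a typical user's group membership and stays disabled until a test is running.
# Assumptions: the RSAT ActiveDirectory module is installed, you have rights in the target OU,
# and the OU path, reference user and account names below are placeholders for your own.
Import-Module ActiveDirectory

$TestSam = 'svc-pws-samltest'                        # placeholder account name
$RefUser = 'jsmith'                                  # placeholder: a typical (non-admin) Passwordstate user to mirror
$OU      = 'OU=Test Accounts,DC=example,DC=local'    # placeholder OU
$Upn     = "$TestSam@example.local"                  # placeholder UPN suffix

function New-PasswordstateTestUser {
    param([string]$Sam, [string]$Reference, [string]$Path, [string]$Upn)

    # Never hard-code the password: prompt for it and keep it as a SecureString.
    $pw = Read-Host -Prompt "Initial password for $Sam" -AsSecureString

    # Created disabled: enable it only for the duration of a test session.
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName $Upn -Path $Path `
        -AccountPassword $pw -Enabled $false `
        -Description 'Passwordstate SAML migration test account. Enable only while testing.'

    # "Comparable to that of a typical user": copy the reference user's group memberships,
    # skipping the primary group (normally Domain Users), which every account already has.
    # Pick a reference user who is NOT a Security Administrator, or the test account inherits
    # whatever Passwordstate permissions are granted through those groups.
    $refPrimary = (Get-ADUser $Reference -Properties PrimaryGroup).PrimaryGroup
    Get-ADPrincipalGroupMembership -Identity $Reference |
        Where-Object { $_.DistinguishedName -ne $refPrimary } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $Sam }

    # Return the result so the caller can confirm membership and that Enabled is False.
    Get-ADUser $Sam -Properties MemberOf, Enabled
}

New-PasswordstateTestUser -Sam $TestSam -Reference $RefUser -Path $OU -Upn $Upn

# Enable only while a test is running, then disable again:
# Enable-ADAccount  -Identity $TestSam
# Disable-ADAccount -Identity $TestSam
```

Because the account is created disabled, a forgotten test account can't be used by anyone until you deliberately run Enable-ADAccount, and the description makes its purpose obvious to whoever audits the OU later.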
Disable Anonymous Authentication
Next, temporarily disable Anonymous Authentication in IIS (Internet Information Services). Run the Internet Information Services (IIS) Manager desktop app, navigate to the Passwordstate website, click the Authentication icon, select Anonymous Authentication and right-click to get the Disable option, as per the image below:

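The same change from PowerShell, as an added example that is not part of the original post or a Click Studios script. It assumes the IIS site is named 'Passwordstate' (change $SiteName to match your IIS Manager tree) and an elevated PowerShell session on the web server. It also adds the check a practitioner wants before flipping this switch: if Windows Authentication were off as well, IIS would answer every request with 401 and nobody, Security Administrators included, could reach the login page.

```powershell
# Added example (not from the Click Studios post): toggle IIS Anonymous Authentication on the
# Passwordstate site from PowerShell, with a guard against locking everyone out.
# Assumptions: the IIS site is named 'Passwordstate' (assumed; edit $SiteName) and this runs
# in an elevated PowerShell on the Passwordstate web server.
Import-Module WebAdministration

$SiteName = 'Passwordstate'                 # assumed site name
$AppHost  = 'MACHINE/WEBROOT/APPHOST'       # write a <location> entry in applicationHost.config,
                                            # so the normally locked authentication sections need no unlocking
$AuthBase = 'system.webServer/security/authentication'

function Get-AuthState {
    param([string]$Site)
    $anon = Get-WebConfigurationProperty -PSPath $AppHost -Location $Site `
        -Filter "$AuthBase/anonymousAuthentication" -Name 'enabled'
    $win  = Get-WebConfigurationProperty -PSPath $AppHost -Location $Site `
        -Filter "$AuthBase/windowsAuthentication" -Name 'enabled'
    [pscustomobject]@{ Site = $Site; Anonymous = [bool]$anon.Value; Windows = [bool]$win.Value }
}

function Set-AnonymousAuth {
    param([string]$Site, [bool]$Enabled)
    if (-not $Enabled) {
        # Guard: Anonymous off + Windows Authentication off = 401 for everyone, including the
        # Emergency Access and Security Administrator accounts. Refuse rather than lock out.
        $state = Get-AuthState -Site $Site
        if (-not $state.Windows) {
            throw "Windows Authentication is disabled on '$Site'; enable it before turning Anonymous Authentication off."
        }
    }
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Site `
        -Filter "$AuthBase/anonymousAuthentication" -Name 'enabled' -Value $Enabled
    Get-AuthState -Site $Site
}

# Record the current state first so you can put it back when testing is finished.
$before = Get-AuthState -Site $SiteName
$before | Format-Table -AutoSize

# The step from the post: disable Anonymous Authentication for the duration of the SAML test.
Set-AnonymousAuth -Site $SiteName -Enabled $false | Format-Table -AutoSize

# When the test is over (remember this was meant to be temporary), restore the recorded state:
# Set-AnonymousAuth -Site $SiteName -Enabled $before.Anonymous
```

Writing the setting via the APPHOST path with -Location is the scripted equivalent of the right-click in IIS Manager, and it leaves the site's web.config untouched, which matters for a product that ships its own web.config with upgrades.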
Once this has been done, set the Passwordstate system-wide authentication setting to Manual Login Authentication. Users will then be prompted to enter their AD credentials to log in to Passwordstate while you're testing.
To do this, navigate to Administration->System Settings->authentication options->Web Authentication Options and select Manual Login Authentication from the Choose Authentication Option: drop-down list as shown below (don't forget to click Save at the bottom of the page):

Set your Test Account for SAML Authentication
Now log in using your test account and change its authentication option to SAML 2 Authentication: under Preferences->authentication options->Web Authentication Option, select the SAML option from the Choose Authentication Option: drop-down list, then click Save:

Now log out of Passwordstate. When you log back in you should be redirected to your SAML provider; log in there and, if the authentication settings are correct, you'll be redirected back to Passwordstate and automatically logged in.
Note: the reason you log in twice is that Passwordstate can only identify your account, and therefore your SAML preference, once credentials have been submitted (remember, Anonymous Authentication is disabled). Once SAML is set as the system-wide setting, every user navigating to the login URL will be redirected straight to the SAML provider's authentication screen.
Don’t Forget The SAML Authentication Settings…
These are set under Administration->System Settings->authentication options->Primary Site's SAML2 Authentication Settings and need the following fields filled out:

The above is an effective way to test the configuration and migration to SAML authentication while minimizing the impact on your users. Once it is working correctly, swap over for all users by changing Administration->System Settings->authentication options->Web Authentication Options and selecting SAML 2 Authentication from the Choose Authentication Option: drop-down list, and don't forget to re-enable Anonymous Authentication in IIS, since you only disabled it temporarily for the test.
If you run a mixed client environment then unfortunately you can't disable Anonymous Authentication in IIS, because IIS will then demand Windows Authentication from every browser, which non-Windows clients generally can't satisfy. Also, once SAML2 Authentication is the system-wide authentication setting, your users won't be able to set an individual authentication preference.
Share your feedback by emailing it through to support@clickstudios.com.au.