Deploying the SSO solution package for Live@edu on Windows Server 2008 & Windows Server 2008 R2


 

Applies to: Live@edu

Topic Last Modified: Nov 2011

A single sign-on solution lets users move between on-premises resources and the cloud without having to sign in multiple times. You can add a single sign-on solution to an existing Web portal by using the single sign-on software development kit (SSO SDK) provided by the Microsoft Live@edu program. This will let you map on-premises credentials to Windows Live IDs so you can customize your Web portal to enable pre-authentication of users and add an e-mail entry point. Users can then access their cloud-based mailbox from your Web portal without having to provide a different set of credentials.

Note: The SSO SDK includes a complete guide to implementation.

Requirements

The SSO SDK requires the following:

1. All users who access the SSO solution must have credentials in your internal directory service and a Windows Live ID that’s used to access the service.

2. A Web portal where users authenticate.

3. Your domain must have short-lived token (SLT) functionality enabled. Note: We set this up for you after you make your SSO request in the Live@edu Service Management Portal.

The server where you implement the SSO solution has to meet the following requirements.

Prerequisite | Description
Operating system | Windows Server 2003 or Windows Server 2008
Software | Microsoft .NET Framework 2.0 or later
Security certificate | The security certificate is used to authenticate to Windows Live servers.

 

Note: We provide the certificate to you after you make your SSO request in the Live@edu Service Management Portal.

Next steps

In the Live@edu service management portal, select Single sign-on. Then, click Request SSO Support to request the SSO SDK and certificate.

 

After we process your request, we’ll send you an e-mail message that includes instructions about how to download the SSO SDK and certificate. This e-mail will be sent to the administrator account for your domain and any additional contacts on your account record. You can update your account record by signing in to the Live@edu Service Management Portal and clicking Institution Profile. Windows Live ID services will enable SLT functionality for your domain.

For more information about user authentication, see Live@edu Authentication Scenarios.

Managing your security certificate

After you’ve set up SSO, you must keep your certificate current. If the certificate expires, users won’t be able to sign in. Starting a month prior to the expiration date, you’ll receive an e-mail notification with instructions for how to update your certificate. These notifications will be sent to the addresses listed for your domain on the Institution Profile page of the Live@edu Service Management Portal.

To check when your certificate is due to expire, type the Web address of your sign-in page in your browser, click the yellow padlock icon, click View Certificates, and then look in the Valid from field.

 

Live@edu Authentication Scenarios

By default, users with cloud-based mailboxes sign in with their Windows Live ID. However, if your users already have credentials that they use to authenticate to an on-premises directory service, you have several options. Let’s take a look at the various scenarios.

Authentication scenario: Windows Live ID only
Description: Users don’t have authentication credentials that they use to access on-premises resources. Users authenticate using Windows Live ID.
Other considerations: None

Authentication scenario: Separate credentials
Description: Users have on-premises credentials that they use to access on-premises resources, and they have a Windows Live ID that they use to authenticate. User names and passwords have to be managed separately.
Other considerations: This scenario is appropriate when users authenticate to only a few on-premises resources, or when their on-premises user name is a standardized format, such as a student identification number. The Windows Live ID can provide a personalized identity.

Authentication scenario: Single sign-on (SSO)
Description: A single sign-on solution lets users move between on-premises resources and the cloud-based service without having to sign in multiple times. You can use the single sign-on software development kit (SSO SDK) that is provided by the Microsoft Live@edu program to add a single sign-on solution to an existing Web portal. You customize your Web portal to enable pre-authentication of users by mapping on-premises credentials to Windows Live ID and to add an e-mail entry point. Then, users can access their cloud-based mailbox from your Web portal without having to provide a different set of credentials.
Other considerations: Users have to know their Windows Live ID and password to authenticate the first time that they use instant messaging in Outlook Web App. You may want to provide their Windows Live ID and password to new users even if the primary access to the cloud-based service is through your Web portal. If you provision user accounts by using Microsoft Forefront Identity Manager (FIM) 2010, Microsoft Identity Lifecycle Manager (ILM) 2007 FP1 or Outlook Live Directory Sync (OLSync), you can set up the Password Change Notification Service (PCNS) to synchronize Windows Live ID and on-premises passwords.

Authentication scenario: Password synchronization
Description: This option is available if you are using ILM or OLSync to provision user accounts. User account names are typically created to match on-premises credentials, and you use PCNS to synchronize passwords. Password changes that originate in your directory service are propagated to the cloud-based service.
Other considerations: Although the password used to access both on-premises resources and the cloud-based service is the same, users have to re-enter their credentials when they move between environments. For the most seamless user authentication experience, you can combine SSO and PCNS.

 

Next steps

After you decide how to authenticate users, you’re ready to generate a deployment guide. Go to Outlook Live for Live@edu.

Install Steps for Microsoft Live@Edu SSO (Single-Sign-On) on Windows 2008 and Windows 2008 R2

Step 1:

I assume you’ve already registered your site to use SSO with Microsoft and they have sent you a certificate to use. I had to work with them as the cert they sent was invalid, but hopefully you have better luck than I did and it works on the first request. If you haven’t already done this, you must set up the Windows Live ID SSO Kit with Microsoft: go to the Live@edu service management portal (http://eduadmin.live.com/), select Single sign-on, and then click Request SSO Support to request the SSO SDK and certificate.

Download the newest version of the Microsoft Live@Edu SSO kit and extract its contents on the server you are going to configure. All of the following steps are performed on that same server.

http://go.microsoft.com/fwlink/?LinkID=154482&clcid=0x409

 

Step 2: Import the Microsoft certificate

1. Open MMC.

2. Add the Certificates snap-in.

3. Choose Computer account, then Local computer.

4. Navigate to Personal > Certificates.

5. Import the certificate Microsoft sent you for SSO.

·         Mark the key as exportable; no password is needed.

·         After the import, a sapipartner.com entry should be added.

·         Right-click the sapipartner.com entry and choose All Tasks:

o   Manage Private Keys

o   Add Everyone and give it full access.

o   Need to sit down and figure out what is actually needed, but this works.

Install Microsoft Passport RPS (Relying Party Suite)

  • From the extracted folder, install rps64.msi.

·         Warning: You must launch the msi in compatibility mode.

·         Choose Production.

·         RPSServer.xml

·         Leave rpscomponent.xml blank.

·         Leave sitename and everything else blank.

·         Leave DEK and everything else blank.

·         NT AUTHORITY\NetworkService

·         Navigate to c:\Program Files\Microsoft Passport RPS and copy RPSNetwork.xml to c:\Program Files\Microsoft Passport RPS\config.

  • Test Microsoft Passport RPS by running rpsDiag.exe.

·         Click Run.

·         All checks should be green; if not, use the errors to fix the problems until they are all Successful.

 

Install winhttpcertcfg.msi

Open an administrative command prompt in “C:\Program Files (x86)\Windows Resource Kits\Tools” and run the following:

winhttpcertcfg.exe -g -a %ComputerName%\NetworkService -c LOCAL_MACHINE\My -s sapipartner.com

Check that the command reports that private key access was granted for the account NT AUTHORITY\NetworkService.
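The import step above grants Everyone full control of the private key and the winhttpcertcfg step then grants NetworkService as well. The following PowerShell is an added example, not part of the original post or of the SSO kit: it grants only NT AUTHORITY\NETWORK SERVICE read access to the key file and also reports the certificate’s expiry date, which the “Managing your security certificate” section says you must watch. It assumes an elevated prompt, a CSP-based RSA key (the kind winhttpcertcfg handles) and a certificate subject containing sapipartner.com.

```powershell
# Added example (not from the original post): least-privilege key access plus expiry check
# for the SSO certificate imported into LocalMachine\My.
$subject = 'sapipartner.com'                 # assumption: subject of the Microsoft-issued cert
$account = 'NT AUTHORITY\NETWORK SERVICE'    # account RPS and the IIS app pool run as

# Pick the newest certificate for the subject that actually carries a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $subject with a private key in LocalMachine\My" }

# Expiry check: renewal reminders start one month ahead, so warn on the same 30-day window.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host ("Thumbprint {0}  valid to {1}  ({2} days left)" -f $cert.Thumbprint, $cert.NotAfter, $daysLeft)
if ($daysLeft -le 30) { Write-Warning 'Certificate expires within 30 days; request a replacement now.' }

# Resolve the CSP key container to its file under MachineKeys (CSP-based RSA keys only).
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Grant read-only access: the service only needs to use the key, never to modify or export it.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: Everyone should not appear with FullControl; only admins, SYSTEM and the service account.
(Get-Acl $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If the verification table still lists Everyone with FullControl from the MMC step, remove that entry in Manage Private Keys and rerun rpsDiag.exe to confirm the service still reaches the key.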

Create Web Site

  • Install the Web Server (IIS) role.

·         Enable the Management Features.

  • Copy the SSOPortal folder from the extracted Microsoft Live@Edu SSO folder to C:\inetpub\wwwroot\.

  • Edit web.config. This is very important; the extracted Microsoft Live@Edu SSO folder includes notes on what to change.

  • Open IIS Manager.

·         Convert SSOPortal to an application.

·         Change the authentication to Windows Authentication.

·         Disable Anonymous Authentication.

Test the SSOPortal site with http://(servername)/SSOPortal/default.aspx
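The IIS Manager steps above can be scripted and, more importantly, read back to confirm anonymous access is really off before the portal goes live. This PowerShell is an added example, not from the original post or the SSO kit; it assumes the app lives under “Default Web Site”, the folder was copied to C:\inetpub\wwwroot\SSOPortal, and web.config has already been edited per the kit’s notes.

```powershell
# Added example (not from the original post): configure the SSOPortal application with appcmd
# and verify the authentication settings instead of trusting the clicks in IIS Manager.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'                        # assumption: site hosting the portal
$app    = "$site/SSOPortal"
$auth   = 'system.webServer/security/authentication'

# Windows Authentication is an optional IIS role service; add it if missing (ServerManager module, 2008 R2).
if (Get-Module -ListAvailable ServerManager) {
    Import-Module ServerManager
    if (-not (Get-WindowsFeature Web-Windows-Auth).Installed) { Add-WindowsFeature Web-Windows-Auth | Out-Null }
}

# Convert the copied folder into an application; skip if the MMC step already did it.
$existing = & $appcmd list app "$app"
if (-not $existing) {
    & $appcmd add app "/site.name:$site" /path:/SSOPortal /physicalPath:C:\inetpub\wwwroot\SSOPortal
}

# Require Windows Authentication and switch anonymous off, committed to applicationHost.config
# so the setting cannot be overridden from the application's own web.config.
& $appcmd set config "$app" "/section:$auth/windowsAuthentication"   /enabled:True  /commit:apphost
& $appcmd set config "$app" "/section:$auth/anonymousAuthentication" /enabled:False /commit:apphost

# Verify by reading the effective configuration back.
$anon = & $appcmd list config "$app" "/section:$auth/anonymousAuthentication"
$win  = & $appcmd list config "$app" "/section:$auth/windowsAuthentication"
if (($anon -join '') -match 'enabled="false"' -and ($win -join '') -match 'enabled="true"') {
    Write-Host "SSOPortal: Windows auth on, anonymous off. Test http://$env:COMPUTERNAME/SSOPortal/default.aspx"
} else {
    Write-Warning 'Authentication settings did not apply as expected; inspect the appcmd output above.'
}
```

An unauthenticated request to default.aspx should now receive HTTP 401 rather than the page, which is the quickest check that the anonymous setting took effect.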

 

Warning: The following was only needed for Windows 2008 R2.

  • Open MMC (fix only for 2008 R2).

·         Add the “Component Services” snap-in.

·         Expand the tree to DCOM Config.

·         Open the properties of RPSSvc.

o   Under Security, give Everyone full access.

o   Need to sit down and figure out what is actually needed, but this works.

 

About thangletoan

Hallo Aloha

Posted on 28/06/2012, in Live@edu, SSO, Windows Server 2008, Windows Server 2008 R2. 1 reply.

  1. It is truly a nice and helpful piece of info. I’m happy that you shared this useful information with us. Please keep us up to date like this. Thank you for sharing.
