
Best practices setting up Federated authentication with SAML to work with Snow License Manager

Discussion created by stefan.ahsberg1 on Mar 27, 2019
Latest reply on Jul 26, 2019 by kishan.pant@chemtrolsinfotech.com

When you want to set up Federated Authentication with SAML to secure access to your Snow License Manager server, your first stop should be the user guide on the topic for Snow License Manager 9 (link: SLM9_UG_Federatedauthentication).

Note: the guide specifies Snow License Manager Enterprise Edition 8.1.1 or higher. For the purpose of this article, SLM 9.0.1, installed on-premise, was used. Also, SAML is currently not supported on SPE; for more information please see:
https://community.snowsoftware.com/ideas/1292
https://community.snowsoftware.com/message/21449-single-sign-on-sso-options-for-snow

 

Having read the guide, your next step will probably be to create a user for Snow License Manager in SMACC. The username must match exactly the username that the Identity Provider will send in the SAML assertion; best practice is to use the email address as the username.

A couple of additions need to be made to the web.config file in the web root folder of your Snow License Manager installation; the user guide lists which they are and which section each goes in.

The guide also contains examples for several of the Identity Providers that Snow supports integration with, including the different settings you can configure in the SAML configuration file (e.g. snow.saml.config).

This SAML configuration file must be placed in the Web folder of your Snow License Manager installation directory. The default path is C:\Program Files\Snow Software\Snow License Manager\Web.

 

Below is an example configuration file using Shibboleth (the TestShib test Identity Provider) with a private key from the Snow License Manager server's local certificate store. The ServiceProvider Name is the entity ID of your SLM server, and LocalCertificateThumbprint identifies the certificate in the Local Computer store (40 hex characters; the value below is only a placeholder):

<?xml version="1.0"?>
<Configuration>
    <ServiceProvider Name="https://your-slm-server.com"
                     LocalCertificateThumbprint="1234ABCD5678EFGH9012IJKL3456MNOP7890QRST" />
    <Profiles>
        <Profile Name="https://idp.testshib.org/idp/shibboleth"
            SignAuthnRequest="true"
            WantSAMLResponseSigned="true"
            WantAssertionSigned="true"
            WantAssertionEncrypted="true"
            UseEmbeddedCertificate="true"
            SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
            SingleSignOnServiceUrl="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
            />
    </Profiles>
</Configuration>

Please note that several optional settings from the user guide example have been omitted above simply because they carry no value, i.e. "". Also note that the SignatureMethod above is rsa-sha1; SHA-1 is deprecated for XML signatures, so use http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 whenever your Identity Provider supports it. Watch out for stray characters when copying the file from a document: a single "<" or a doubled quote inside an attribute makes the file unparseable.
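The following PowerShell function is an added example, not part of the original post or of Snow's own tooling. It sanity-checks a snow.saml.config of the shape shown above before you restart IIS: well-formed XML, a clean https entity ID, a 40-hex-character thumbprint that resolves to a certificate with a private key in the Local Computer store, the signing flags set to true, an https SSO URL, and the deprecated SHA-1 signature method. The function name, the sample file written to %TEMP% and the exact checks are assumptions made for this example.

```powershell
# Added example (not from the Snow guide): sanity-check a snow.saml.config before running iisreset.
# Assumptions: the file has the XML shape shown above and the signing certificate is in Cert:\LocalMachine\My.
function Test-SnowSamlConfig {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $findings = New-Object System.Collections.Generic.List[string]

    # A stray '<' or a doubled quote inside an attribute makes the file unparseable,
    # and federated sign-on will not start at all.
    try {
        [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    } catch {
        $findings.Add("Not well-formed XML: $($_.Exception.Message)")
        return $findings
    }

    $sp = $cfg.SelectSingleNode('/Configuration/ServiceProvider')
    if (-not $sp) { $findings.Add('Missing <ServiceProvider> element'); return $findings }

    $entityId = $sp.GetAttribute('Name')
    if ($entityId -notmatch '^https://[A-Za-z0-9.\-]+(:\d+)?(/[^\s"<>]*)?$') {
        $findings.Add("ServiceProvider Name is not a clean https URL: '$entityId'")
    }

    # The thumbprint is the SHA-1 of the certificate: exactly 40 hex characters.
    # Copying from the certificate UI often drags whitespace along, so strip that first.
    $thumb = ($sp.GetAttribute('LocalCertificateThumbprint') -replace '\s', '').ToUpper()
    if ($thumb -notmatch '^[0-9A-F]{40}$') {
        $findings.Add("LocalCertificateThumbprint is not 40 hex characters: '$thumb'")
    } else {
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert) {
            $findings.Add("No certificate with thumbprint $thumb in LocalMachine\My")
        } elseif (-not $cert.HasPrivateKey) {
            $findings.Add("Certificate $thumb has no private key; request signing and assertion decryption cannot work")
        }
    }

    foreach ($p in $cfg.SelectNodes('/Configuration/Profiles/Profile')) {
        $n = $p.GetAttribute('Name')
        foreach ($flag in 'SignAuthnRequest', 'WantSAMLResponseSigned', 'WantAssertionSigned') {
            $v = $p.GetAttribute($flag)
            if ($v -ne 'true') { $findings.Add("Profile '$n': $flag should be true (is '$v')") }
        }
        if ($p.GetAttribute('SignatureMethod') -match 'sha1$') {
            $findings.Add("Profile '$n': SignatureMethod uses SHA-1; prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 if the IdP accepts it")
        }
        if ($p.GetAttribute('SingleSignOnServiceUrl') -notmatch '^https://') {
            $findings.Add("Profile '$n': SingleSignOnServiceUrl must be an https URL")
        }
    }
    return $findings
}

# Demo on a constructed copy of the example above: the placeholder thumbprint (not hex) and the
# rsa-sha1 setting are both expected to be reported. For a real check, point -Path at
# C:\Program Files\Snow Software\Snow License Manager\Web\snow.saml.config instead.
$sample = @'
<?xml version="1.0"?>
<Configuration>
  <ServiceProvider Name="https://your-slm-server.com"
                   LocalCertificateThumbprint="1234ABCD5678EFGH9012IJKL3456MNOP7890QRST" />
  <Profiles>
    <Profile Name="https://idp.testshib.org/idp/shibboleth"
             SignAuthnRequest="true" WantSAMLResponseSigned="true" WantAssertionSigned="true"
             WantAssertionEncrypted="true" UseEmbeddedCertificate="true"
             SignatureMethod="http://www.w3.org/2000/09/xmldsig#rsa-sha1"
             SingleSignOnServiceUrl="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" />
  </Profiles>
</Configuration>
'@
$sampleFile = Join-Path $env:TEMP 'snow.saml.config.sample'
Set-Content -LiteralPath $sampleFile -Value $sample
Test-SnowSamlConfig -Path $sampleFile
```

An empty result means nothing obvious is wrong with the file; every finding is a string you can act on before touching IIS. The certificate checks only work when run on the SLM server itself, since they look in that machine's Local Computer store.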



Another best practice is to verify that the application pool identity of the Snow License Manager website (normally NETWORK SERVICE) has Read permission on the private key of the certificate referenced by the thumbprint. If it does not, you need to add it.

This can be done in the Microsoft Management Console with the Certificates snap-in for the Local Computer (right-click the certificate, All Tasks > Manage Private Keys). If the permission is missing, SLM cannot use the key to sign requests or decrypt assertions, and a typical symptom is that you see the Snow License Manager login page instead of the Identity Provider's login page.
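The same check and fix from PowerShell, as an added example that is not part of the original post or of Snow's tooling. It resolves the certificate's on-disk key container (CNG keys under Crypto\Keys, legacy CAPI keys under Crypto\RSA\MachineKeys), reports whether the given identity already has Read on it, and otherwise adds an Allow Read rule. The function name, the default identity and the assumption that the certificate is an RSA key in the Local Computer store are this example's own; run it elevated on the SLM server, first with -WhatIf.

```powershell
# Added example (not from the Snow guide): grant the IIS application pool identity Read access to
# the SAML certificate's private key, or report that it already has it.
# Assumptions: the certificate is in Cert:\LocalMachine\My, uses an RSA key, and the key file sits in
# one of the two Windows machine key stores (CNG: Crypto\Keys, CAPI: Crypto\RSA\MachineKeys).
function Grant-SlmPrivateKeyRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # Use 'IIS AppPool\<pool name>' instead if the SLM site does not run as NETWORK SERVICE.
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the LocalMachine store" }

    # Resolve the key container file name. CNG keys expose it as Key.UniqueName,
    # CAPI keys as CspKeyContainerInfo.UniqueKeyContainerName.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Private key of $Thumbprint is not accessible to this process (run elevated)" }
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }

    $keyFile = @(
        "$env:ProgramData\Microsoft\Crypto\Keys\$name",
        "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name"
    ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "Could not find key file '$name' under $env:ProgramData\Microsoft\Crypto" }

    # Read on the key file is what "Manage Private Keys" grants; check for an existing Allow rule first.
    $acl = Get-Acl -LiteralPath $keyFile
    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $has = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band $readRight) -eq $readRight)
    }
    if ($has) { Write-Output "$Identity already has Read on $keyFile"; return }

    if ($PSCmdlet.ShouldProcess($keyFile, "grant Read to $Identity")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $keyFile -AclObject $acl
        Write-Output "Granted Read on $keyFile to $Identity"
    }
}

# Dry run first (prints what would change), then run again without -WhatIf to apply.
# Replace the placeholder with the thumbprint from your snow.saml.config.
Grant-SlmPrivateKeyRead -Thumbprint '1234ABCD5678EFGH9012IJKL3456MNOP7890QRST' -WhatIf
```

Granting Read only, to the one identity that runs the site, keeps the key private: do not hand the key file to Everyone or Users to make the error go away.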

 

After changing web.config and adding the SAML configuration file you need to restart the Snow License Manager IIS website. Best practice is to run "iisreset" from an elevated command prompt, after which things should work as expected when you browse to your SLM server.

If you need to bypass federated authentication, you can force a local logon by browsing to:
https://localhost/Pages/Login.aspx?ForceLocalLogon=true
(replace localhost with the address of your Snow License Manager server)

 

If you run into problems while setting up federated authentication and need to contact Snow support, please provide the following files in addition to your problem description:

  • Web.config file (C:\Program Files\Snow Software\Snow License Manager\Web)
  • SAML-config file (C:\Program Files\Snow Software\Snow License Manager\Web)
  • Security log file (C:\Program Files\Snow Software\Snow License Manager\Web\Logs\Security)
  • Error log file (C:\Program Files\Snow Software\Snow License Manager\Web\Logs\Error)

 

Good luck with setting up Federated Authentication in your environment!