KB-Sync1
Archer Employee

Article Number

000036280


Applies To


Product(s): Archer
Version(s): All Versions
Primary Deployment: On Premises

Description


There are two main use cases for setting up mutual authentication with a client certificate:
  1. Added security between the user and the Archer server. In other words, Archer needs to trust the user who is logging in, so the user must present a client certificate that Archer (via IIS) already knows about.
  2. Single Sign On using an HTTP header. The client presents the username in an HTTP header and never sends a password to Archer; Archer lets the user in as long as that user is defined within Archer, with no further authentication. Because Archer trusts the header value as-is, anyone who can reach the Archer URL and set the header could log in as any defined user, so requiring a client certificate in front of the header check is what makes this a secure way to access Archer.
This article describes the process of using an HTTP header to pass user details to Archer, installing client certificate authentication in IIS, importing the certificate into IIS, and configuring the Archer application to work with client authentication.
 

Resolution


Section 1. Set up the HTTP header on Archer
  1. Log in to the Archer server through RDP and open the Archer Control Panel.
  2. Double-click the instance name, e.g. Archer.
  3. Go to the Single Sign On section.
  4. Select HTTP Header and select Allow manual bypass. Then fill in the parameters:
  • Username parameter, e.g. XXXXXXX (the name of the HTTP header whose value Archer will treat as the username)
  • (Optional) Domain parameter. Only needed if you are performing LDAP sync from Archer to an LDAP source (AD).
[Screenshot: 0EMVM000006zRW5.png]
5. Click Save All to save the changes.
6. As part of validating the client certificate, the Archer server downloads the certificate revocation list (CRL) of the issuing CA. If the Archer server has to go through a proxy to reach the Internet, configure the proxy server settings under Installation Settings -> Proxy.
7. Following step 6, also configure the proxy for Windows in general (IE -> Internet Options -> Connections -> LAN Settings) so that Windows itself can reach the CRL distribution point.

Section 2: Install client certificate mapping authentication in IIS
1. Log in to the Archer server through RDP and open Server Manager.
2. Go to Manage -> Add Roles and Features.
[Screenshot: 0EMVM000006zTUf.png]
3. Click Next until you reach the Server Roles page.
4. Expand Web Server (IIS) -> Web Server -> Security and select IIS Client Certificate Mapping Authentication and Client Certificate Mapping Authentication.
[Screenshot: 0EMVM000006zNNe.png]
5. Continue to click Next and install the features. The one-to-one mapping configured in Section 3 uses IIS Client Certificate Mapping Authentication (mappings stored in the IIS configuration); Client Certificate Mapping Authentication is the Active Directory based variant.

Section 3: Import the certificate into IIS
1. Produce the client certificate with your tool of choice and export it in Base-64 encoded X.509 (PEM) format. Note that the copy exported here contains the public key only; the private key stays with the user (see Section 5). Remove the header and footer lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and all line breaks so that the Base-64 body is a single line; this single-line string is what the IIS mapping expects in its certificate field.
[Screenshot: 0EMVM000006zVbJ.png]
[Screenshot: 0EMVM000006zJTj.png]
 
2. Go to IIS Manager -> <server> -> Default Web Site -> Configuration Editor -> system.webServer -> security -> authentication -> iisClientCertificateMappingAuthentication.
[Screenshot: 0EMVM0000071817.png]

3. Set enabled to True, manyToOneCertificateMappingsEnabled to True and oneToOneCertificateMappingsEnabled to True. (Only the one-to-one mapping is populated in the steps below.)
[Screenshot: 0EMVM00000718An.png]

4. Select oneToOneMappings and click the "..." icon on the right-hand side.
[Screenshot: 0EMVM00000718M5.png]

5. Click Add.
[Screenshot: 0EMVM00000715GA.png]

6. Paste the single-line certificate from step 1 into the certificate field. Then enter the username and password of the service account that runs the Archer application pool; a request that presents this certificate is authenticated by IIS as that Windows account. Click the "x" to close the window. (IIS stores the password attribute encrypted in applicationHost.config.)
[Screenshot: 0EMVM00000719A5.png]

7. Click Apply to save the changes.
[Screenshot: 0EMVM000007198Z.png]
Section 4: Configure the Archer application to work with client authentication

1. Go to IIS Manager -> <server> -> Default Web Site -> Archer.
2. Make the following changes in the following sections (the screenshots show the sample settings used for the Archer folder):
[Screenshot: 0EMVM0000071AR7.png]

SSL Settings
[Screenshot: 0EMVM0000071CCn.png]
[Screenshot: 0EMVM00000717Jc.png]

Authentication
[Screenshot: 0EMVM00000715rG.png]
[Screenshot: 0EMVM0000071DdV.png]

Configuration Editor -> iisClientCertificateMappingAuthentication
[Screenshot: 0EMVM0000071ET7.png]
[Screenshot: 0EMVM0000071FPB.png]
3. Open a command prompt and run: iisreset
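The same Section 3 and Section 4 steps, scripted with the IIS WebAdministration module so they can be reviewed and repeated. This is an added example, not a script from the Archer article or from Archer; the PEM path, site name, application path and service-account name are placeholders to replace. It enables only the one-to-one mapping (the mapping type this procedure actually populates), and it assumes the SSL Settings in the screenshots are "Require SSL" with client certificates set to "Require"; the Authentication pane settings from the screenshots are not reproduced here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Archer article): automate Section 3 (one-to-one
# certificate mapping on the site) and Section 4 (SSL settings on the Archer
# application). Run on the Archer web server in an elevated PowerShell.
Import-Module WebAdministration

$PemPath    = 'C:\certs\archer-client.cer'      # assumption: Base-64 (PEM) public certificate
$Site       = 'Default Web Site'                 # assumption: site hosting Archer
$App        = "$Site/Archer"                     # assumption: Archer application path
$SvcAccount = 'CORP\svc-archer-apppool'          # assumption: app-pool service account
$SvcPass    = Read-Host -Prompt 'Password for the app-pool service account' -AsSecureString

# Section 3 step 1: reduce the PEM to one Base-64 line (no header/footer, no line breaks).
$pem = Get-Content -Path $PemPath -Raw
$b64 = ($pem -replace '-----BEGIN CERTIFICATE-----', '' `
             -replace '-----END CERTIFICATE-----', '' `
             -replace '\s', '')

# Sanity check: the string must decode to an X.509 certificate, and it must be
# the public-only copy (the private key belongs on the user's machine, Section 5).
$bytes = [Convert]::FromBase64String($b64)
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
if ($cert.HasPrivateKey) { throw 'The mapping needs the public certificate only' }
Write-Host "Mapping certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

$plain = [System.Net.NetworkCredential]::new('', $SvcPass).Password

# Section 3 steps 2-7: enable IIS client certificate mapping on the site and add
# the one-to-one mapping. IIS stores the password attribute encrypted in
# applicationHost.config.
$authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter $authFilter -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter $authFilter -Name 'oneToOneCertificateMappingsEnabled' -Value $true
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter "$authFilter/oneToOneMappings" -Name '.' `
    -Value @{ enabled = 'True'; userName = $SvcAccount; password = $plain; certificate = $b64 }

# Section 4: on the Archer application, require TLS and a client certificate
# (assumed SSL Settings) and enable the mapping at the application level too.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $App `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $App `
    -Filter $authFilter -Name 'enabled' -Value $true

# Section 4 step 3
iisreset
```

The mapping is committed to applicationHost.config; if a mapping for the same certificate already exists, Add-WebConfigurationProperty fails rather than silently duplicating it, so remove the old entry first when rotating the client certificate.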

 
Appendix A: Requirements for the client certificate and its usage
The client certificate presented to IIS must meet the following requirements:
1. It carries the Client Authentication purpose (extended key usage).
[Screenshot: 0EMVM0000071BIN.png]

2. It is signed by an internal CA or an external CA that the Archer server trusts.
[Screenshot: 0EMVM0000071GjR.png]

3. If it is signed by an external CA, the Archer server needs access to the Internet (directly or through the proxy configured in Section 1) to retrieve the certificate revocation list; otherwise the revocation check cannot complete and the certificate is not accepted.

Section 5: Testing - using the client certificate to authenticate to Archer
1. Import the certificate into the Personal store of the user account that will log in. This copy must contain the private key (unlike the public-only copy imported into IIS in Section 3).
[Screenshot: 0EMVM00000716NX.png]
[Screenshot: 0EMVM0000071IV7.png]
2. Browse to Archer using the normal URL (https://<server>/Archer). You will be prompted to present the certificate you imported.
[Screenshot: 0EMVM0000071IoT.png]
3. Select the certificate and click OK. You should now see the Archer login screen and can proceed to log in.
[Screenshot: 0EMVM0000071G9z.png]
4. When HTTP header Single Sign On is used, you are logged in to Archer immediately as long as the HTTP header named in Section 1 contains a valid Archer username. For testing you can use a Chrome extension such as ModHeader to add the header to the request. In production the header must be set by the trusted component in front of Archer; any client that holds a mapped certificate can set it, which is why the certificate requirement is what protects this login path.
[Screenshot: 0EMVM0000071JMM.png]
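A scripted version of the Appendix A checks and the Section 5 test, run from the test user's workstation. This is an added example, not from the Archer article or from Archer; the thumbprint, Archer URL, header name (the "Username parameter" from Section 1) and username are placeholders. It verifies the Client Authentication EKU, builds the chain with an online revocation check as IIS does, and then sends three requests: without a certificate (should be refused), with the certificate (login page), and with the certificate plus the SSO header.

```powershell
# Added example (not from the Archer article): validate a client certificate
# against the Appendix A requirements and exercise the Archer URL with it.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: thumbprint of the test certificate
$ArcherUrl  = 'https://archer.corp.example/Archer/'          # assumption: Archer URL
$HeaderName = 'X-Archer-User'                                # assumption: the Username parameter from Section 1
$UserName   = 'jdoe'                                         # assumption: a user defined in Archer

# Section 5 step 1: the certificate must be in the user's Personal store with its private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the TLS handshake cannot complete' }

# Appendix A requirement 1: Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')
if (-not $hasClientAuth) { throw 'Certificate lacks the Client Authentication purpose' }

# Appendix A requirements 2 and 3: chains to a trusted CA and the CRL check
# succeeds online, which is what IIS performs when it validates the certificate.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.2'))
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Chain build or revocation check failed (is the CRL distribution point reachable?)'
}
Write-Host "Certificate OK: $($cert.Subject), issued by $($cert.Issuer)"

# Section 5 steps 2-3. With "Require client certificates" on the Archer
# application, a request without one must be refused by IIS.
try {
    $noCert = Invoke-WebRequest -Uri $ArcherUrl -UseBasicParsing -ErrorAction Stop
    Write-Warning "Request without a certificate succeeded (HTTP $($noCert.StatusCode)); check SSL Settings on the Archer application"
} catch {
    Write-Host "Without certificate: refused as expected ($($_.Exception.Message))"
}
$withCert = Invoke-WebRequest -Uri $ArcherUrl -Certificate $cert -UseBasicParsing
Write-Host "With certificate: HTTP $($withCert.StatusCode) (Archer login page expected)"

# Section 5 step 4: HTTP header SSO. The header is only safe to trust because
# the TLS layer has already rejected every client without a mapped certificate.
$sso = Invoke-WebRequest -Uri $ArcherUrl -Certificate $cert -Headers @{ $HeaderName = $UserName } -UseBasicParsing
Write-Host "With certificate and $HeaderName header: HTTP $($sso.StatusCode)"
```

If the chain build fails only with a revocation status while the certificate is otherwise trusted, the CRL download is the problem; that is the case Section 1 steps 6 and 7 (proxy settings) are meant to fix on the server side.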

Version history
Last update: 2024-09-21 06:57 AM