Installing and Licensing EmpowerID

A typical installation of EmpowerID involves restoring the EmpowerID database to your SQL server, extracting the EmpowerID.msi, making a few installation option choices in the installation wizard, and using the EmpowerID Local Settings Tool to license your copy of EmpowerID as well as to configure default email settings, certificates, IIS Web Sites, and the EmpowerID Windows services.

The User Account Control (UAC) in Windows must be turned off for the installation of EmpowerID. All settings should be disabled in secpol.msc before proceeding.
Please note that installing EmpowerID on a domain controller or on the same server that houses the EmpowerID SQL database is not supported in a production environment.
To ensure a smooth install, make sure EmpowerID files, including websites and programs, are excluded from anti-virus scanning software settings.

To install and license EmpowerID

  1. From the EmpowerID build folder, copy the EmpowerID Database .bak file to the server hosting your SQL Server.
  2. From SQL Server, restore the EmpowerID Database. The user account must have the right to restore a SQL database.

  3. Back in the EmpowerID build folder, double-click the EmpowerID Server installation file to extract the EmpowerID.msi.
  4. After extracting the MSI, the InstallShield Wizard for EmpowerID opens. Click Next to begin the installation.
  5. Accept the license agreement and click Next to continue.
  6. .

  7. Review the path where EmpowerID will be installed and click Next. If you want to install EmpowerID in a different directory, click the Change button to choose a new path and then click Next.
  8. Click Install to begin the installation.
  9. Wait for the Server Setup to complete the installation and then click Finish.
  10. This opens the EmpowerID Configurator, which you use to connect EmpowerID to your SQL server, license your copy of EmpowerID, and configure default email settings, certificates, IIS Web Sites, and the EmpowerID Windows services.

  11. From the General Settings pane of the EmpowerID Configurator, do the following:
    1. In the SMTP Server field, type the FQDN of the Exchange server EmpowerID should use for sending any automated emails generated by the system.
    2. In the Email Address field, type the default email address EmpowerID should use for sending any automated emails generated by the system.
    3. Type the licensing key you received from EmpowerID in the License Key field and then click the Add License File (...) button.
    4. In the Open File dialog that appears, locate and select the EmpowerID License File (.eidlic) you received from EmpowerID and then click Open.
  12. From the SQL Connection pane of the EmpowerID Configurator, do the following:
    1. Type the name or IP address of the SQL server you are using for EmpowerID in the Server Name field.
    2. Underneath Authentication, select Windows Authentication.
    3. Select the EmpowerID database from the Database Name drop-down.
    4. Test the connection by clicking Test Connection.
    5. Click OK to close the connection message.
  13. From the Web Server pane of the EmpowerID Configurator, do the following:
    1. Type the FQDN of your EmpowerID Web server in the Web Server URL field. Be sure to use the https scheme.
    2. Select an existing Web site to host the EmpowerID Web application from the IIS Website drop-down or enter a name to create a new site. By default, EmpowerID selects the Default Web site.
    3. Under SSL Certificate, click Browse, choose whether to select the SSL certificate from the local certificate store or browse for the certificate PFX file and then click OK.
    4. Locate and select the SSL certificate you want to use to encrypt and decrypt EmpowerID communications and click Open. In the below image, we selected a PFX file stored on the local machine.
    5. Type the certificate password in the Password field of the Enter Certificate Password dialog and click OK.
    6. You can generate a test certificate by clicking the Generate button. Certificates generated in this way should not be used in production.
    7. Under Federation Certificate, click the Browse button and select the STS certificate EmpowerID should use for signing SAML assertions. The format for the certificate is PFX.
    8. This certificate can be the same certificate as the one you selected for SSL.
    9. Type the certificate password in the Password field of the Enter Certificate Password dialog and click OK.
    10. Type the user name and password for the account running the application pools in the Username and Password fields, respectively. This account must have the appropriate access levels to read from and write to the EmpowerID Identity Warehouse.
  14. From the Web Applications pane of the EmpowerID Configurator, do the following:
    1. Underneath Internal Web Applications, select each EmpowerID Web application you want to install on the Web server. These applications include the following:
      • Exchange Services - This application manages all Exchange-related requests.
      • Web Services - This application manages all WCF service calls not handled by other EmpowerID services.
      • Workflow Web Services - This application manages all traffic related to workflow requests made to EmpowerID.
      • SQL Web Services - This application manages all SQL over WCF traffic.
      • Web Service Garden - This application manages any EmpowerID processes that need to scale based on load, spooling up multiple worker threads to distribute the load and provide high availability.
    2. Underneath External Web Applications, select each EmpowerID Web application you want to install on the Web server. These applications include the following:
      • Service Provider - This application manages all EmpowerID Service Provider traffic for the EmpowerID Web application.
      • API - This application provides the functionality for making Web API calls to EmpowerID.
      • Web CDN - This application contains the CSS, Image and script files used by the EmpowerID Web application.
      • Reporting Services - This application provides the functionality for integrating and managing Microsoft Reporting Services with EmpowerID.
      • If desired, you can edit the default Web Application Name for each external web application to match your branding. To do so, double-click the field that corresponds to the web application you want to change and enter the new name.
    3. Underneath Identity Providers, select each identity provider application you want to install on the Web server. These applications include the following:
      • OAuth - Provides support for OAuth.
      • Forms IdP - Provides support for native forms authentication to the EmpowerID SP.
      • Windows IdP - Provides support for Windows authentication to the EmpowerID SP.
      • SmartCard IdP - Provides support for SmartCard certificate-based authentication to the EmpowerID SP.
      • WSFederation IdP - Internally handles packet traffic sent to EmpowerID from WS-Federation service providers.
      • If desired, you can edit the default name for each identity provider to match your branding. To do so, double-click the field that corresponds to the identity provider you want to change and enter the new name.
  15. From the Services pane of the EmpowerID Configurator, do the following:
    1. Underneath Identity Providers, select each EmpowerID Windows service you want to install on the server, providing the user name and password for the identity that is to run each. These services include the following:
      • EmpowerID Web Role Service - This service is required on all EmpowerID Web servers and is responsible for managing workflow-related services and global assembly cache content synchronization.
      • EmpowerID Worker Role Service - This service must be on a server with IIS installed and is responsible for processing the EmpowerID Web Service Garden as well as running scheduled EmpowerID jobs and long running tasks, such as RBAC security compilation and inventory processing.
      • EmpowerID Radius Service - This service provides RADIUS authentication for routers, switches and other RADIUS-compliant devices.
    2. If you are using Reporting Services for EmpowerID reports, underneath Reporting Services do the following:
      1. Type your report server web service URL in the Report Server URL field.
      2. Type the report server folder name in the Report Server Folder field.
      3. Specify the SAML service provider connection for SSRS in the SAML Connection field.
  16. From the Miscellaneous pane of the EmpowerID Configurator do the following:
    1. If you want to use a separate CDN (Content Delivery Network) in place of your default EmpowerID Web server to deliver the CSS, image and script files used by the EmpowerID Web application, type the URL to the CDN in the CDN Server URL field. You can deploy EmpowerID's static content to a separate, resolvable server (with a different DNS), or you can deliver the content to a true CDN with replication and geographical load-balancing, such as those offered by AWS or Azure. Using a separate CDN in this way can improve response times because the browser caches the content and EmpowerID refrains from sending cookies on each call (as it does in the default configuration).
    2. Deselect Enable Minification if you do not want to minify the CSS and JavaScript files. Please note that minification is recommended.
  17. Optionally, from the Export Options pane, do the following:
    1. Select each file you want to export.
    2. Click the EmpowerID MSI ellipsis (...) button and browse to the EmpowerID MSI file location on your server.
    3. Select the MSI and click Open.
    4. Select the folder for the exported files by clicking the Output Folder ellipsis (...) button and browsing to the desired folder.
    5. Click Export.
    6. Click OK to close the Export Success message.
    7. Exporting files in this way is useful if you need to import your configuration settings when re-installing EmpowerID or installing EmpowerID on another server.
  18. After completing the configuration settings, click Save.
  19. Click OK to close the Settings Saved message.
  20. Click Close to close the EmpowerID Configurator.
Once you have completed the installation of EmpowerID, you need to verify the EmpowerID Web Role service is running to allow EmpowerID to GAC the necessary DLLs. This process can take up to eight minutes. Once the DLLs have been GAC'd, you should start the EmpowerID Worker Role. Additionally, you will need to start the EmpowerID Radius service if you are using this feature in EmpowerID.
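
Before selecting a PFX file as the SSL Certificate or Federation Certificate in the Web Server pane (step 13), you can inspect it from PowerShell on the server. The following is an added example, not EmpowerID code; the function name `Test-PfxForDeployment`, the 30-day and 2048-bit thresholds, and the sample path are assumptions.

```powershell
# Added example (not part of EmpowerID): pre-flight checks on a PFX file.
# Test-PfxForDeployment and its default thresholds are hypothetical.
function Test-PfxForDeployment {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $MinDaysValid = 30,    # assumed renewal margin
        [int] $MinRsaBits   = 2048   # assumed minimum RSA key size
    )
    $x509  = 'System.Security.Cryptography.X509Certificates'
    $full  = (Resolve-Path -LiteralPath $Path).Path
    # DefaultKeySet without PersistKeySet: the key is not kept after the object is released.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert  = New-Object "$x509.X509Certificate2" -ArgumentList $full, $Password, $flags
    try {
        $issues = @()
        $now    = Get-Date
        # Both TLS and SAML assertion signing need the private key.
        if (-not $cert.HasPrivateKey) { $issues += 'PFX contains no private key' }
        if ($now -lt $cert.NotBefore) { $issues += 'certificate is not yet valid' }
        if ($now -gt $cert.NotAfter)  { $issues += 'certificate has expired' }
        elseif (($cert.NotAfter - $now).TotalDays -lt $MinDaysValid) {
            $issues += "certificate expires within $MinDaysValid days"
        }
        # Heuristic: subject equal to issuer usually means a self-signed test certificate.
        if ($cert.Subject -eq $cert.Issuer) { $issues += 'self-signed (test certificate?)' }
        if ($cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
            $issues += "weak signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
        }
        # GetRSAPublicKey returns $null for non-RSA (for example ECDSA) certificates.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt $MinRsaBits) {
            $issues += "RSA key is only $($rsa.KeySize) bits"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Issues     = $issues
            Pass       = ($issues.Count -eq 0)
        }
    }
    finally { $cert.Reset() }   # release the certificate and its temporary key
}

# Usage (the path is a placeholder):
# $pw = Read-Host -AsSecureString 'PFX password'
# Test-PfxForDeployment -Path 'C:\certs\placeholder.pfx' -Password $pw
```

Run it once for each PFX you plan to select; if the same certificate serves both SSL and federation, a single pass covers both.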