Application Configuration Settings

To register an application for use with EmpowerID, you must first create a record for the application in the EmpowerID Identity Warehouse and specify the appropriate configuration settings for it. You do this by accessing the Application Management page and clicking the Create Application action link. Doing so opens the Create Application page. The Create Application page contains numerous tabs and fields for providing EmpowerID with all the relevant information about the application. This topic provides an overview of this page.

The following image shows the Create Application page that appears when registering an application in EmpowerID.

The page's form is divided into the following sections:

  • General Settings - This section provides fields for specifying general application settings common to most application types.
  • Single Sign-On Settings - If the application is a service provider that requires users to authenticate before they can access its resources, you use this section to configure Single Sign-On (SSO) for the application.
  • Users Settings - This section provides settings for linking the application with an account directory.
  • Group Settings - This section provides settings for adding existing groups to the application.
  • Application Subcomponents Settings - This section provides settings for adding child applications, pages, controls, reports and more to the application, when applicable. If the application has subcomponents, registering them here lets you secure each one individually, so access to parts of the application can be restricted or delegated separately from access to the application as a whole.

General Settings

This section provides fields for specifying general application settings common to most application types.

  • Name - This is the name of the application. This field is required.
  • Display Name - This is the name of the application that displays to users on the EmpowerID User Interfaces. This field is required.
  • Description - This is a description of the application. This field is required.
  • Icon - This is the icon associated with the application. EmpowerID shows it on the application tile that users click to open the application once they have been granted an account for it; the URL entered here is the image that tile displays.
  • Allow Access Requests - Specifies whether the application appears in the IT Shop. Items in the IT Shop can be requested and/or claimed by users.
  • Allow Claim Account - Specifies whether users can claim ownership of an existing application account from the IT Shop. A user who claims an account must supply the login they use for the SSO application, because EmpowerID passes that login to the application in its assertion of the user's identity. If the login is incorrect, the application rejects the assertion. Note that claiming links an application account to an EmpowerID identity on the user's own say-so; the login the user supplies is the only check that the account is really theirs.
  • SSO Enabled - Specifies whether the application is an SSO app.
  • Requires Account For SSO - Specifies whether a user must already hold an account in the application before EmpowerID will sign that user in to it.
  • Allow Request Account - Specifies whether users can request an account in the application. All account requests route to the application owner and other delegated users with the authority to provision new accounts in the application.
  • Login Is Email Address - Specifies whether the application expects usernames to be formatted as email addresses.
  • Make me the Application Owner - Specifies whether the person creating the application is the application owner. Application owners can grant or deny access requests.
  • Configure Advanced Claim and Request Account Options - Specifies whether custom pages and workflows are to be used for claiming, requesting, editing and deleting application accounts. If this option is selected, the page displays additional settings that can be used for setting the custom pages and workflows to be used.

Single Sign-On Settings

If the application is a service provider that requires users to authenticate before they can access its resources, you can configure Single Sign-On (SSO) for the application from this section of the form.

  • Single Sign-On Connection Type - Specifies the SSO connection type for the application, when applicable. Depending on the type selected, the form provides different options.
    • Browser Extension SSO - Used to allow users to SSO into their personal applications without requiring federation between those applications and EmpowerID. The Browser Extension SSO application "learns" the login screen for any Web application and allows users to vault their credentials for those applications for easy SSO.
    • Password Vault - Used for applications that do not support SAML or WS-Federation and instead require users to submit their credentials through a form on a Web site before access is granted.
      For Password Vault applications, EmpowerID stores the username and password for each user's account in that application in the EmpowerID Identity Warehouse. When a user opens a Password Vault application from EmpowerID, EmpowerID submits the stored username and password to the application's login form with an HTTP POST. EmpowerID does not learn of password changes made in the application itself: if a user changes the password there, the vaulted password must also be updated in EmpowerID, or the next login attempt fails.

      When registering a Password Vault application in EmpowerID you are presented with the following configuration settings:

      • Password Vault Application Template - EmpowerID provides a number of Password Vault application templates out of the box that can be quickly configured for your specific implementations of each application. These templates include the following:
        • Final Builder
        • GoToMeeting
        • Jira
        • Jive Community Site
        • Salesforce
      • Certificate - This specifies the certificate used to sign the SAML assertion passed to EmpowerID.
      • Application-Specific Config - This is XML-formatted text used to specify the unique logon page URL for the organization's application instance.
    • SAML - Used for integrating applications that accept SAML transactions for identity federation. In a SAML transaction the identity provider makes an assertion about an authenticated user's identity, signs it (and optionally encrypts it), and passes it to the service provider, which makes the access decision. When registering SAML applications in EmpowerID, you can select an existing SAML connection for the application (if one exists in your environment) or create a new one. If you opt to create a new SAML connection, the form presents you with additional configuration settings for the application. These settings include the following:

      • SAML Application Template - EmpowerID provides a number of SAML Connections pre-configured for specific SAML applications, as well as a default connection that can be used as a starting point for creating connections for any other SAML-based applications. The SAML templates provided out of the box by EmpowerID include the following:
        • ADP - Allows you to quickly integrate your enterprise ADP application with EmpowerID.
        • Box - Allows you to quickly integrate your enterprise Box application with EmpowerID.
        • Concur - Allows you to quickly integrate your enterprise Concur application with EmpowerID.
        • Default - Provides the basic configuration settings used for building SAML connections for applications that EmpowerID does not provide a template for. Its settings also underlie every application-specific template, such as Google or ADP.
        • DropBox - Allows you to quickly integrate your enterprise DropBox application with EmpowerID.
        • Google - Allows you to quickly integrate your enterprise Google application with EmpowerID.
        • ReverseProxy - Allows you to quickly integrate a Reverse Proxy application with EmpowerID.
        • Salesforce - Allows you to quickly integrate your enterprise Salesforce application with EmpowerID.
        • SuccessFactors - Allows you to quickly integrate your enterprise SuccessFactors application with EmpowerID.
        • UltiPro - Allows you to quickly integrate your enterprise UltiPro application with EmpowerID.
        • Yammer - Allows you to quickly integrate your enterprise Yammer application with EmpowerID.
      • Display Name - This is the name of the SAML connection that appears to users on EmpowerID User Interfaces. This field is required.
      • Description - This is a description for the SAML connection.
      • SAML Submission Method - This specifies the SAML binding EmpowerID uses to deliver assertions to the application; choose the one the application requires. EmpowerID currently supports only the HTTP-POST and HTTP-Redirect bindings.
      • SAML Name Identifier Format - This specifies the format of the SAML Name Identifier. The Name Identifier format depends on what the service provider expects and includes all possible SAML 1.1 and 2.0 options.
      • Certificate - Specifies the signing certificate used for the SAML connection.
        EmpowerID can only sign with a certificate whose private key is present: if the selected certificate has no private key, the assertion sent to the service provider is not signed, and a service provider that requires signed assertions will reject it. The private key must also be readable by the identity the EmpowerID IdP application pool runs as; you can grant that identity Read permission on the key from the Certificates MMC snap-in (All Tasks > Manage Private Keys).
      • Issuer - The identifier EmpowerID places in the assertion's Issuer element. The service provider uses it to recognize EmpowerID as its identity provider and to know where to direct the user's browser for authentication, so it must match the identity provider value configured at the service provider exactly.
      • Assertion Consumer URL - This specifies the URL at the service provider to which EmpowerID submits the SAML assertion. Take it from the service provider's own configuration and use an HTTPS URL: the assertion is a bearer credential for the user, and this setting decides where it is sent.
      • Send RelayState to Provider? - Specifies whether the Relay State should be submitted to the application.
      • RelayState - Specifies the Relay State to be sent if Send RelayState to Provider? is selected.

    • WS-Federation - Used for integrating applications that employ the Security Token Service (STS) model for facilitating identity transactions, such as Office 365 and SharePoint. When registering WS-Federation applications in EmpowerID, you can select an existing WS-Fed connection for the application (if one exists in your environment) or you can create a new WS-Fed connection for the application. If you opt to create a new WS-Fed connection, the form presents you with additional configuration settings for the application. These settings include the following:
      • Display Name - This is the name of the WS-Fed connection that appears to users on EmpowerID User Interfaces. This field is required.
      • Description - This is a description for the WS-Fed connection.
      • Issuer - This value tells the WS-Federation application where to direct the user's browser for an assertion of the user's identity.
      • Initiating URL - This specifies the link to the external service provider that is used to initiate login using EmpowerID. Clicking the tile for the application would navigate the user to the external site (e.g. https://powerdms.com/ui/Login.aspx) which would redirect the user back to EmpowerID with a WS-Federation Sign-In Request. This field is required.
      • Return URL Override - Allows you to direct the WS-Federation token to a page other than the one specified in the Sign-In Request, or to supply the return page when there is no Sign-In Request because login was initiated from EmpowerID.
      • Realm - This specifies the URI of the requesting realm.
      • Home Realm - This specifies the home realm of the IdP used for authentication.
      • Map To Account Claim Type - This specifies the token claim type, such as an email address, exchanged between EmpowerID and the WS-Federation application.
    • Web Access Management (Password Vault) - Used for integrating Web-based applications with EmpowerID in situations where you cannot alter the Web application with assemblies supplied by EmpowerID to process usernames inserted into HTTP headers. In situations like these, you can use password vaulting to pass the usernames and passwords directly to the Web application.
    • Please note that using this option requires writing the process in Node.js and inserting the file in the EmpowerID Proxy Server folder on your EmpowerID server. It is recommended that you use EmpowerID Professional Services staff for this.

      When registering Web Access Management (Password Vault) applications in EmpowerID you are presented with the following configuration settings:

      • Display Name - This is the name of the Web Access Management (WAM) connection that appears to users on EmpowerID User Interfaces. This field is required.
      • Base URL - This specifies the URL the user types in their browser to go to the application.
      • Description - This is a description for the Web Access Management connection.
      • Allow Anonymous Access to Unprotected Paths - This specifies whether anonymous users can access paths on the WAM application not specifically protected by EmpowerID.
      • Use Target Hostname in Requests - This specifies whether the EmpowerID Proxy Server should rewrite the Host header to the target host name rather than passing on the host name users typed in the browser's address bar.
      • Certificate - This specifies the certificate used to sign SAML assertions. This field is required.
      • Password Vault Login Page URL - This specifies the path to the login page of the Web application being protected by EmpowerID. This field is required.
      • Password Vault Application Type - This specifies the JavaScript file used to duplicate the login requirements of the application. This field is required.
      • Routes - This specifies the specific paths (URLs) on the application to be protected by EmpowerID.

    • Web Access Management (HTTP Header) - Used for securing access to Web applications when those applications have been configured with assemblies from EmpowerID that let user identities be passed to the application in HTTP headers. Because the application trusts the identity it reads from that header, make sure clients can reach the application only through the EmpowerID Proxy Server; a client that can connect to the application directly could supply the header itself.
      When registering Web Access Management (HTTP Header) applications in EmpowerID you are presented with the following configuration settings:

      • Display Name - This is the name of the Web Access Management connection that appears to users on EmpowerID User Interfaces. This field is required.
      • Base URL - Specifies the URL you want users to type in their browsers to access the Web application you are registering.
      • Description - This is a description for the Web Access Management connection.
      • Allow Anonymous Access to Unprotected Paths - This specifies whether anonymous users can access paths on the WAM application not specifically protected by EmpowerID.
      • Use Target Hostname in Requests - Specifies whether the EmpowerID Proxy Server should alter the Host Header to include the target host name rather than the URL typed in to the browser's address bar by users.
      • Certificate - This specifies the certificate used to sign SAML assertions. This field is required.
      • Routes - Routes are used by the EmpowerID Proxy Server to translate the URLs requested by clients to the URLs where those requests can be serviced on the Web application.
      • To add a route
        1. Click the Add Routes (+) button on the Routes grid.
        2. This opens the Routes dialog, which is where you specify the routes to be protected. A description of the fields follows the image.

          • Name - Specifies the name of the Route.
          • Display Name - Specifies the name for the Route that you want to appear to users in the EmpowerID user interfaces.
          • Description - Specifies a description for the Route.
          • Source URL - Specifies the actual location on the Web application from which the Proxy Server fetches resources on behalf of clients. The User Entered URL below is translated to this value.
          • User Entered URL - Specifies the URL to which you want users or clients to navigate via their browsers to access given resources on the Web application.
          • Max Connections - For future implementation.
          • Is Base URL - Specifies whether the route is the base URL of the Web application. At least one route must be a Base URL route. More than one route can translate to the same Source URL, and more than one route can be configured for the same User Entered URL; in the latter case the Reverse Proxy Server services requests across those routes in round-robin fashion, which is helpful where load balancing is needed.
          • Is Offline - Specifies whether the route is offline. If a route is offline, the Reverse Proxy Server will not service it.
          • Use Sticky Sessions - For future implementation.

          The following image shows what the Base URL WAM Route for an application in our environment looks like. In the image, we have configured the route so that the User Entered URL "http://www.andysbeans.com/andysbeans", typed by clients in their browsers, is translated to the Source URL "http://sso.empowerid.com:8080/andysbeans", which is the real location of the application's base URL.

        3. After filling in the fields for the WAM Route, click Add.
        4. You should see the Added flag update from 0 to 1. Clicking on the flag allows you to review the WAM route you are adding to the application.

          You can remove a WAM Route by clicking the Undo button to the right of the route.

Users Settings

This section of the form provides settings for linking the application with an account directory.

When registering applications in EmpowerID, you must link those applications to an account directory. This is necessary for EmpowerID to control access to the application as well as for providing you the means for attesting the accounts owned by users in registered applications during audits. When linking applications to account directories, you can choose to create a new account directory specifically for the application or select an existing account directory that has already been registered in EmpowerID. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or Attestation without making a connection to any external directory associated with the application. Opting to create a new account store when registering applications in EmpowerID is advantageous in that doing so creates a one-to-one correlation between the account store and the application, as well as the SSO connection for the application, if used. You simply add your existing users and groups to the account store in the same way you would with Active Directory users and groups.

Group Settings

This section of the form provides settings for adding existing groups to the application.

To add a group, you click the Add (+) button in the group grid, search for and select the desired group. You then click the Add button to add the group to the application. When you add a group to an application, you are giving all the people in that group an account in the application.

Application Subcomponents Settings

This section of the form provides settings for adding applications, pages, controls, reports and more to the application as children of the application, when applicable. If the application has subcomponents, adding them to the application configuration allows you to secure those subcomponents to help with restricting or delegating access to parts of the application.

When adding subcomponents to the application you are presented with the following configuration settings:

  • Type - This is for specifying the type of application subcomponent that is to be protected. This field is required.
  • Display Name - This is the display name of the application subcomponent. This value appears to users throughout the EmpowerID user interface. This field is required.
  • Name - This is the name you are giving to the application subcomponent. This field is required.
  • Description - This is a description of the application subcomponent. This field is required.
  • Allow Access Requests - Specifies whether the application subcomponent appears in the IT Shop. Items in the IT Shop can be requested and/or claimed by users.
  • Full URL (Exact Match Path) - When protecting Web-based resources, this field allows you to specify an exact URL to be restricted. For example, to restrict access to a specific page such as www.empowerid.com/customers/reports.aspx, you would type www.empowerid.com/customers/reports.aspx here.
  • Starts With Path - When protecting Web-based resources, this field allows you to restrict any URL whose path begins with the value entered. For example, to protect everything under the "humanresources/employees" directory, you would type /humanresources/employees here. Choose a prefix that ends at a directory boundary (for example /humanresources/employees/) if sibling paths such as /humanresources/employees-archive must not be caught by the same rule.
  • Pattern Match Path - When protecting Web-based resources, this field allows you to enter a JavaScript regular expression; any URL matching the expression is restricted. For example, to restrict access to any URL where payroll appears in the path, you would type payroll here. An unanchored expression like that matches wherever the text appears in the URL, so anchor the pattern (for example ^/payroll/) if only URLs under a specific path should be restricted.
For an example of adding Application Subcomponents to an application, see Registering WAM Applications.