Setting up the Remote Windows Identity Provider

Through the Remote Windows Identity Provider application, EmpowerID allows organizations to extend authentication to partner organizations without requiring that partner to have a Federation server or be licensed to use EmpowerID. The EmpowerID Remote Identity Provider is a small lightweight component that can be installed on a remote IIS server in AD domains where EmpowerID is not installed. The Remote IdP works by allowing users in external domains to browse to a page on a local Web server that authenticates them against their on-premise Active Directory and then redirects them to an external EmpowerID site with a SAML claim containing their Active Directory username. The external EmpowerID site validates that the information was signed with the appropriate trusted certificate and then authenticates the user as the Person owning the Active Directory user account. Once authenticated, EmpowerID seamlessly forwards the user to the requested destination Service Provider application they requested when browsing their local Web page for authentication. This Service Provider application could be the EmpowerID Web site or another SSO application, such as, depending on how the SSO connection is configured. If the Service Provider application specified is not EmpowerID, the necessary method for performing single sign-on into that system will be invoked.

When setting up the IdP connection, you have two SSO flow options: IdP-initiated or SP-initiated. The end result is the same with the difference being how EmpowerID initiates the SSO session.
  • With IdP-initiated SSO, the EmpowerID Remote IdP (the IdP) generates a SAML response for the user and posts it to the SP, where it is verified. Once verified the user gains access to their resources.
  • For SP-initiated SSO, a SAML request is sent from the SP to the EmpowerID Remote IdP (the IdP). In response to the request, the EmpowerID Remote IdP (the IdP) generates a SAML response and posts it to the SP. If the response is valid, the user gains access to their resources.

This topic describes how to configure an IDP connection for the Remote Windows Identity Provider and is divided into the following activities:

To create an IDP Connection for the Remote Windows Identity Provider

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Application Management page by expanding Applications and clicking Manage Applications.
  2. From the Actions pane, click the Create SAML Connection action link.
  3. From the General tab of the Connection Details form that appears, do the following:
    1. Select Identity Provider as the SAML Connection Type.
    2. Select Default IdP Connection Settings from the SAML Application Template drop-down.
    3. Leave the External Identity Provider URL field set to about:blank.
    4. Type an appropriate name (without spaces), display name, and optionally a description for the connection in the Name, Display Name and Description fields, respectively.
    5. Type the connection information in the User Entered URL field. The value you enter depends on how you want the SSO session to be initiated. For IdP-initiated SSO, enter a URL formatted as follows:
      If you want the SSO session to be SP-initiated, enter a URL formatted as follows:
    6. In the below image, the User Entered URL is IdP-initiated.

      If you are using EmpowerID as the identity provider for a third-party service provider, such as Salesforce, the third-party service provider application must be registered in EmpowerID.
    7. Scroll to the Account Information section of the form and tick Create a New Account Directory. This tells EmpowerID to create a special type of account store for the connector that is internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store account exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. In this way, when users in the external domain attempt to access a service provider via EmpowerID, EmpowerID checks to see if that user has an account in the associated tracking-only account store.
    8. Scroll to the Certificates section of the form and from the Verifying Certificate drop-down select the certificate for verifying the SAML assertion sent to EmpowerID by the EmpowerID Remote IdP. This certificate must have the public key for the certificate used by the remote server to sign the SAML assertions being sent to EmpowerID.
    9. Leave all other fields as is and click Save.

To install the Remote Windows Identity Provider

  1. On the remote server (not the EmpowerID server), open the installer for the Remote Windows Identity Provider you received from EmpowerID and click Next.
  2. Accept the terms of the License Agreement and click Next.
  3. Choose your installation path and click Next.
  4. Click Install.
  5. When the command window appears, press any key to continue.
  6. Once the installation completes, click Finish.
  7. From the EmpowerID Remote IDP Configuration window that appears, do the following:
    1. In the Remote EmpowerID Web Site URL field, type the URL to the EmpowerID Web server hosting the Remote Identity Provider connection, being sure to use Hypertext Transfer Protocol over Secure Socket Layer. The URL should look similar to "," where is the FQDN or resolvable DNS alias of the EmpowerID Web server.
    2. Type the appropriate information for the Application Identity in the Username, Password and Web Site fields.
    3. No special permissions are needed for the application identity.
    4. Select SAML as the Response Type.
    5. Click the ellipses (...) button to the right of the Signing Certificate field and select the certificate that will be used to sign the SAML assertions sent to the EmpowerID Web server. The verification certificate set for the Remote Identity Provider SSO connection on the EmpowerID server must have the public key for this certificate, as it is used to verify that the assertions are coming from the remote server.
    6. In order for the Remote IDP Configurator to locate the certificate, it must be in the Personal certificate store on the local server.

      When you have completed the above, the EmpowerID Remote IDP Configuration window should look similar to the following:

    7. Click Apply and then click OK to close the Success message box.
    8. Close the EmpowerID Remote IDP Configuration window.

To test the Remote Windows IdP connection

  1. On the remote machine, prompt for Windows credentials by opening a browser and navigating to the URL you specified for the Remote Identity Provider connection on the EmpowerID server.
  2. Type the credentials of a remote user in the Windows Authentication dialog and click OK.
  3. This starts the Login workflow and directs your browser to the EmpowerID login check, which asks if you already have an EmpowerID login. Since this is your first login as the remote user click No.
  4. In the Create User Account Form that appears, fill in the required First Name and Last Name fields, as well as any other fields for which you have information and click Submit.
  5. Click OK to close the submission confirmation message.
  6. Log in to the EmpowerID Web application as an administrator and from your dashboard click the link from an anonymous user requesting an EmpowerID Person account.
  7. From the Task Details page that appears, select Approve.
  8. Type a comment for the approval and then click OK.
  9. Once the process completes log out of the Web application.
  10. From the remote server, navigate your browser to the URL for the Remote Identity Provider connection on the EmpowerID server and when prompted enter the Windows credential for that person and click OK.
  11. Answer the Password Self-Service Reset questions and click Submit.
  12. EmpowerID logs you in to the specified service provider (in this case, the EmpowerID Web application) as the remote user.