# Authentication options

The Lithnet LAPS web app supports the following authentication protocols:
- Windows authentication
- WS-Federation (use with ADFS)
- OpenID Connect
The authentication mechanism used is controlled by the `web.config` file located in the root of the application folder.

## Windows authentication

The LAPS web app is configured to use Windows authentication by default.

You must configure the IIS web site to disable anonymous authentication and enable Integrated Windows Authentication.

In the `<appSettings>` element of the `web.config` file, ensure that the `owin:appStartup` key is set as below, and that all other `owin:appStartup` values are commented out.

```xml
<add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWindowsAuth" />
```
## WS-Federation (ADFS)

If you have an ADFS server, you can use it to authenticate users.

You must configure the IIS web site to enable anonymous authentication and disable Integrated Windows Authentication.

In the `<appSettings>` element of the `web.config` file, ensure that the `owin:appStartup` key is set as below, and that all other `owin:appStartup` values are commented out.

```xml
<add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWsFederation" />
<add key="ida:wtrealm" value="https://laps.lithnet.local/" />
<add key="ida:metadata" value="https://adfs.lithnet.io/FederationMetadata/2007-06/FederationMetadata.xml" />
```

Configure the parameters as follows:

| Parameter | Description |
|---|---|
| `ida:wtrealm` | The reply URL that you will configure in ADFS. Replace `laps.lithnet.local` with the correct hostname for your server. |
| `ida:metadata` | The metadata URL for your ADFS instance. |
Your ADFS server must be configured to issue the User Principal Name claim.
## OpenID Connect

You must configure the IIS web site to enable anonymous authentication and disable Integrated Windows Authentication.

In the `<appSettings>` element of the `web.config` file, ensure that the `owin:appStartup` key is set as below, and that all other `owin:appStartup` values are commented out.

```xml
<add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect" />
<add key="oidc:ClientId" value="your-client-id" />
<add key="oidc:ClientSecret" value="your-client-secret" />
<add key="oidc:RedirectUri" value="https://laps.lithnet.local/" />
<add key="oidc:Authority" value="https://lithnet.okta.com" />
```

Configure the parameters as follows:

| Parameter | Description |
|---|---|
| `oidc:ClientId` | The client ID issued to you by your OpenID Connect provider. |
| `oidc:ClientSecret` | The client secret issued to you by your OpenID Connect provider. |
| `oidc:RedirectUri` | The URL the OpenID Connect provider should redirect back to once the user has logged in. Replace `laps.lithnet.local` with your server hostname. |
| `oidc:Authority` | The URL of the OpenID Connect provider. |

The OpenID Connect provider must support issuing an `id_token` in a hybrid authentication request, and that token must contain a `upn` claim.
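The three sections above all depend on exactly one `owin:appStartup` entry being active and on the matching keys being filled in. The following added example (not part of the Lithnet project) checks an `<appSettings>` fragment for those conditions; the startup class names and key names are the ones on this page, while the placeholder list and the `https://` requirement are assumptions of this check.

```python
import xml.etree.ElementTree as ET

# Required appSettings keys for each owin:appStartup value, as listed on the page.
REQUIRED_KEYS = {
    "Lithnet.Laps.Web.Startup.ConfigureWindowsAuth": set(),
    "Lithnet.Laps.Web.Startup.ConfigureWsFederation": {"ida:wtrealm", "ida:metadata"},
    "Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect": {
        "oidc:ClientId", "oidc:ClientSecret", "oidc:RedirectUri", "oidc:Authority"},
}
PLACEHOLDERS = {"your-client-id", "your-client-secret"}  # sample values from the page
URL_KEYS = {"ida:wtrealm", "ida:metadata", "oidc:RedirectUri", "oidc:Authority"}

def check_appsettings(xml_text):
    """Return a list of problems; an empty list means the settings are consistent."""
    # ElementTree drops XML comments, so commented-out <add> entries are not counted.
    root = ET.fromstring(xml_text)
    settings, startups, problems = {}, [], []
    for add in root.iter("add"):
        key, value = add.get("key"), add.get("value")
        if key == "owin:appStartup":
            startups.append(value)
        settings[key] = value
    if len(startups) != 1:
        return [f"expected exactly one active owin:appStartup, found {len(startups)}"]
    startup = startups[0]
    if startup not in REQUIRED_KEYS:
        return [f"unknown owin:appStartup value {startup!r}"]
    for key in sorted(REQUIRED_KEYS[startup]):
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} is required for {startup.rsplit('.', 1)[-1]} but is missing")
        elif value in PLACEHOLDERS:
            problems.append(f"{key} still holds the placeholder value {value!r}")
        elif key in URL_KEYS and not value.lower().startswith("https://"):
            problems.append(f"{key} should be an https:// URL, got {value!r}")
    return problems

# Constructed samples: the page's WS-Federation block with the Windows startup commented out,
# and an OpenID Connect block still holding a placeholder secret and a plain-http redirect URI.
SAMPLE_WSFED = """<appSettings>
  <!-- <add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWindowsAuth" /> -->
  <add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWsFederation" />
  <add key="ida:wtrealm" value="https://laps.lithnet.local/" />
  <add key="ida:metadata" value="https://adfs.lithnet.io/FederationMetadata/2007-06/FederationMetadata.xml" />
</appSettings>"""
SAMPLE_OIDC_BAD = """<appSettings>
  <add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect" />
  <add key="oidc:ClientId" value="abc123" />
  <add key="oidc:ClientSecret" value="your-client-secret" />
  <add key="oidc:RedirectUri" value="http://laps.lithnet.local/" />
  <add key="oidc:Authority" value="https://lithnet.okta.com" />
</appSettings>"""
```

Run `check_appsettings` on the `<appSettings>` element extracted from your own `web.config`; a non-empty result lists the entries to fix before the site is exposed.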