Install IIS 7
* OS: Windows 2008R2
* Add roles:
– Web Server (IIS), including the Application Development role services
* Add to the hosts file:
192.168.1.7 openam.my.com
192.168.1.35 iis7.my.com
Create IIS Agent Profile
* Log in to OpenAM
* Go to: Access Control > / (Top Level Realm) > Agents > Web tab
* Add a new Web agent named IIS7:
– Note that you need to specify the port number in both the Server URL and the Agent URL, even for the default ports 80 and 443
* Select the new agent and enable SSO Only Mode (the agent then enforces authentication only and does not evaluate OpenAM authorization policies)
* If the web server is behind a load balancer:
– Go to the Advanced tab
– Select all Load Balancer options
Install OpenAM Agent
* Download the IIS Web Policy Agent, e.g. IIS_WINNT_64bit_4.0.0.zip, from the ForgeRock download site.
* Unzip the iis_agent folder into a directory, e.g. C:\prog
* For SSL support (i.e. if OpenAM is reached over HTTPS):
– Download a pre-compiled OpenSSL for Windows, e.g. from here (openssl-1.0.2k-x64_86-win64.zip).
– Copy the following OpenSSL DLL files:
libeay32.dll
ssleay32.dll
to:
C:\Windows\SysWOW64 (for 32-bit OpenSSL)
C:\Windows\system32 (for 64-bit OpenSSL)
– Run iisreset so that IIS picks up the OpenSSL DLL files
* Create a new password file named iis7pass.txt containing the agent profile password, e.g. Wx1
* Open a privileged command window
* Go to C:\prog\iis_agent\bin
Interactive Install
agentadmin.exe --i

Installation parameters:
OpenAM URL: http://openam.my.com:8080/openam
Agent URL: http://iis7.my.com:80
Agent Profile name: IIS7
Agent realm/organization name: /
Agent Profile password source: C:\prog\iis_agent\iis7pass.txt
Confirm configuration (yes/no): [no]: yes
Validating...
Validating... Success.
Cleaning up validation data...
Creating configuration...
Installation complete.
* Don’t forget to run iisreset afterwards
Silent Install
# Find which site to install the agent into
agentadmin.exe --n

IIS Server Site configuration:
Number of Sites: 1
id: 1 name: "DEFAULT WEB SITE"

# Silent install
agentadmin.exe --s "1" "http://openam.my.com:8080/openam" "http://iis7.my.com:80" "/" "IIS7" "C:\prog\iis_agent\iis7pass.txt" --changeOwner --acceptLicence
* Don’t forget to run iisreset afterwards
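The whole silent-install procedure above (password file, OpenSSL check, site lookup, agentadmin --s, iisreset) as one PowerShell script. This is an added example, not code from the original page or from ForgeRock; it assumes the agent is unzipped to C:\prog\iis_agent, that site id 1 is the one agentadmin --n reports, and that agentadmin returns a non-zero exit code on failure. Run it from an elevated PowerShell window.

```powershell
# Added example (not from the original page). Values mirror the page's install.
# Assumed: agent unzipped to C:\prog\iis_agent; site id 1 reported by agentadmin --n;
# agentadmin exits non-zero on failure. Run elevated.

$AgentHome    = 'C:\prog\iis_agent'
$OpenAmUrl    = 'http://openam.my.com:8080/openam'
$AgentUrl     = 'http://iis7.my.com:80'
$Realm        = '/'
$ProfileName  = 'IIS7'
$SiteId       = '1'
$PasswordFile = Join-Path $AgentHome 'iis7pass.txt'

# 1. Write the agent profile password file. Prompt for the secret rather than
#    embedding it in the script, and write it without a trailing newline because
#    agentadmin uses the file contents verbatim.
$cred  = Get-Credential -UserName $ProfileName -Message 'OpenAM agent profile password'
$plain = $cred.GetNetworkCredential().Password
[IO.File]::WriteAllText($PasswordFile, $plain, [Text.Encoding]::ASCII)

# Restrict the file to SYSTEM and Administrators so other local users cannot read it.
icacls $PasswordFile /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(R)' | Out-Null

# 2. When OpenAM is reached over HTTPS the agent needs the OpenSSL DLLs the page
#    lists; fail early if neither the 32-bit nor the 64-bit copy is in place.
if ($OpenAmUrl -like 'https://*') {
    foreach ($dll in 'libeay32.dll', 'ssleay32.dll') {
        $found = @('System32', 'SysWOW64') | Where-Object {
            Test-Path (Join-Path $env:SystemRoot "$_\$dll")
        }
        if (-not $found) { throw "$dll not found under $env:SystemRoot; copy the OpenSSL DLLs first." }
    }
}

Push-Location (Join-Path $AgentHome 'bin')
try {
    # 3. List the IIS sites and make sure the id we are about to use is one IIS reports.
    $sites = (& .\agentadmin.exe --n) | Out-String
    Write-Host $sites
    if ($sites -notmatch "id:\s*$SiteId\b") {
        throw "Site id $SiteId not listed by agentadmin --n; pick the id from the output above."
    }

    # 4. Silent install: same argument order as the page's command line.
    & .\agentadmin.exe --s $SiteId $OpenAmUrl $AgentUrl $Realm $ProfileName $PasswordFile `
        --changeOwner --acceptLicence
    if ($LASTEXITCODE -ne 0) {
        throw "agentadmin --s returned exit code $LASTEXITCODE; the agent was not installed."
    }
}
finally {
    Pop-Location
}

# 5. Restart IIS so the newly registered agent module is loaded.
iisreset
```

The password file is the one secret this install leaves on disk, so the script both avoids a hard-coded value and strips inherited ACLs from the file; anyone who can read it can impersonate the agent profile to OpenAM.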
Web Site Authentication
* Log in to the IIS server
* Open IIS Manager
* Select the web site
* Enable anonymous authentication type for the site
* Disable all other authentication types for the site
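The same setting applied and verified from PowerShell with the WebAdministration module, as an added example that is not part of the original page. It assumes the agent was installed into "Default Web Site" and that the script runs elevated on the IIS host.

```powershell
# Added example (not from the original page): "anonymous on, everything else off"
# for the agent's site, plus a read-back so the result can be checked.
# Assumed: site name "Default Web Site"; elevated session on the IIS server.

Import-Module WebAdministration

$SiteName = 'Default Web Site'
$AuthBase = '/system.webServer/security/authentication'
$Sections = 'anonymousAuthentication', 'windowsAuthentication',
            'basicAuthentication', 'digestAuthentication'

function Get-SiteAuthState {
    # Returns section -> enabled for the authentication sections present on this server
    # (a section is absent when its IIS feature is not installed).
    param([string]$Site)
    $state = @{}
    foreach ($section in $Sections) {
        $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
                    -Filter "$AuthBase/$section" -Name enabled -ErrorAction SilentlyContinue
        if ($null -ne $attr) { $state[$section] = [bool]$attr.Value }
    }
    return $state
}

# Only the agent may decide who is authenticated: IIS must let every request reach
# the agent module (anonymous on) and must not issue its own 401 challenges first.
$before = Get-SiteAuthState -Site $SiteName
foreach ($section in $before.Keys) {
    $wanted = ($section -eq 'anonymousAuthentication')
    if ($before[$section] -ne $wanted) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
            -Filter "$AuthBase/$section" -Name enabled -Value $wanted
    }
}

# Verify and report. Anything other than anonymous=True and the rest False means an
# IIS authentication module would still intercept requests before the agent does.
$after = Get-SiteAuthState -Site $SiteName
foreach ($section in $Sections) {
    if ($after.ContainsKey($section)) {
        '{0,-24} enabled={1}' -f $section, $after[$section]
    }
}
```

Writing with -PSPath 'IIS:\' and -Location puts the values in a location tag in applicationHost.config, which is what IIS Manager does and which works even though the authentication sections are locked against web.config overrides by default.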
Test
* Point a browser at the agent URL, e.g. http://iis7.my.com:80
* You’ll be prompted to log in to OpenAM
* Once logged in, you’re redirected back to the agent site
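A scripted version of the browser test, added here and not part of the original page: it sends one unauthenticated request to the agent URL without following redirects and checks that the response is a redirect to OpenAM. The URLs are the page's; the helper name Test-AgentRedirect is my own.

```powershell
# Added example (not from the original page): verify that an unauthenticated request
# to the agent site is redirected to OpenAM. HttpWebRequest with AllowAutoRedirect off
# returns the 3xx itself instead of following it. URLs assumed from the page.

function Test-AgentRedirect {
    param(
        [string]$AgentUrl  = 'http://iis7.my.com:80/',
        [string]$OpenAmUrl = 'http://openam.my.com:8080/openam'
    )
    $req = [System.Net.WebRequest]::Create($AgentUrl)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false   # keep the redirect so it can be inspected
    $req.Timeout = 10000

    try {
        $resp = $req.GetResponse()
    }
    catch [System.Net.WebException] {
        # 4xx/5xx responses arrive as exceptions; report their status instead.
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # no HTTP response at all (DNS, refused, timeout)
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    # Intercepted means: a redirect whose target is under the OpenAM base URL.
    # (A relative Location header would fail this check and should be looked at by hand.)
    $intercepted = ($status -in 301, 302, 303, 307) -and
                   $location -and
                   $location.StartsWith($OpenAmUrl, [StringComparison]::OrdinalIgnoreCase)

    [pscustomobject]@{
        Status      = $status
        Location    = $location
        Intercepted = $intercepted
    }
}

$result = Test-AgentRedirect
$result | Format-List
if (-not $result.Intercepted) {
    Write-Warning 'No redirect to OpenAM: check that iisreset was run, the agent is listed and enabled (agentadmin --l), and anonymous authentication is on for the site.'
}
```

A 200 with the site's own content here means the agent module is not in the request pipeline, i.e. the site is unprotected; a 401 means an IIS authentication module is still challenging before the agent runs.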
Agentadmin Commands
List Web Sites
agentadmin.exe --n

IIS Server Site configuration:
Number of Sites: 1
id: 1 name: "DEFAULT WEB SITE"
List Installed Agents
agentadmin.exe --l

OpenAM Web Agent configuration instances:
id: agent_1
configuration: C:\prog\iis_agent\bin\..\instances\agent_1
server/site: 2
Disable Agent
* This does not work in version 4.0.0
agentadmin.exe --d agent_1
Enable Agent
agentadmin.exe --e agent_1

Enabling agent_1 module configuration in site 2... Done.
Remove Agent
agentadmin.exe --r agent_1

Warning! This procedure will remove agent_1 configuration from IIS Site 2.
Continue (yes/no): [no]: y
Removing agent_1 configuration...
Removing agent_1 configuration... Done.
Remove All Agents
agentadmin.exe --g