Integration Note: SSO to Dynamics CRM 2011
PingFederate 6.11 Preview

© 2014 Ping Identity Corporation. All rights reserved.

About Integration Notes

PingFederate software developers, specialty teams, and third parties periodically submit supplemental documentation to give our customers insight into configuration, deployment, integration, or use cases that are not specifically covered by the core product documentation.

Disclaimer

This document is provided for informational purposes only, and the information herein is subject to change without notice. Ping Identity does not provide any warranties and specifically disclaims any liability in connection with this document. Note that Ping Identity may not provide support for any sample configurations provided in this document. The variability inherent among security environments prevents full testing and support for all possible platform configurations. If you need special assistance or would like to inquire about implementation or support programs, please contact Ping Identity Support (www.pingidentity.com/support).

Document Lifetime

Ping Identity may occasionally update PingFederate online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to the online documentation at documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: May 15, 2014.

Contact Information

Ping Identity Corporation
1001 17th Street, Suite 100
Denver, CO 80202
U.S.A.
Phone: 877.898.2905 (+1 303.468.2882 outside North America)
Fax: 303.468.2909
E-mail: [email protected]
Web Site: www.pingidentity.com

Ping Identity – Proprietary: not for general publication

Introduction

The purpose of this document is to guide a PingFederate and Microsoft Dynamics CRM 2011 (Dynamics CRM) administrator through the configuration of both products so that federated users can log on to Dynamics CRM using claims-based authentication. The document outlines how to configure an SP connection compatible with Dynamics CRM within PingFederate and how to configure Dynamics CRM to consume the federation metadata provided by the SP connection.

Note: Knowledge of Dynamics CRM is assumed, as well as familiarity with PingFederate.

Prerequisites

The following must be installed and configured in order to complete the configuration:

• Install (in your JDK) the Unlimited Strength Java Cryptographic Extension (JCE) Policy Files in order to use the AES-256 encryption algorithm used by Dynamics CRM.
• Install PingFederate 6.11 or higher.
  Note: If you need to support active clients, such as native desktop applications, for use with Dynamics CRM, ensure that PingFederate is installed with a license that enables the WS-Trust Security Token Service (STS).
• Obtain two certificates for use by PingFederate and Dynamics CRM to establish trust between the two services. The first certificate is an encryption certificate that encrypts data between PingFederate and Dynamics CRM. The second certificate is a signing certificate used to digitally sign the SAML assertions returned from PingFederate.
• Configure a connection to the Active Directory LDAP data store (see Configuring an LDAP Connection).
• Configure the HTML Form IdP Adapter with an LDAP Username Password Credential Validator (see Configuring the HTML Form IdP Adapter).
• If you are configuring the connection for active federation, install and configure the Username Token Translator 1.1 (or higher) to use LDAP bind as the processing scheme with the Active Directory LDAP data store created above. The Translator plug-in is available from the Downloads page at pingidentity.com.
  Note: For PingFederate 7.2 or higher, the Username Token Processor is part of the product and does not require a separate download or installation.
• For this release, active login to Microsoft Dynamics CRM 2011 was tested with Microsoft Office Outlook versions 2007 or later.

PingFederate Configuration

Configure PingFederate to include an SP Connection (see Managing SP Connections). Use the following steps to create the connection, accepting default settings where not specified.

To configure PingFederate:

1. Follow the configuration steps for a new SP Connection, including the following settings:
   a. On the Connection Type screen, select the Browser SSO Profiles checkbox and select WS-Federation as the Protocol. If you are configuring the connection for active federation (for native client cases such as the Dynamics CRM plug-in for Outlook), select the WS-Trust STS checkbox. You must select SAML 1.1 as the Default Token Type.
   b. On the General Info screen, enter the CRM Web site as the Partner’s Realm (for example, https://ping.crm.com/default.aspx) and enter a Connection Name.
   c. On the Browser SSO screen, click Configure Browser SSO.
   d. On the Assertion Creation screen, click Configure Assertion Creation.
   e. On the Identity Mapping screen, select User Principal Name.
   f. On the Attribute Contract screen, extend the contract by adding upn and selecting http://schemas.xmlsoap.org/ws/2005/05/identity/claims as the Attribute Name Format.
2. Configure the IdP Adapter:
   a. Click Map New Adapter Instance and select the HTML Form IdP Adapter as the Adapter Instance.
   b. On the Assertion Mapping screen, select the option button to retrieve additional attributes from a data store, including options to use alternate data stores and/or a failsafe mapping.
   c. Click Add Attribute Source and configure the LDAP data source, adding userPrincipalName as an additional attribute and including a filter value such as sAMAccountName=${username}.
   d. On the Attribute Contract Fulfillment screen, select Text as the Source for SAML_SUBJECT and enter an unused value. Select LDAP as the Source for upn and select userPrincipalName as the value.
   e. On the Failsafe Attribute Source screen, select the Abort the SSO Transaction option.
3. Configure Protocol Settings by clicking Configure Protocol Settings on the Protocol Settings screen and entering the CRM Web site as the Endpoint URL (for example, https://ping.crm.com/default.aspx).
4. Configure WS-Trust STS:
   Note: If you are not using active federation (for native client cases such as the Dynamics CRM plug-in for Outlook), then you do not need to configure WS-Trust STS settings: skip ahead to step 5. If the task bar is showing WS-Trust STS, return to the Connection Type screen and clear the WS-Trust checkbox. Then go to the Credentials screen.
   a. Click Configure WS-Trust STS and enter the base URL of your Dynamics CRM Web site on the Protocol Settings screen (for example, https://ping.crm.com), and select the Generate Key for SAML Holder of Key Subject Confirmation Method checkbox.
   b. When configuring token creation, extend the attribute contract on the Attribute Contract screen by adding upn and selecting http://schemas.xmlsoap.org/ws/2005/05/identity/claims as the Attribute Namespace.
5. Configure the IdP Token Processor Mapping:
   a. Click Map New Token Processor Instance and select a configured Username Token Processor as the Token Processor Instance.
   b. On the Attribute Retrieval screen, select the option to retrieve additional attributes from data stores to fulfill the attribute contract.
   c. On the Attribute Sources & User Lookup screen, configure the LDAP data store that will return the upn attribute for the corresponding user, adding userPrincipalName as an additional attribute and including a filter value such as sAMAccountName=${username}.
   d. On the Attribute Contract Fulfillment screen, select Text as the Source for SAML_SUBJECT and enter an unused value. Select LDAP as the Source for upn and select userPrincipalName as the value.
   e. Configure issuance criteria, if necessary (see Specifying Issuance Criteria (Optional) for more information).
6. Configure credentials:
   a. Click Configure Credentials, select the Signing Certificate you want to use, and select RSA SHA1 or RSA SHA256 as the Signing Algorithm on the Digital Signature Settings screen.
      Note: This certificate can be self-signed and can be exported for use by the Dynamics CRM server.
   b. If the Dynamics CRM server is configured for token signature validation, then export the signing certificate.
      Note: You will import the certificate into the Dynamics CRM server (see step 2 under the Dynamics CRM Configuration section).
      • To share the signing certificate with the Dynamics CRM server, click Manage Certificates.
      • Click Export on the Manage Digital Signing Certificates screen for the signing certificate you want to export.
      • On the Export & Summary screen, click Export. Transfer the certificate to the Dynamics CRM server and import it into the appropriate Certificate store using the Microsoft Management Console Certificates Snap-in. See Enabling ADFS 2.0 Token Signing for more information on token signature validation (technet.microsoft.com/en-us/library/gg188574.aspx).
      • Click Done until you return to the Digital Signature Settings screen.
   c. If WS-Trust was configured, on the Select XML Encryption Certificate screen, select AES-256 as the Block Encryption Algorithm and select the encryption certificate for Dynamics CRM claims encryption from the drop-down list. This is the same encryption certificate used in step 3 of the Dynamics CRM Configuration section.
      Note: If AES-256 is unavailable, make sure the high-level encryption libraries were imported correctly.
7. Save and activate the connection on the Activation & Summary screen.

Dynamics CRM Configuration

Use the following steps to configure Dynamics CRM to consume the federation metadata provided by the PingFederate SP connection.

1. Access the Dynamics CRM server.
2. If Dynamics CRM is configured for token signature validation, run mmc.exe and attach the Certificates (Local Computer) Snap-in. Import the signature-verification certificate used in PingFederate or the certificate’s CA certificate into the appropriate certificate store. See Enabling ADFS 2.0 Token Signing for more information on token signature validation (technet.microsoft.com/en-us/library/gg188574.aspx).
3. If WS-Trust STS was configured for the CRM connection in PingFederate, import the encryption certificate used in PingFederate (see step 6c in the PingFederate Configuration section) along with the certificate’s private key into the Dynamics CRM server’s personal certificate store. The Dynamics CRM server searches this store when configuring claims-based authentication.
4. On the Dynamics CRM server, run the Microsoft Dynamics CRM Deployment Manager.
5. Select Configure Claims-based Authentication and click Next.
6. Enter the following URL for the Federation metadata URL and click Next:
   https://<pf_host>:<pf_port>/pf/federation_metadata.ping?PartnerSpId=<SPConnectionID>&forceIssuedTokenPolicy
   where:
   <pf_host> is the host name or IP address where PingFederate is running.
   <pf_port> is the port number for PingFederate.
   <SPConnectionID> is the ID for the PingFederate SP Connection you configured above (for example, https://ping.crm.com/default.aspx).
   Note: If an error appears stating that the Federation URL is unavailable, add PingFederate’s server certificate (signed by the domain controller) to the Dynamics CRM server to establish trust with PingFederate’s SSL server certificate.
7. When prompted for the encryption certificate, use the same certificate shared with PingFederate (see step 6c in the PingFederate Configuration section, above).
8. Save the configuration and run iisreset from the command line so the Dynamics CRM server recognizes the changes.

Changing Signing Certificates

The Dynamics CRM server may cache the signing certificate, which can cause trust errors when changing the PingFederate signing certificate. Reconfiguring claims-based authentication is recommended when you change the PingFederate signing certificate. After changing the signing certificate in the Dynamics CRM connection, do the following on the Dynamics CRM server:

1. In the Microsoft Dynamics CRM Deployment Manager, disable claims-based authentication.
2. Run iisreset from the command line on the Dynamics CRM Web server.
3. In the Microsoft Dynamics CRM Deployment Manager, reconfigure claims-based authentication.
4. In the Microsoft Dynamics CRM Deployment Manager, if previously enabled, reconfigure Internet-Facing Deployment.
5. Run iisreset from the command line on the Dynamics CRM Web server.
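As an added check (example code written for this note, not Ping Identity's or Microsoft's), the following script lints a SAML 1.1 assertion captured from the SP connection configured above against the settings it should carry: the partner realm as the audience, the upn attribute in the http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, and an RSA SHA256 rather than RSA SHA1 signature. The sample assertion, issuer and user are constructed placeholders; the script checks structure only and does not verify the signature value itself.

```python
# Added example (not from the integration note): lint a SAML 1.1 assertion from the
# PingFederate SP connection. Structure only: the XML signature is not verified here.
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def check_assertion(xml_text, expected_realm):
    """Return a list of problems; an empty list means the assertion matches."""
    problems = []
    root = ET.fromstring(xml_text)
    if (root.tag != f"{{{SAML1}}}Assertion" or root.get("MajorVersion") != "1"
            or root.get("MinorVersion") != "1"):
        problems.append("not a SAML 1.1 assertion (Default Token Type must be SAML 1.1)")
    audiences = [a.text for a in root.iter(f"{{{SAML1}}}Audience")]
    if expected_realm not in audiences:
        problems.append(f"audience {audiences} does not include partner realm {expected_realm}")
    upn = [a for a in root.iter(f"{{{SAML1}}}Attribute")
           if a.get("AttributeName") == "upn" and a.get("AttributeNamespace") == CLAIMS_NS]
    if not upn:
        problems.append("upn attribute missing or not in the identity/claims namespace")
    sig = root.find(f"{{{DSIG}}}Signature/{{{DSIG}}}SignedInfo/{{{DSIG}}}SignatureMethod")
    if sig is None:
        problems.append("assertion is not signed")
    elif sig.get("Algorithm") == RSA_SHA1:
        problems.append("signed with RSA SHA1; prefer RSA SHA256 on the Digital Signature Settings screen")
    elif sig.get("Algorithm") != RSA_SHA256:
        problems.append(f"unexpected signature algorithm {sig.get('Algorithm')}")
    return problems


# Constructed sample of what a correctly configured connection should emit (placeholders only).
GOOD = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_placeholder" Issuer="pf.example.com">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>https://ping.crm.com/default.aspx</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>unused</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="upn" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature xmlns:ds="{DSIG}"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""
```

Call check_assertion(assertion_xml, "https://ping.crm.com/default.aspx") on an assertion captured from the browser SSO flow; an empty list means the realm, upn claim and signing algorithm match the connection settings.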
Known Issues

• If you configure Internet-Facing Deployment in the Dynamics CRM Deployment Manager, you can ignore the following warning and still successfully complete the configuration: “The Discovery Web Service could not be accessed. The domain is unavailable or does not exist.”
• Active login for Dynamics CRM Outlook clients is supported only when the claims provider for the Dynamics CRM Outlook client is the same claims provider as the Dynamics CRM server. This means all Outlook client computers need to be configured to log in to the SAML claims provider (which is the default behavior). In other words, the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MSCRMClient\HomeRealmUrl registry key on the Outlook client computer must not be set. See Configure Microsoft Dynamics CRM for Outlook to use Claims-based Authentication for more information (technet.microsoft.com/en-us/library/gg188615.aspx).