Authentication is the act of validating that users are who they claim to be. The most common and simplest example of authentication is using a username and password to access an application.
This article describes how to Enable Authentication. In addition, this document provides steps for configuring Print Portal to automatically sign on by using Windows credentials.
By enabling authentication, we can protect our Print Portal website from anonymous access. Anyone who wants to access the web application will first have to go through to the login page where they can enter their credentials.
To restrict website access by authorization, access Print Portal web page and click on the Administrative Setup hyperlink on top right corner in navigation menu. Then, in the Advanced property page, click to select the Enable Authentication check box available under Security section.
Once enabled, the Sign In form will be served before access to home page both when using HTTP and HTTPS connections to the Print Portal.
Setting up Single Sign-On using Active Directory with ADFS
In addition to the user authentication, you can also use Single Sign-On to automatically authenticate your users in to the Print Portal web page. Single sign-on (SSO) authentication (with AD FS) is now supported in BarTender 2021 and later.
Active Directory Federation Services (ADFS) is a Single Sign-On solution developed by Microsoft. The AD FS role service can be installed on Windows Server operating systems. You can set up Single Sign-On using Active Directory Federation Services (ADFS) to provide your company’s clients, partners or vendors access to multiple resources throughout the organization, (e.g. BarTender Print Portal) with one set of login (username and password) and without being prompted for additional credentials.
This multi-part guide will walk you through configuring Single Sign-On (SSO) using Microsoft AD FS to allows users access Print Portal with a single login.
It is broken down into the following parts:
- Part 1 - Requirements
- Part 2 - Turn on Windows authentication IIS feature in Windows
- Part 3 - Enabling Windows authentication in IIS
- Part 4 - Register Print Portal with AD FS
- Part 5 - Editing the Print Portal Configuration File
Part 1 - Requirements
Make sure that the BarTender Print Portal website uses HTTPS connection. An HTTP binding will not work. ADFS requires that the relying party trust, from where it can expect requests to come from, uses a secure URL. For more information on how to enable HTTPS in Print Portal, click here.
Part 2 - Turn on Windows authentication IIS feature in Windows
*Note: Perform the following on the Print Portal Web Server
For security reasons, the Windows Authentication feature in IIS is turned off by default. To enable
this feature, follow these steps in Windows:
- Right-click the Start button, then click Control Panel.
- In Control Panel, click Programs and Features, then click Turn Windows features on or off.
- Expand Internet Information Services, expand World Wide Web Services, expand Security, then select Windows Authentication.
Part 3 - Enabling Windows authentication in IIS
*Note: Perform the following on the Print Portal Web Server.
Hit Windows key and type “Run” or you can just use a combination of Windows + R to open the same “Run” app. In the Search box, type "inetmgr" and press ENTER.
In Internet Information Services (IIS) Manager in the Connections menu tree (left pane), expand the name of the server that contains the Print Portal web application. Then expand Sites and Default Web Site and click on BarTender. On the /BarTender Home page, double-click the Authentication icon.
Select Anonymous Authentication to Disabled, and set Windows Authentication to Enabled. You can use the Actions menu (right pane) to quickly perform this task.
Part 4 - Register Print Portal with AD FS
*Note: Perform the following on the AD FS Server.
Run the AD FS Management console and open the server's Add Relying Party Trust Wizard from the ADFS Management console.
Click to select the Enter data about the relying party manually option. Click Next.
Enter a display name for the relying party (e.g. Print Portal Login). Click Next.
Do not set an encryption token. Click Next.
Enable support for WS-Federation Passive protocol, and then enter the root URL of Print Portal as the relying party protocol URL. The relying party URL should be the URL where AD FS sends the SAML response after authenticating the user. Click Next.
Note: This must be an HTTPS URL.
Click Next through the rest of the wizard and Close at the end.
In the left pane of the AD FS Management console, select Relying Party Trusts. Then, in the center pane, select the relying party trust that you created for Print Portal. Next, in the right pane, click Edit Claim Issuance Policy.
In the Add Transform Claim Rule Wizard, leave the default Send LDAP Attributes as Claims template selected, and click Next. Select Add Rules from the Edit Claim Rules dialog.
Add a rule mapping the SAM-Account-Name LDAP attribute to the Name ID outgoing claim. Click Finish.
Part 5 -Editing the Print Portal Configuration File
- Stop the application pool:
- Open the IIS Manager.
- In the Connections pane, expand the server node and click Application Pools to display all Application Pools.
- On the Application Pools page, select the BPP_AppPool.
- Click Stop to stop the application pool.
- Make sure that the website is configured to use an HTTPS binding (See above - Part 1 - Requirements).
- Edit the application's settings.xml file:
- Go to the main BarTender Print Portal Installation Folder. By default is is: "C:\inetpub\wwwroot\BarTender"
- Find and open the file the "settings.xml" in this directory.
- Edit the file as follows:
- In the Authentication node, make sure that Enabled is set to "true".
- Change Mode to "ADFS".
- Provide the metadata address that corresponds to the ADFS server:
The AD FS web service metadata endpoint. Use a valid, accessible, and complete URI, in the following format:
Replace <AD FS> with an accessible AD FS fully qualified domain name of the federation service.
- Enter the root Print Portal URL in the RelyingPartyURL field. This URL must exactly match the URL that you configured in the AD FS Add Relying Party Trust wizard.
- Start the BPP_AppPool application pool.
If you are using Mozilla Firefox as your browser, you need to make a configuration change to automatically pass Windows credentials. For more information, click here.