ESSO Installation Windows (+3.5.0-enterprise)
Introduction
Soffid ESSO is a full Enterprise Single Sign-On solution.
Here you can find the details about the ESSO +3.5.0-enterprise installation.
Supported platforms
Soffid ESSO supports Windows XP or later workstations.
Windows
Interactive installation
To install Soffid ESSO, you must follow these steps:
1. Download the latest available installer version from: Soffid Download Manager.
2. Install as administrator. Once the interactive installation has finished, a message window will notify you.
3. Finally, the system will prompt you to configure Soffid ESSO. This prompt will not be shown on updates or silent installations.
3.1. If you click No, the process finishes without configuration.
3.2. If you click Yes, you have to configure the URL of the ESSO server: enter the URL of the Soffid identity provider and obtain its digital certificate.
4. After configuring the system, you must reboot the computer.
Configure the ESSO Profile
1. Then you need to configure the ESSO profile in your Identity Provider
For more information you can visit the following page: https://bookstack.soffid.com/books/federation/page/esso
2. And finally, you can configure the Adaptive authentication rules
Silent installation
To do a silent installation, run the installer from the command line with the following parameters:
-q or /q: Quiet installation
-server [url] or /server [url]: to configure the synchronization server URL.
-force or /force: force the installation even if a restart is pending. Not recommended.
-nogina or /nogina: do not modify the previous GINA. In this version, this parameter only applies on first installation.
-nopm: do not install Password Manager
To assist in mass deployment scenarios, the smart update switch can be set to prevent Soffid from reinstalling components when the installer version matches the one already installed. This switch does not affect new installations.
-smartupdate or /smartupdate: Smart update installation
MSI Package
MSI Installation is also available for enterprise customers.
To customize configuration parameters, the PARAM variable can be used:
Example:
C:\> msiexec /i soffidesso.msi PARAM="-q -server https://server.domain.local:760 -force -nogina -smartupdate"
Registry configuration entries
The system stores all its settings in the registry branch HKLM\SOFTWARE\Soffid\esso.
The values used are as follows:
| Entry | Default Value | Description |
|---|---|---|
| LogonEntry | Logon | After identifying the user, Soffid ESSO will look in the defined application tree for an application with this key, in order to execute it. |
| OfflineEntry | Offline | If synchronization servers are not reachable, an alternative script will be executed. This entry contains the key of the application entry point to execute in such a case. |
| LocalCardSupport | 2 | Indicates whether to ask for the coordinates card at logon time. Four values are allowed. 1 – Coordinates card is required. 2 – Coordinates card is required if and only if the user is the owner of one card. 3 – Coordinates card is required if the user is connecting from an unregistered device. 4 – Never ask for coordinates card. |
| RemoteCardSupport | 1 | Indicates whether to ask for the coordinates card when performing a remote logon. Four values are allowed. 1 – Coordinates card is required. 2 – Coordinates card is required if and only if the user is the owner of one card. 3 – Coordinates card is required if the user is connecting from an unregistered remote device. 4 – Never ask for coordinates card. |
| LocalOfflineAllowed | 1 | Specifies whether it is permitted to use the workstation when no Soffid synchronization servers are reachable. 1 – It's permitted. 0 – It's forbidden. |
| RemoteOfflineAllowed | 0 | Specifies whether it is permitted to open a terminal server connection against this host when no Soffid synchronization servers are reachable. 1 – It's permitted. 0 – It's forbidden. |
| CertificateFile | root.cer | Specifies the name of the file containing the Certificate Authority certificate used by the synchronization server (X509 DER format). |
| SSOServer | stsmlin3.caib.es, sticlin2.caib.es | Comma-separated list of synchronization server names. |
| seycon.https.port | 760 | TCP/IP port used for connecting to SEYCON. |
| debuglevel | | Indicates the level of detail of the log: 0 = nothing is recorded, 1 = basic information, 2 = detailed information. |
| ginalogFile | | Name of the file which records the actions taken by GINA. Do not enable it unless needed. |
| ShiroHostName | | Do not modify: it contains the name that the host had when it was registered at the Soffid server. |
| startDisabled | false | When it contains the value "true", Soffid ESSO will be started in disabled (or paused) state. Thus, it will not inject any user name or password into user applications. |
| MazingerVersion | | It contains the version number of Soffid ESSO. |
| sayaka.domain | | It contains the name of the Active Directory the workstation belongs to. |
| sayaka.pkcs11% | (reserved) | Each crypto card used by the user will have a corresponding entry indicating the name of the PKCS#11 DLL that can handle it. Do not modify. |
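A read-only audit of the entries in the table above, added here as an example and not part of Soffid's own tooling. Which values are reported for review is an assumption of this example (a strict baseline), and the sample values are constructed for when the key is absent.

```powershell
# Added example (not Soffid code): report ESSO registry values that relax the logon flow.
# Which values count as "review" is this example's assumption; adjust to your own baseline.
$EssoKey = 'HKLM:\SOFTWARE\Soffid\esso'

# Entry -> test on the string value, with the meaning taken from the table above.
$Checks = [ordered]@{
    LocalCardSupport     = @{ Test = { param($v) $v -eq '4' };    Why = 'never asks for coordinates card at local logon' }
    RemoteCardSupport    = @{ Test = { param($v) $v -eq '4' };    Why = 'never asks for coordinates card at remote logon' }
    LocalOfflineAllowed  = @{ Test = { param($v) $v -eq '1' };    Why = 'workstation usable with no synchronization server reachable' }
    RemoteOfflineAllowed = @{ Test = { param($v) $v -eq '1' };    Why = 'terminal server logon allowed with no synchronization server reachable' }
    debuglevel           = @{ Test = { param($v) $v -eq '2' };    Why = 'detailed logging is on' }
    ginalogFile          = @{ Test = { param($v) $v -ne '' };     Why = 'GINA action log is enabled' }
    startDisabled        = @{ Test = { param($v) $v -eq 'true' }; Why = 'ESSO starts paused and injects no credentials' }
}

function Get-EssoFinding {
    param([hashtable]$Settings)
    foreach ($name in $Checks.Keys) {
        $check = $Checks[$name]
        $value = [string]$Settings[$name]    # a missing entry becomes '' and is not reported
        if (& $check.Test $value) {
            [pscustomobject]@{ Entry = $name; Value = $value; Review = $check.Why }
        }
    }
}

$settings = @{}
if (Test-Path $EssoKey) {
    # Read every value under the key, whatever its registry type
    $key = Get-Item -Path $EssoKey
    foreach ($n in $key.GetValueNames()) { $settings[$n] = $key.GetValue($n) }
} else {
    # Constructed sample values, used only when the key is absent on this machine
    $settings = @{ LocalCardSupport = 4; RemoteOfflineAllowed = 1; debuglevel = 1; ginalogFile = ''; startDisabled = 'false' }
}

Get-EssoFinding -Settings $settings | Format-Table -AutoSize
```

With the constructed sample, the report lists LocalCardSupport and RemoteOfflineAllowed.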
Startup process
Enforcing browser addons
Modern browsers restrict enabling browser addons automatically without user intervention:
Google Chrome
The Google Chrome extension is enabled automatically, but this requires internet access, because Chrome downloads the addon directly from the Chrome store rather than using the locally installed version. This addon is compatible with Microsoft Edge.
Mozilla Firefox
There is a Mozilla Firefox group policy to automatically enable any extension. Follow this link to get it: https://github.com/mozilla/policy-templates/releases/download/v1.11/policy_templates_v1.11.zip
Alternatively, you can add the following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "esso@soffid.com"
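Setting the Firefox value above with PowerShell, as an added example that is not Soffid's own tooling. It assumes an elevated session, and it takes the next free numbered value instead of overwriting `1`, which another locked extension may already occupy.

```powershell
# Added example (not Soffid code). Run from an elevated PowerShell session.
# Firefox reads this policy list as numbered string values (1, 2, 3, ...);
# extensions in the Locked list cannot be disabled or removed by the user.
$LockedKey   = 'HKLM:\Software\Policies\Mozilla\Firefox\Extensions\Locked'
$ExtensionId = 'esso@soffid.com'

if (-not (Test-Path $LockedKey)) {
    # -Force also creates the missing parent keys
    New-Item -Path $LockedKey -Force | Out-Null
}

# Collect the values already present so existing entries are preserved
$item     = Get-Item -Path $LockedKey
$existing = @{}
foreach ($n in $item.GetValueNames()) { $existing[$n] = [string]$item.GetValue($n) }

if ($existing.Values -contains $ExtensionId) {
    "Already locked: $ExtensionId"
} else {
    # Find the first unused index rather than assuming 1 is free
    $i = 1
    while ($existing.ContainsKey("$i")) { $i++ }
    New-ItemProperty -Path $LockedKey -Name "$i" -Value $ExtensionId -PropertyType String | Out-Null
    "Locked $ExtensionId as value $i"
}
```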
Internet Explorer (deprecated)
There is also a group policy for Internet Explorer. Follow this Microsoft link to get it: https://docs.microsoft.com/es-es/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy
The GUID of Soffid ESSO group policy is {53252A52-D536-11DF-866D-5B82D67A00D1}