Author Archives: Kyle

Overview

IWA allows for SSO using the Operating System users credentials.

Prerequisites

LDAP users have been successfully populated from AD; if not please refer to the AD Configuration Guide.

Quick reference

  1. setspn -U -S HTTP/%noodle.domain.tld@DOMAIN.TLD %service_account
  2. Add Noodle to "Microsoft Internet Explorer > Tools > Internet Options > Security > Local intranet > Sites > Advanced"
  3. Use https://yourNoodle.tld/SPNEGO.po

Supported configurations

Browsers

Microsoft Internet Explorer, Mozilla Firefox, Google Chrome
Note: Microsoft Edge does not support this feature.

Protocols

Kerberos in SPNEGO in GSS-API (RFC 2478)
Note: NTLM, and NegoExts are not supported.

Endpoints

AD, Azure, and F5
Note: Others may work but have not been tested

Server configuration

Define the appropriate SPN for the account which Noodle is using to bind to LDAP.

  • Within the AD Users and Groups snap-in Navigate to Noodle’s service (admin) account and set the follow attribute:
    1. servicePrincipalName = HTTP/%noodle_url
    2. Apply the change
  • This may also be set via command line:
    1. setspn -U -S HTTP/%noodle.domain.tld@DOMAIN.TLD %service_account
  • For Windows server 2008R2 or older command line instead use
    1. setspn -A HTTP/%noodle.domain.tld %service_account

Note:

  • Logins from the AD Kerberos Server itself are not supported because Windows will attempt NTLM.
  • For local installs, non-primary domains can be used with IWA by placing “IgnoreIWADomain = true” into intranet.conf 

Browser configuration

The next step in enabling IWA requires browser configurations to attempt authentication with the Noodle intranet website.

Once the configuration is in place users will need to access Noodle via the SPNEGO.po URL (ie. https://yourNoodle.tld/SPNEGO.po).

The following section of this guide explains this process.

Microsoft Internet Explorer & Google Chrome

Both of these browsers are configured with Microsoft Internet Explorer in "Tools > Internet Options > Security > Local intranet". 

Note:  If a non-default level is in use be sure “Automatic logon only in Intranet zone” is selected in "the Custom Level".

Next we will need to add the URL of your Noodle instance in "Sites > Advanced".

Mozilla Firefox

Enter “about:config” in the address bar, press “Enter”, and click “I Accept the Risk” when prompted.

Next, search for “auth.trusted”, enter your Noodle URL in the attribute entitled “network.negotiate-auth.trusted-uris” and select OK.

At this point IWA should be fully operational for your Noodle Intranet site!

Overview

SAML allows for SSO using the Web Browser users credentials.

Noodle Prerequisites

If AD is being used, LDAP users should have already been populated within Noodle.

Quick reference

  1. Save your IdP URL and fingerprint in your SP (Noodle)
  2. Use https://yourNoodle.tld/SAML.po in your IdP settings and Web Browser.

Supported IdPs

Onelogin, Okta, and Azure
Note: Contact us for assistance integrating Other IdPs.

Noodle Configuration

In Noodle navigate to “System Tools > Settings > Single Sign-On”

Both URL & fingerprint will be supplied by your IdP vendor. Your IdP may provide an XML file which contains the URL and certificate, to convert the certificate into a SHA-1 fingerprint there are some online SAML tools:

  1. Format Certificate
  2. Calculate Fingerprint

IdP Configuration

Your IdP will require a location to direct SAML responses, use https://yourNoodle.tld/SAML.po.  Noodle will be compatible with the default settings of most IdPs.

onelogin

  1. Navigate to "Administration > Applications > Add App"
  2. Search for "SAML Test Connector (IdP)"
  3. setting tabs
    • Info (all optional)
    • Configuration
      • ACS (Consumer) URL Validator = .*
      • ACS (Consumer) URL = https://yourNoodle.tld/SAML.po
      • the rest can be left blank
    • Parameters
      • Configured by admin
        • NameID (fka Email) = Email
    • Rules (all optional)
    • SSO
      • X.509 Certificate = 2048-bit
        • View details will show the fingerprint
      • SAML Signature Algorithm = SHA-1
      • SAML 2.0 Endpoint (HTTP)
        • This is the URL to save in Noodle
    • Access (all optional)
    • Users (make sure you add some)
    • Privileges (all optional)