Integrate ISAPI Filter with Identity as a Service

The ISAPI Filter solution uses Entrust IdentityGuard to provide strong second-factor authentication to Microsoft Outlook Web Access (OWA), Remote Desktop Web Access (RD Web Access), Integrated Windows Authentication (IWA), SharePoint, and generic TMG forms-based authentication types. The solution is made up of two components: the filter component and the authentication application component.

You can use the ISAPI Filter with the Entrust IdentityGuard authentication methods to allow only valid users access to a Web application. See the Entrust ISAPI Filter 12.0 SP2 Technical Integration Guide for more information.

Users logging in to ISAPI must complete two authentication challenges. First-factor authentication requires one of the ISAPI default authentication methods (such as entering an ISAPI account password). Second-factor authentication requires completing an Identity as a Service authentication challenge.

To support this, the Identity as a Service resource rule for this application must have Skip Password selected as the first-factor authentication type for every Authentication Decision level. The following authenticators are supported for second-factor authentication:

One-time password

Grid

Temporary Access Code

Knowledge-based authentication

Note: This integration guide provides the instructions to add a legacy version of the Entrust IdentityGuard ISAPI Filter to Identity as a Service. For the new Identity as a Service ISAPI Filter that includes an installer to install the Identity as a Service plug-in, see the instructions in Integrate IDaaS ISAPI Filter.

Add ISAPI Filter

In Identity as a Service, do the following:

Create a gateway.

Configure the gateway.

Add a gateway instance.

Export the Gateway SSL certificate.

Note: See the section Manage Gateways in the Administrator Help for instructions if you need to complete these steps.

Copy the Subject Distinguished Name (SDN) to a separate location. You need it in step 6.

On the Entrust IdentityGuard ISAPI Filter Application Server, if the domain name in the gateway instance fails, add the IP address of the appliance and the domain name to the hosts file of the Entrust IdentityGuard ISAPI Filter application. The hosts file is located at: C:\Windows\System32\drivers\etc\hosts.

Import the gateway SSL certificate into the Entrust IdentityGuard ISAPI Filter server certificate store.

Access your computer's Search tool.

Enter or select Run. The Run dialog box appears.

Enter mmc and click OK. The Console Root page appears.

Select File > Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

Select Certificates from the Available snap-ins panel and click Add. Another pop-up window appears.

Select Computer account when prompted, and click Next.

Select Local Computer.

Click Finish and OK.

Expand the Certificates field and the Trusted Root Certificates folder in the left Console Root panel.

Right-click the Certificates folder. Select All Tasks > Import. The Certificate Import Wizard appears.

Click Next, browse to the certificate previously downloaded, and open the file.

Click Next, Next, and Finish to complete the import. The certificate details appear in the console.

Add the following tag to the <IdentityGuardServer> section in the IdentityGuardAuthAppConfiguation.xml file to point the ISAPI Filter to your Identity as a Service domain:

<AuthenticationService url="https://domain:8443/IdentityGuardAuthService/services/AuthenticationServiceV11" />

See the Entrust IdentityGuard ISAPI Filter Technical Integration Guide for more details.

Open Windows Services on the computer and restart the World Wide Web Publishing Service.

Add Entrust IdentityGuard ISAPI Filter to Identity as a Service.

Add Entrust IdentityGuard Desktop for Windows to Identity as a Service

Click > Security > Applications. The Applications Lists page appears.

Click Add. The Select an Application Template page appears.

Do one of the following:

Select Identity as a Service Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

Click ISAPI Filter. The Add ISAPI Filter page appears.

Optional: Modify the Application Name or Application Description.

Optional: Add a custom application logo.

Click next to Application Logo. The Upload Logo dialog box appears.

Click to select an image file to upload.

Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

If required, resize your image.

Click OK.

Click Next. The Setup page appears.

Enter the host name or the IP address of the ISAPI Filter server.

From the Select IdentityGuard agent drop-down list, select the gateway instance containing the Entrust IdentityGuard agent.

Click Submit.

Add a resource rule.

Note: For the Authentication Decision settings, set the first-factor to Skip first-factor for low, medium, and high risk.
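The server-side steps above (hosts entry, certificate import, AuthenticationService URL, service restart) can be scripted and checked from an elevated PowerShell prompt. This is an added example, not part of the Entrust guide: the certificate path, expected Subject DN, install directory and the helper name Normalize-Dn are assumptions to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example. The three values below are placeholders (assumptions).
$CertPath    = 'C:\Temp\idaas-gateway.cer'   # exported gateway SSL certificate
$ExpectedSdn = 'CN=gateway.example.com'      # Subject DN copied from Identity as a Service
$ConfigPath  = 'C:\<install-dir>\IdentityGuardAuthAppConfiguation.xml'  # file name as given in the guide

# Hypothetical helper: compare DNs without regard to case or spacing after commas.
function Normalize-Dn([string]$dn) { ($dn -replace '\s*,\s*', ',').Trim().ToLowerInvariant() }

# 1. Inspect the file before trusting it: the subject must be the SDN you copied.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
if ((Normalize-Dn $cert.Subject) -ne (Normalize-Dn $ExpectedSdn)) {
    throw "Subject '$($cert.Subject)' does not match expected '$ExpectedSdn'"
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Import into the Local Computer Trusted Root store (same target as the MMC steps).
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) { throw 'Import failed' }

# 3. Read the AuthenticationService URL from the configuration file and require HTTPS.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$node = $cfg.SelectSingleNode("//*[local-name()='AuthenticationService']")
if (-not $node) { throw 'AuthenticationService tag not found' }
$url = [uri]($node.GetAttribute('url').Trim())
if ($url.Scheme -ne 'https') { throw "Expected an https URL, found '$url'" }

# 4. Name resolution (DNS or the hosts file entry) must succeed on this server.
$null = [System.Net.Dns]::GetHostAddresses($url.Host)

# 5. TLS handshake with default validation: throws if the chain is untrusted
#    or the certificate name does not match the host in the URL.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $url.Host, $url.Port
try {
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($tcp.GetStream())
    $ssl.AuthenticateAsClient($url.Host)
    Write-Output "TLS validated for $($url.Host):$($url.Port), peer subject: $($ssl.RemoteCertificate.Subject)"
} finally { $tcp.Close() }

# 6. Restart the World Wide Web Publishing Service so the filter reloads its configuration.
Restart-Service -Name W3SVC
```

A failure at step 5 after a successful import usually means the host name in the URL does not match the certificate, which the hosts file entry must also respect.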