Snow Software License Manager is a great tool to manage your software assets (it's in the name), see where the risks are, and so on. Authentication can be done against a built-in user database or against your Active Directory, but what if you want to implement MFA (Multi-Factor Authentication)?

Snow can use several third-party federated authentication providers, such as ADFS, Azure AD or Salesforce, but the documentation lacks clarity on how to actually set this up. I've been struggling to implement the ADFS integration for some time and at last I succeeded. This manual should help you with the basic settings.

This manual assumes an SSL-secured (HTTPS) Snow URL!

  • First of all, follow the manual provided by Snow. It will help you to understand some settings but won't get you all the way. Follow the steps below to get it working!
  • I'll assume snow-url to be the URL at which you access Snow License Manager and adfs-url to be the URL of your local ADFS server(s).
  • Create a new snow.saml.config.xml in the SLM's Web directory with the following content:

      <?xml version="1.0"?>
      <Configuration>
        <ServiceProvider Name="https://snow-url"
          AssertionConsumerServiceUrl="https://snow-url/federatedsecurity/saml/signin"
          LocalCertificateThumbprint="certificate-thumbprint"
        />
        <Profiles>
          <Profile Name="http://adfs-url/adfs/services/trust"
            SignAuthnRequest="false"
            SignLogoutRequest="false"
            WantSAMLResponseSigned="false"
            WantAssertionSigned="false"
            WantAssertionEncrypted="false"
            WantLogoutResponseSigned="false"
            SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            SingleSignOnServiceUrl="https://adfs-url/adfs/ls/"
            SingleLogoutServiceUrl="https://adfs-url/adfs/ls/?wa=wsignout1.0"
            PartnerCertificateFile="Certificates\adfs-signing.cer"
          />
        </Profiles>
      </Configuration>

  • Some caveats:
    • The certificate-thumbprint at LocalCertificateThumbprint is the thumbprint of the certificate that secures your Snow URL.
    • The PartnerCertificateFile is the signing certificate of the ADFS server(s).
    • With WantSAMLResponseSigned="false" and WantAssertionSigned="false", Snow accepts the SAML response from ADFS without checking its signature. These values get the trust working; once SSO works, test with both set to "true" so that only responses signed by the certificate in PartnerCertificateFile are accepted.
  • Copy the ADFS signing certificate to the Certificates subfolder relative to the SLM's Web folder
  • In the SLM Web folder, change the following keys in the appSettings section of web.config (make a backup of this file first for rollback purposes):

      <add key="UseWindowsAuthentication" value="false" />
      <add key="UseFederatedAuthentication" value="true" />
      <add key="SamlConfigFile" value="snow.saml.config.xml" />

  • Export the XML file used to create the ADFS trust from the following URL:
    • https://snow-url/federatedsecurity/saml/export
    • In the exported file, change both SingleLogoutService entries and the AssertionConsumerService entry to reflect your own Snow URL, as described in the manual:
      • Replace both "TODO: URL of SLO service endpoint" placeholders with https://snow-url/federatedsecurity/saml/signout
      • Replace "TODO: URL of assertion consumer service endpoint" with https://snow-url/federatedsecurity/saml/signin
  • Import the altered XML into the ADFS configuration to create a Relying Party Trust and add the correct Claim Issuance Policy. Add a ‘Send LDAP Attributes as Claims’ Claim rule, attribute store Active Directory, with the following claim types:
    • User Principal Name ► Name ID
    • E-Mail-Addresses ► E-Mail Address
    • Given-Name ► Given Name
    • Surname ► Surname
  • If required, add the appropriate ADFS Access Control Policy to enforce MFA.
  • Reset IIS from an elevated prompt with iisreset.
  • Add a new user to Snow using the Snow Management and Configuration Center (SMACC). The User Name should be the UPN of the AD user.

After these steps Snow with SSO and MFA should work, at least it does for me.

Local login is still possible via https://snow-url/pages/login.aspx?ForceLocalLogon=true

Important!

Be aware of the encoding (codepage) you use when saving snow.saml.config.xml and web.config! If they are saved with the wrong encoding, SSO and MFA won't work. If this is the case, copy the content of these files into a new Notepad (or Notepad++) window and save it under the same names in a different location. Then rename the old files and copy the newly created ones into place.
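The config-file steps above (creating snow.saml.config.xml, editing the appSettings keys in web.config) and this encoding note are the parts that are easiest to get wrong by hand. The following PowerShell script is an added example, not code from this post or from Snow Software: run it on the SLM server from an elevated prompt and it writes both files with an explicit encoding, backs up web.config, checks the result and restarts IIS. It assumes the SLM Web folder path given as the $SlmWeb default and that UTF-8 without a byte-order mark is the encoding Snow expects (the post only says that the wrong one breaks SSO); snow-url, adfs-url and the certificate thumbprint are passed in as parameters.

```powershell
# Added example (not from the original post or from Snow Software).
# Writes snow.saml.config.xml and patches web.config using an explicit
# encoding, then sanity-checks both files before restarting IIS.
# Assumptions: the default $SlmWeb path, and that UTF-8 without a BOM is the
# encoding Snow expects. Run from an elevated prompt on the SLM server.
param(
    [Parameter(Mandatory)][string]$SnowUrl,      # the snow-url host from the post
    [Parameter(Mandatory)][string]$AdfsUrl,      # the adfs-url host from the post
    [Parameter(Mandatory)][string]$Thumbprint,   # LocalCertificateThumbprint
    [string]$SlmWeb = 'C:\inetpub\wwwroot\SnowLicenseManager'   # assumed path
)

$utf8NoBom = New-Object System.Text.UTF8Encoding($false)

# Thumbprints pasted from the certificate MMC often carry spaces or a hidden
# left-to-right mark; keep only hex digits and insist on the expected length.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "LocalCertificateThumbprint must be 40 hex characters, got '$Thumbprint'"
}
# Snow signs with this certificate, so it has to be in the machine store.
if (-not (Test-Path "Cert:\LocalMachine\My\$Thumbprint")) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
}

# 1. snow.saml.config.xml, same content as in the post with the values filled in.
$samlConfig = @"
<?xml version="1.0"?>
<Configuration>
  <ServiceProvider Name="https://$SnowUrl"
    AssertionConsumerServiceUrl="https://$SnowUrl/federatedsecurity/saml/signin"
    LocalCertificateThumbprint="$Thumbprint"
  />
  <Profiles>
    <Profile Name="http://$AdfsUrl/adfs/services/trust"
      SignAuthnRequest="false"
      SignLogoutRequest="false"
      WantSAMLResponseSigned="false"
      WantAssertionSigned="false"
      WantAssertionEncrypted="false"
      WantLogoutResponseSigned="false"
      SingleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      SingleSignOnServiceUrl="https://$AdfsUrl/adfs/ls/"
      SingleLogoutServiceUrl="https://$AdfsUrl/adfs/ls/?wa=wsignout1.0"
      PartnerCertificateFile="Certificates\adfs-signing.cer"
    />
  </Profiles>
</Configuration>
"@
$samlPath = Join-Path $SlmWeb 'snow.saml.config.xml'
[System.IO.File]::WriteAllText($samlPath, $samlConfig, $utf8NoBom)

# 2. web.config: back it up, then set the three appSettings keys from the post.
$webConfigPath = Join-Path $SlmWeb 'web.config'
Copy-Item $webConfigPath ("$webConfigPath.bak-" + (Get-Date -Format 'yyyyMMddHHmmss'))

$webConfig = New-Object System.Xml.XmlDocument
$webConfig.PreserveWhitespace = $true          # keep the file's layout for readable diffs
$webConfig.Load($webConfigPath)
$appSettings = $webConfig.SelectSingleNode('/configuration/appSettings')
if ($null -eq $appSettings) { throw 'web.config has no <appSettings> section' }

$required = [ordered]@{
    UseWindowsAuthentication   = 'false'
    UseFederatedAuthentication = 'true'
    SamlConfigFile             = 'snow.saml.config.xml'
}
foreach ($key in $required.Keys) {
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if ($null -eq $node) {                      # key missing: add it
        $node = $webConfig.CreateElement('add')
        $node.SetAttribute('key', $key)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $required[$key])
}
$writerSettings = New-Object System.Xml.XmlWriterSettings
$writerSettings.Encoding = $utf8NoBom           # explicit encoding on save
$writer = [System.Xml.XmlWriter]::Create($webConfigPath, $writerSettings)
$webConfig.Save($writer)
$writer.Close()

# 3. Check before touching IIS: no byte-order mark, and both files still parse.
foreach ($file in @($samlPath, $webConfigPath)) {
    $b = [System.IO.File]::ReadAllBytes($file)
    $hasBom = ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) -or
              ($b.Length -ge 2 -and $b[0] -eq 0xFE -and $b[1] -eq 0xFF) -or
              ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF)
    if ($hasBom) { throw "$file starts with a byte-order mark; re-save it as UTF-8 without BOM" }
    [void][xml][System.IO.File]::ReadAllText($file)   # throws on malformed XML
}

iisreset
```

The ADFS signing certificate still has to be copied to the Certificates subfolder by hand, and the relying party trust and claim rules are created on the ADFS side as described above; the script only covers what happens on the SLM server. If the check in step 3 fails on a file you edited by hand, that is the encoding problem from the note above.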
