
Authentication options

Ryan Newington edited this page Jul 7, 2018 · 4 revisions

The Lithnet LAPS web app supports the following authentication protocols:

  • Windows authentication
  • WS-Federation (use with ADFS)
  • OpenID Connect

The authentication mechanism used is selected by the owin:appStartup key in the web.config file located in the root of the application folder. Only one owin:appStartup key may be active at a time; the others must be commented out.

Setting up Windows authentication

The LAPS web app is configured to use Windows authentication by default.

IIS settings

You must configure the IIS web site to disable anonymous authentication and enable Integrated Windows authentication. If anonymous authentication is left enabled, IIS will not challenge the browser for credentials and the app will not receive a Windows identity.

web.config settings

In the <appSettings> element of the web.config file, ensure that the owin:appStartup key is set as below, and all other owin:appStartup values are commented out.

<add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWindowsAuth" />

Setting up WS-Federation

If you have an ADFS server, you can use it to authenticate users. For step-by-step instructions, see the guide Setting up authentication with Active Directory Federation Services.

IIS settings

You must configure the IIS web site to enable anonymous authentication and disable Integrated Windows authentication. The sign-in is handled by the OWIN WS-Federation middleware rather than by IIS, so IIS must let the initial unauthenticated request through.

web.config settings

In the <appSettings> element of the web.config file, ensure that the owin:appStartup key is set as below, and all other owin:appStartup values are commented out.

<add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWsFederation" />
<add key="ida:wtrealm" value="https://laps.lithnet.local/" />
<add key="ida:metadata" value="https://adfs.lithnet.io/FederationMetadata/2007-06/FederationMetadata.xml" />

Configure the parameters as follows:

Parameter     Description
ida:wtrealm   The realm that identifies this application to ADFS. It must match the relying party identifier and reply URL you configure in ADFS. Replace 'laps.lithnet.local' with the correct hostname for your server, and keep the https scheme.
ida:metadata  The federation metadata URL of your ADFS instance. The app uses it to obtain the ADFS token-signing certificate and endpoints, so it must be reachable over https from the web server.

IdP settings

Your ADFS server must be configured to issue the User Principal Name (upn) claim for this relying party. Without it the app cannot map the signed-in user to an Active Directory account.

Setting up OpenID Connect

If you have an OpenID Connect provider, you can authenticate users with that service. For step-by-step instructions, see our guides.

IIS settings

You must configure the IIS web site to enable anonymous authentication and disable Integrated Windows authentication, as for WS-Federation: the OWIN OpenID Connect middleware performs the redirect-based sign-in, so IIS must accept the initial unauthenticated request.
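The IIS changes described for Windows authentication, WS-Federation and OpenID Connect are the same two switches flipped in opposite directions. The following PowerShell is an added example, not part of the Lithnet LAPS wiki or project; it assumes the WebAdministration module is installed (IIS Management Scripts and Tools), that it runs elevated, and that the app lives at the root of "Default Web Site" (pass -Location to change that). It sets both modules for the chosen mode and then reads them back so a mismatch fails loudly instead of showing up later as a login loop or a 401.

```powershell
# Added example (not from the Lithnet LAPS wiki or project). Switches IIS between
# the two authentication layouts this page describes and verifies the result.
# Assumptions: WebAdministration module present, elevated session, site name and
# application path as given by -Location (default "Default Web Site").
Import-Module WebAdministration

$AuthFilterBase = '/system.webServer/security/authentication'

function Get-LapsIisAuthentication {
    param([string]$Location = 'Default Web Site')
    [pscustomobject]@{
        Location         = $Location
        AnonymousEnabled = [bool](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                               -Filter "$AuthFilterBase/anonymousAuthentication" -Name enabled).Value
        WindowsEnabled   = [bool](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                               -Filter "$AuthFilterBase/windowsAuthentication" -Name enabled).Value
    }
}

function Set-LapsIisAuthentication {
    param(
        [Parameter(Mandatory)][ValidateSet('Windows', 'Federated')][string]$Mode,
        [string]$Location = 'Default Web Site'
    )

    # Windows:   anonymous off, Integrated Windows on (IIS challenges the browser).
    # Federated: anonymous on, Integrated Windows off (OWIN middleware redirects to
    #            ADFS or the OpenID Connect provider; IIS must pass the first request).
    $anonymous = ($Mode -eq 'Federated')
    $windows   = ($Mode -eq 'Windows')

    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthFilterBase/anonymousAuthentication" -Name enabled -Value $anonymous
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$AuthFilterBase/windowsAuthentication" -Name enabled -Value $windows

    # Read the settings back; a site left half-configured is the usual cause of
    # a redirect loop (both on) or a bare 401 (both off).
    $actual = Get-LapsIisAuthentication -Location $Location
    if ($actual.AnonymousEnabled -ne $anonymous -or $actual.WindowsEnabled -ne $windows) {
        throw "IIS authentication for '$Location' is not in the expected state: $($actual | Out-String)"
    }
    $actual
}

# Usage:
#   Set-LapsIisAuthentication -Mode Windows     # default layout for Windows authentication
#   Set-LapsIisAuthentication -Mode Federated   # before switching web.config to WS-Federation or OIDC
#   Get-LapsIisAuthentication -Location 'Default Web Site/laps'   # inspect an app under a virtual path
```

Run the IIS change and the web.config change together: a site with anonymous authentication enabled but ConfigureWindowsAuth still selected will serve pages without any identity, and the reverse combination will challenge for Windows credentials before the federated sign-in can start.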

web.config settings

In the <appSettings> element of the web.config file, ensure that the owin:appStartup key is set as below, and all other owin:appStartup values are commented out.

<add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect" />
<add key="oidc:ClientId" value="your-client-id" />
<add key="oidc:ClientSecret" value="your-client-secret" />
<add key="oidc:RedirectUri" value="https://laps.lithnet.local/" />
<add key="oidc:Authority" value="https://lithnet.okta.com" />

Configure the parameters as follows:

Parameter          Description
oidc:ClientId      The client ID issued to you by your OpenID Connect provider.
oidc:ClientSecret  The client secret issued to you by your OpenID Connect provider. It is stored in clear text in web.config, so restrict read access to the application folder to the IIS application pool identity and administrators.
oidc:RedirectUri   The URL the OpenID Connect provider should redirect back to once the user has logged in. It must match a redirect URI registered with the provider exactly, including the trailing slash. Replace laps.lithnet.local with your server hostname.
oidc:Authority     The base URL of the OpenID Connect provider (the issuer). The app reads the provider's discovery document from this address, so it must be reachable over https from the web server.

IdP settings

The OpenID Connect provider must support the hybrid flow (a response_type that includes id_token), and the id_token it issues must contain a 'upn' claim that matches the user's Active Directory user principal name.

Managing your web.config file

Always take a backup of your web.config file before and after making any changes. A malformed web.config file will stop your web site from loading. If this happens, check the event log for the specific details of the problem or roll back the file to a known-good version.

You should also keep a backup copy of your working web.config file. It is easy to accidentally overwrite it when deploying a new version of the web application.
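The appSettings rules stated above for all three modes (exactly one active owin:appStartup key, with the mode-specific keys present) and the warning that a malformed web.config stops the site from loading can both be checked before IIS is restarted. The script below is an added example, not part of the Lithnet LAPS wiki or project; the required-key list is taken from this page, while the placeholder-hostname check, the backup file naming and the constructed sample web.config are my assumptions.

```powershell
# Added example (not from the Lithnet LAPS wiki or project). Validates a LAPS
# web.config against the rules on this page and takes a timestamped backup.
# Assumptions: key names and startup class names as listed on this page; the
# placeholder-hostname check and backup naming are illustrative choices.

$RequiredKeys = @{
    'Lithnet.Laps.Web.Startup.ConfigureWindowsAuth'   = @()
    'Lithnet.Laps.Web.Startup.ConfigureWsFederation'  = @('ida:wtrealm', 'ida:metadata')
    'Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect' = @('oidc:ClientId', 'oidc:ClientSecret', 'oidc:RedirectUri', 'oidc:Authority')
}

function Test-LapsWebConfig {
    param([Parameter(Mandatory)][string]$Path)
    $problems = New-Object System.Collections.Generic.List[string]

    # A malformed file fails here with the parser's own message, before IIS ever sees it.
    try { $xml = [xml](Get-Content -Path $Path -Raw) }
    catch {
        return [pscustomobject]@{ Path = $Path; Mode = $null
                                  Problems = @("web.config is not well-formed XML: $($_.Exception.Message)") }
    }

    # Commented-out keys are XML comments, not elements, so they are not counted here.
    $startup = @($xml.SelectNodes("/configuration/appSettings/add[@key='owin:appStartup']"))
    if ($startup.Count -ne 1) {
        $problems.Add("expected exactly one active owin:appStartup key, found $($startup.Count)")
    }

    $mode = if ($startup.Count -ge 1) { $startup[0].value } else { $null }
    $keys = @()
    if ($mode -and $RequiredKeys.ContainsKey($mode)) { $keys = $RequiredKeys[$mode] }
    elseif ($mode) { $problems.Add("unknown owin:appStartup value '$mode'") }

    foreach ($key in $keys) {
        $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
        if (-not $node -or [string]::IsNullOrWhiteSpace($node.value)) {
            $problems.Add("missing or empty '$key' required for $mode")
        }
        elseif ($key -in 'ida:wtrealm', 'oidc:RedirectUri') {
            # The hostnames on this page are examples; the real value must be yours and must be https.
            if ($node.value -match 'laps\.lithnet\.local' -or $node.value -notmatch '^https://') {
                $problems.Add("'$key' still uses the placeholder hostname or is not https: $($node.value)")
            }
        }
    }

    [pscustomobject]@{ Path = $Path; Mode = $mode; Problems = $problems.ToArray() }
}

function Backup-LapsWebConfig {
    param([Parameter(Mandatory)][string]$Path)
    # Timestamped copy next to the original, so a known-good version survives a redeploy.
    $dest = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $dest
    $dest
}

# Constructed sample for a dry run (not a real deployment): WS-Federation is the only
# active startup key, and ida:metadata was deliberately left out so the check reports it.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- <add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWindowsAuth" /> -->
    <add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureWsFederation" />
    <add key="ida:wtrealm" value="https://laps.example.com/" />
    <!-- <add key="owin:appStartup" value="Lithnet.Laps.Web.Startup.ConfigureOpenIDConnect" /> -->
  </appSettings>
</configuration>
'@
$tmp = Join-Path $env:TEMP 'laps-sample-web.config'
Set-Content -Path $tmp -Value $sample
Test-LapsWebConfig -Path $tmp   # Problems: missing or empty 'ida:metadata' required for ...ConfigureWsFederation
```

Against a live deployment, run Backup-LapsWebConfig first, edit, then Test-LapsWebConfig on the edited file and only recycle the application pool when Problems is empty. Keep the backup copies outside the application folder if your deployment process replaces that folder wholesale.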