
    Microsoft IIS/SharePoint Authentication API Proxy

    Proxy Client Service w/ Trusted Peer Access Using OAuth2

    Copyright © Mindbreeze GmbH, A-4020 Linz, 2020.

     



    Preparation

    The following settings from the Keycloak server and the Mindbreeze Client Service are needed to configure the IIS authentication proxy.

    Keycloak Server Configuration

    OAuth Endpoint: https://keykloakserver/auth/realms/master/protocol/openid-connect/token

    Client-ID: iis-client


    Client-Secret:

    Username: iis-client-user

    User Role: InSpire Application Impersonation

    Client Service Configuration

    Configure the Mindbreeze Client Service “Trusted Peer Access Using OAuth 2.0 Bearer Token” section using the settings above.


    Microsoft IIS Configuration

    Add the OAuthProxy handler type declaration to the configuration/system.webServer/handlers node inside the web.config file of your web application.

    <configuration>
        <system.webServer>
            <handlers>
                <add name="OAuthProxy"
                     path="/_api_mindbreezeinspire"
                     verb="*"
                     type="Mindbreeze.ResourceProxy.OAuthProxy"
                     resourceType="Unspecified"
                     preCondition="integratedMode" />
            </handlers>
        </system.webServer>
    </configuration>

    Add the ProxyConfig configuration section declaration to the configuration/configSections node.

    <configuration>
        <configSections>
            <sectionGroup name="Mindbreeze">
                <section name="ProxyConfig"
                         type="Mindbreeze.ResourceProxy.ProxyConfig"
                         allowLocation="true"
                         allowDefinition="Everywhere" />
            </sectionGroup>
        </configSections>
    </configuration>

    Add the configuration section itself to the configuration node.

    <configuration>
        <Mindbreeze>
            <ProxyConfig logFile="c:\temp\resource_proxy.log" logLevel="Error">
                <ServerUrl url="<clienservice url>"
                           oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
                           username="iis-client-user"
                           password="<password>"
                           clientId="iis-client"
                           clientSecret="<clientsecret>"
                           disableSSLValidation="false"
                           includeClaimTypesPattern=".*" />
            </ProxyConfig>
        </Mindbreeze>
    </configuration>

    Copy Mindbreeze.ResourceProxy.dll and its dependencies into the bin directory of your web application and restart the web application from IIS Manager. The resource proxy forwards every HTTP request matching <IIS web application URL>/_api_mindbreezeinspire/path/and/?query to <Client Service URL>/path/and/?query, passing along the name of the IIS-authenticated user and an OAuth token obtained from the Keycloak server to the Mindbreeze Client Service.
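    As an added example (not the Mindbreeze proxy's own code), the following Python models the two steps the handler performs for a proxied request: obtaining and caching an access token from the Keycloak endpoint listed under Preparation, and rewriting the request URL before it is forwarded together with the token and the IIS user name. The password grant type, the X-Authenticated-User header name and the injected transport callback are assumptions, not details taken from the product.

```python
# Added example, not code from the Mindbreeze proxy: models the two steps the handler
# performs for a forwarded request, using the settings from the Preparation section.
# Assumptions: the token is obtained with the OAuth2 password grant, the IIS user name
# is passed in a header called X-Authenticated-User, and the HTTP transport is injected.
import json
import time
from urllib.parse import urlencode, urlsplit, urlunsplit

TOKEN_ENDPOINT = "https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
PROXY_PREFIX = "/_api_mindbreezeinspire"


def token_request_body(username, password, client_id, client_secret):
    """Form-encoded body of an OAuth2 password grant for the iis-client credentials."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret,
                      "username": username, "password": password})


class TokenCache:
    """Reuses the access token until shortly before it expires, then requests a new one."""

    def __init__(self, transport, username, password, client_id, client_secret,
                 skew=30, clock=time.time):
        self._transport = transport  # callable(url, body) -> JSON response text (assumed)
        self._body = token_request_body(username, password, client_id, client_secret)
        self._skew, self._clock = skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            data = json.loads(self._transport(TOKEN_ENDPOINT, self._body))
            self._token = data["access_token"]
            self._expires_at = now + float(data["expires_in"])
        return self._token


def rewrite_url(request_url, client_service_url):
    """Map <IIS app URL>/_api_mindbreezeinspire/path?query to <Client Service URL>/path?query."""
    req = urlsplit(request_url)
    _, found, tail = req.path.partition(PROXY_PREFIX)
    if not found or (tail and not tail.startswith("/")):
        raise ValueError("request path is not under " + PROXY_PREFIX)
    target = urlsplit(client_service_url)
    return urlunsplit((target.scheme, target.netloc,
                       target.path.rstrip("/") + (tail or "/"), req.query, ""))


def forward_headers(token, iis_user):
    """Headers added to the forwarded request (the user header name is a placeholder)."""
    return {"Authorization": "Bearer " + token, "X-Authenticated-User": iis_user}
```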


    Encrypted Microsoft IIS Configuration

    Before encrypting the configuration section, make sure that the IIS anonymous machine users (IUSR and IIS_IUSRS) have write permission on the key container directory C:\ProgramData\Microsoft\Crypto\RSA\Crypto\RSA. Then run aspnet_regiis.exe, passing as parameter a directory (c:\tempDir) that contains a web.config file holding only the ProxyConfig node. Note that in this temporary web.config file, ProxyConfig must not be nested inside the Mindbreeze node.

    <configuration>
        <ProxyConfig logFile="c:\temp\resource_proxy.log" logLevel="Error">
            <ServerUrl url="<clienservice url>"
                       oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
                       username="iis-client-user"
                       password="<password>"
                       clientId="iis-client"
                       clientSecret="<clientsecret>"
                       disableSSLValidation="false"
                       includeClaimTypesPattern=".*" />
        </ProxyConfig>
    </configuration>

    For example:

    C:\Windows\Microsoft.NET\Framework\v4.0.30319>aspnet_regiis.exe -pef "ProxyConfig" "C:\tempDir"
    Microsoft (R) ASP.NET RegIIS version 4.0.30319.0
    Administration utility to install and uninstall ASP.NET on the local machine.
    Copyright (C) Microsoft Corporation.  All rights reserved.
    Encrypting configuration section...
    Succeeded!

    After encryption, replace the ProxyConfig node inside the Mindbreeze node of your application's web.config file with the encrypted ProxyConfig node.

    <configuration>
        <Mindbreeze>
            <ProxyConfig configProtectionProvider="RsaProtectedConfigurationProvider">
                <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                               xmlns="http://www.w3.org/2001/04/xmlenc#">
                    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
                    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
                            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                <KeyName>Rsa Key</KeyName>
                            </KeyInfo>
                            <CipherData>
                                <CipherValue>Fn6+756cE682pfJD0Eei4jSyOdoiIb1U6XYYbVYCjfw38EZwFGSDFDlbNUe0KVFUgZcGTYw/1aRZRnsR/vrJb9q0c3IRlDYWC9HRolnmBDXna5uZwBkdnD+FYQzc8xMZ9PKoaNjoU645iQNbmdS/6d/QWquQ4ijktdhJJmy0S/kOzyNFvP++DZLnRxl1ML0O7u/RZDVUQacCi623xJQhmbhdrCNnsnvOyjEGOjUS0kWlOpUXAfwJtO9GMJhAWPz9JuIxJxLC/tEtssy+Hf69DVUlyUhwKa/8cKLgwDEM3z0Udt1FaQT7n7htdzVaQbdb3nqrEyvs7ShogfSzWtAezA==</CipherValue>
                            </CipherData>
                        </EncryptedKey>
                    </KeyInfo>
                    <CipherData>
                        <CipherValue>...</CipherValue>
                    </CipherData>
                </EncryptedData>
            </ProxyConfig>
        </Mindbreeze>
    </configuration>

    Installation on Microsoft SharePoint Server

    On a SharePoint server, the authentication proxy can be installed for all SharePoint web applications with the stsadm tool, using a supplemental web.config file (webconfig.mindbreeze.xml) in the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG directory. The ProxyConfig node should already be encrypted so that this does not have to be done for each web application afterwards. Run the following command from the SharePoint Management Shell.

    stsadm -o copyappbincontent

    Mindbreeze supplemental web.config file:

    <actions>
        <remove path="configuration/system.webServer/handlers/add[@name='OAuthProxy']"/>
        <add path="configuration/system.webServer/handlers">
            <add name="OAuthProxy"
                 path="/_api_mindbreezeinspire"
                 verb="*"
                 type="Mindbreeze.ResourceProxy.OAuthProxy"
                 resourceType="Unspecified"
                 preCondition="integratedMode" />
        </add>
        <remove path="configuration/configSections/sectionGroup[@name='Mindbreeze']" />
        <add path="configuration/configSections">
            <sectionGroup name="Mindbreeze">
                <section name="ProxyConfig"
                         type="Mindbreeze.ResourceProxy.ProxyConfig"
                         allowLocation="true"
                         allowDefinition="Everywhere"/>
            </sectionGroup>
        </add>
        <remove path="configuration/Mindbreeze"/>
        <add path="configuration">
            <Mindbreeze>
                <ProxyConfig logFile="c:\temp\proxy.log" logLevel="Error">
                    <ServerUrl url="<clienservice>"
                               oauth2Endpoint="https://keykloakserver/auth/realms/master/protocol/openid-connect/token"
                               username="iis-client-user"
                               password="<password>"
                               clientId="iis-client"
                               clientSecret="<clientsecret>"
                               disableSSLValidation="false"
                               includeClaimTypesPattern=".*"/>
                </ProxyConfig>
            </Mindbreeze>
        </add>
    </actions>
