Web TimeSheet Application Note

Setting up a SAML Identity Provider

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication
data between a service provider (such as Web TimeSheet) and an identity provider. SAML allows users
to employ web browser single sign-on, and is typically used as an enterprise-level identity management
solution.

Web TimeSheet supports SAML 1.1 only.

To set up your identity provider and enable SAML in Web TimeSheet:

A. Extract the SAML identity provider files

1. Obtain the SAMLIdentityProvider.zip file from Replicon Support.
2. Extract the zip file. We recommend extracting to this location: C:\Program Files\Replicon
Inc\SAML Identity Provider.

B. Set up IIS
1. Create a new IIS virtual directory pointing to the folder created in Step A.
Give the directory read and execute permissions, and name it. We recommend naming it SAML.
2. Create an IIS application called SAML. To do this:
In IIS 6.0, right-click the SAML directory and select Properties. On the Virtual Directory
tab, click the Create button located in the Application settings area. Select OK.
In IIS 7.0, right-click the SAML directory and select Convert to Application, and select
OK.

In IIS 5.0, the application is created by default.

3. Select authentication settings:

In IIS 5.0 or 6.0:
a. Right-click the Default.aspx file in the SAML application you created, and select
Properties.
b. On the File Security tab, select Edit
c. On the Authentication Methods page that displays, disable anonymous access,
and ensure Integrated Windows Authentication is the only option enabled.
In IIS 7.0:
a. Select the SAML application, select the Content View, right-click the
Default.aspx file, select Switch to Features View.
b. From the Default.aspx Home (Features View), select Authentication.
c. Right-click each item that displays: enable Windows Authentication, and
disable all the other authentication types.

C. Set up the Identity Provider

1. Open the directory to which you extracted SAMLIdentityProvider.zip in Step A.
2. Open the Web.config file in a text editor, such as Notepad.

Web TimeSheet Application Note, Setting Up a SAML Identity Provider Page 1 of 2

Copyright 2009 Replicon, Inc. April 24, 2009
 Find the following line of code:

<add key="ServiceProviderURL" value="http://service.url/path/saml.ashx" />

3. Modify the line to include your Web TimeSheet installations URL:

If you are using our hosted solution, it should use this format:
<add key="ServiceProviderURL"
value="http://hosted.webtimesheet.com/YourCompanyName/saml.ashx" />

If you are using internal web server, it should use this format:
<add key="ServiceProviderURL"
value="http://YourWebTimesheetServerName:port/Timesheet/saml.ashx" />

If you are using IIS, it should use this format:

<add key="ServiceProviderURL"
value="http://YourWebTimesheetServerName/cgi/rt.dll/TimeSheet/saml.ashx" />
4. In the directory to which you extracted SAMLIdentityProvider.zip in Step A:
a. Open the bin sub-directory.
b. Run Replicon.Security.CertificateGenerator.exe.
It will create two new files in that sub-directory: private.pfx and public.cer

D. Set up Web TimeSheet

1. Log in to Web Timesheet.
2. Select Administration from the top menu.
3. Select System > System Preferences from the side menu.
4. Check Enable SAML Authentication. Two additional options will display.
SAML transfer URL
In this field, enter the full URL to the virtual directory you created in Step C. This URL
must include the 'target' parameter. It should look something like this:
http://YourSAMLComputerName/SAML?target={0}
SAML public key
In this field, upload the public.cer file from the bin directory you generated in Step C.
5. Select Save.

E. Create Users
1. Create users in Web TimeSheet whose user names match their Windows user names.
2. Set each users Authentication Method to SAML in their user profile.
These users can log in to Web TimeSheet normally using this URL:

http://<YourSAMLComputerName>/SAML

In most cases, users will be automatically logged in to Web TimeSheet. However, some browsers
do not forward Windows credentials automatically, and others can be configured not to, so users
may still be prompted for their user name and password when logging in.

Web TimeSheet Application Note, Setting Up a SAML Identity Provider Page 2 of 2

Copyright 2009 Replicon, Inc. April 24, 2009