How To Setup

Before you can enable Totalview Authentication you must install it on your host.

Add to IIS (Internet Information Services)

  1. If you don’t have the .NET Core 3.1 Hosting Bundle installed, download and install it from https://dotnet.microsoft.com/download/dotnet-core/3.1

  2. Open IIS, right click Application Pools, select Add Application Pool.

  3. Set these values and click save

    1. Name: AuthenticationAppPool

    2. .NET CLR Version: No Managed Code

    3. Managed pipeline mode: Integrated

    4. Start application pool immediately [x]

  4. Find the created Application Pool. Right Click on it and select advanced settings.

    1. Find Start Mode, and set it to AlwaysRunning and click save

    2. Find Load User Profile, and set it to True and click save

  5. Under Sites, find the Totalview site (the site where reports and other Totalview-related components are installed; it might be Default Web Site)

  6. Right click on that site and select “Add Application”

  7. Set these values and click ok

    1. Alias: Authentication

    2. Application pool: AuthenticationAppPool

    3. Physical path: TotalviewInstallationFolder\TotalviewAuthentication (This might not be correct, verify that this is in your Totalview folder)

    4. Enable Preload [x]

  8. Go to the physical folder of Totalview Authentication at TotalviewInstallationFolder\TotalviewAuthentication

  9. Right click somewhere on the whitespace (not a file or folder) and click Properties.

  10. Go to Security -> Edit -> Add

    1. Set Location to be the current computer (not the domain)

    2. Enter name to be IIS AppPool\AuthenticationAppPool

    3. Click OK

  11. Keep the default permissions. These should be:

    1. Read & execute [x]

    2. List folder contents [x]

    3. Read [x]

  12. Right click on the folder Logs and select Properties -> Security -> Edit.

    1. Find the AuthenticationAppPool and add the permission Write
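
The folder permissions from steps 10 to 12 can be checked from PowerShell once they are set. This is an added example, not part of the original guide; the function name and parameters are hypothetical, and it only inspects ACL entries that name the app pool identity directly (not rights gained through groups).

```powershell
# Added example: audit the ACL layout from steps 10-12.
# Expected: Read & execute on the application folder, Write only on Logs.
function Test-AuthFolderAcl {
    param(
        [Parameter(Mandatory)][string]$AuthFolder,   # ...\TotalviewAuthentication
        [string]$Identity = 'IIS AppPool\AuthenticationAppPool'
    )
    $R = [System.Security.AccessControl.FileSystemRights]
    # Rights that let the identity change content or permissions.
    $mutating = [int]($R'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    $readExec = [int]$R::ReadAndExecute
    $write    = [int]$R::Write

    # Collect the rights granted by Allow entries naming the identity.
    function Get-AllowedRights([string]$Path) {
        $bits = 0
        foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
            if ($rule.IdentityReference.Value -eq $Identity -and
                $rule.AccessControlType -eq 'Allow') {
                $bits = $bits -bor [int]$rule.FileSystemRights
            }
        }
        return $bits
    }

    $findings = @()
    $root = Get-AllowedRights $AuthFolder
    if (($root -band $readExec) -ne $readExec) {
        $findings += "$Identity lacks Read & execute on $AuthFolder"
    }
    if (($root -band $mutating) -ne 0) {
        $findings += "$Identity can modify $AuthFolder (expected read-only)"
    }

    $logs = Join-Path $AuthFolder 'Logs'
    if (-not (Test-Path -LiteralPath $logs)) {
        $findings += "Logs folder not found under $AuthFolder"
    } elseif (((Get-AllowedRights $logs) -band $write) -ne $write) {
        $findings += "$Identity lacks Write on $logs"
    }
    return $findings   # empty result means the layout matches the guide
}

# Usage (path is a placeholder):
# Test-AuthFolderAcl -AuthFolder 'TotalviewInstallationFolder\TotalviewAuthentication'
```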

Update the Totalview database

  1. Find the script CreateConfigurationTables.sql in your TotalviewInstallationFolder\TotalviewAuthentication\SqlScripts\CreateConfigurationTables.sql

  2. Find the script CreatePersistedGrantTables.sql in your TotalviewInstallationFolder\TotalviewAuthentication\SqlScripts\CreatePersistedGrantTables.sql

  3. Login to the Totalview Database using your management tool of choice and execute these scripts

  4. Open TotalviewAuthentication appsettings.json found in TotalviewInstallationFolder\TotalviewAuthentication\appsettings.json

  5. Set the “ConnectionStrings:DefaultConnection” and “ConnectionStrings:IdentityServerConnection” to point to the Totalview Database

Add required clients and resources to the database

  1. Find the script AddClientsAndResources.sql in your TotalviewInstallationFolder\TotalviewAuthentication\SqlScripts\AddClientsAndResources.sql

  2. Login to the Totalview Database using your management tool of choice and execute this script

  3. If needed, update the redirect URIs and post-logout redirect URIs for the relevant clients

    1. Update the Admin Web client by running the following query with your own URIs (e.g. https://someCompany.totalview.cloud/Admin)

      update ClientRedirectUris set RedirectUri = '[INSERT URL HERE]/signin-oidc' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-public-admin')
      update ClientPostLogoutRedirectUris set PostLogoutRedirectUri = '[INSERT URL HERE]/signout-callback-oidc' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-public-admin')
      
    2. Update Reports by running the following query with your own URIs (e.g. https://someCompany.totalview.cloud/Admin)

      update ClientRedirectUris set RedirectUri = '[INSERT URL HERE]/authorization-code/callback' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-reports')
      update ClientPostLogoutRedirectUris set PostLogoutRedirectUri = '[INSERT URL HERE]' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-reports')
      

NB! Verify that there are no other clients that should update their redirect URIs or post-logout redirect URIs.

Create a self signed signing certificate

  1. Open PowerShell as admin and run this command. (NB: if running multiple instances of Totalview on the same machine, change the Subject and FriendlyName to reflect the instance)

    1. Alternatively, you can create the certificate on any computer, then export it and import it on the Totalview Server

    2. IMPORTANT! Import it directly into LocalComputer -> Personal

      New-SelfSignedCertificate -Subject "CN=TotalviewIdentityServerSigningCertificate" -FriendlyName "TotalviewIdentityServerSigningCertificate" -KeyExportPolicy Exportable -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3') -KeySpec Signature -HashAlgorithm SHA256 -KeyLength 2048 -CertStoreLocation "cert:\LocalMachine\My"
      
  2. Open TotalviewAuthentication appsettings.json found in TotalviewInstallationFolder\TotalviewAuthentication\appsettings.json

  3. Copy the ThumbPrint and insert it into “IdentityServer:SigningCertificateThumbPrint”.

  4. Open the Certificate store “LocalComputer – Personal – Certificates”.

  5. Allow Authentication to use the private key of the new certificate

    1. Find the newly created certificate called “TotalviewIdentityServerSigningCertificate”.

    2. Right click on it, select All Tasks, then Manage Private Keys…

    3. Click Add

    4. Set Location to be the current computer (not the domain)

    5. Enter name to be IIS AppPool\AuthenticationAppPool

    6. Click OK

    7. Just leave the permissions as is

      1. Full Control [x]

      2. Read [x]

    8. Click OK

  6. Copy the newly created certificate to “LocalComputer – Trusted Root Certification Authority – Certificates”.

Update Configuration

  1. Open TotalviewAuthentication appsettings.json found in TotalviewInstallationFolder\TotalviewAuthentication\appsettings.json

  2. If you have Totalview Portal available, set “App:TotalviewPortalAddress” to that address (e.g. https://someCompany.totalview.cloud)

  3. Set TotalviewMobilAddress to the address users use to log in with their mobile client (e.g. https://someCompany.totalview.cloud)

  4. Set “IdentityServer:IssuerUri” to be the URL that will be available externally (e.g. https://someCompany.totalview.cloud/Authentication)

  5. Verify that “IdentityServer:ShowPII” is set to false
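
The certificate and configuration steps above can be verified together after editing appsettings.json. This is an added example, not part of the original guide; the function name is hypothetical, and it assumes appsettings.json is plain JSON in which each "Section:Key" setting is nested as Section -> Key.

```powershell
# Added example: check the signing certificate and IdentityServer settings.
function Test-TotalviewAuthConfig {
    param([Parameter(Mandatory)][string]$AppSettingsPath)

    $cfg = Get-Content -LiteralPath $AppSettingsPath -Raw | ConvertFrom-Json
    $ids = $cfg.IdentityServer
    $findings = @()

    # A thumbprint is 40 hex digits. Values pasted from the certificate
    # dialog can carry spaces or a hidden leading character.
    $thumb = [string]$ids.SigningCertificateThumbPrint
    if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
        $findings += 'IdentityServer:SigningCertificateThumbPrint is not 40 hex digits'
    } else {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object Thumbprint -eq $thumb
        if (-not $cert) {
            $findings += "No certificate $thumb in LocalComputer - Personal"
        } else {
            if (-not $cert.HasPrivateKey) {
                $findings += 'Signing certificate has no private key on this machine'
            }
            if ($cert.NotAfter -lt (Get-Date)) {
                $findings += "Signing certificate expired on $($cert.NotAfter)"
            }
            # Step 6 of the certificate section: copy into Trusted Root.
            if (-not (Test-Path "Cert:\LocalMachine\Root\$thumb")) {
                $findings += 'Signing certificate is missing from Trusted Root Certification Authorities'
            }
        }
    }

    # IssuerUri must be the externally reachable absolute URL.
    if (-not [Uri]::IsWellFormedUriString([string]$ids.IssuerUri, [UriKind]::Absolute)) {
        $findings += 'IdentityServer:IssuerUri is missing or not an absolute URL'
    }

    # ShowPII must be false; a missing key is reported as well.
    if ($ids.ShowPII -ne $false) {
        $findings += 'IdentityServer:ShowPII is not set to false'
    }
    return $findings   # empty result means every check passed
}

# Usage (path is a placeholder):
# Test-TotalviewAuthConfig 'TotalviewInstallationFolder\TotalviewAuthentication\appsettings.json'
```

The check does not inspect the private key ACL for IIS AppPool\AuthenticationAppPool; confirm that through Manage Private Keys as described in the certificate section.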