How To Setup
Before you can enable Totalview Authentication you must install it on your host.
Add to IIS (Internet Information Service)
If you don’t have the dotnet core 3.1 Hosting bundle installed, download and install it from https://dotnet.microsoft.com/download/dotnet-core/3.1
Open IIS, right click Application Pools, select Add Application Pool.
Set these values and click save
Name: AuthenticationAppPool
.NET CLR Version: No Managed Code
Managed pipeline mode: Integrated
Start application pool immediately [x]
Find the created Application Pool. Right Click on it and select advanced settings.
Find Start Mode, and set it to AlwaysRunning and click save
Find Load User Profile, and set it to True and click save
Under Sites find the Totalview Site (e.g. where reports and other Totalview related stuff is installed, it might be Default Web Site)
Right click on that site and select “Add Application”
Set these values and click ok
Alias: Authentication
Application pool: AuthenticationAppPool
Physical path: TotalviewInstallationFolder\TotalviewAuthentication (This might not be correct, verify that this is in your Totalview folder)
Enable Preload [x]
Go to the physical folder of Totalview Authentication at TotalviewInstallationFolder\TotalviewAuthentication
Right click somewhere on the whitespace (not a file or folder) and click Properties.
Go to Security -> Edit -> Add
Set Location to be the current computer (not the domain)
Enter name to be IIS AppPool\AuthenticationAppPool
Click OK
Keep the default permissions. These should be:
Read & execute [x]
List folder contents [x]
Read [x]
Right click on the folder Logs and select Properties -> Security -> Edit.
Find the AuthenticationAppPool and add the permission Write
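The IIS Manager and folder-permission steps above can also be scripted. The following is an added example, not part of the Totalview documentation or installer; it assumes the WebAdministration module that ships with IIS, and `$SiteName` and `$AppRoot` are placeholders you must set for your installation.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the IIS Manager steps on this page.
# $SiteName and $AppRoot are placeholders, not values from the Totalview installer.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$AppRoot  = 'C:\TotalviewInstallationFolder\TotalviewAuthentication'
)

Import-Module WebAdministration

$pool     = 'AuthenticationAppPool'
$poolPath = "IIS:\AppPools\$pool"
$identity = "IIS AppPool\$pool"   # virtual account of the application pool

# Application pool: No Managed Code, Integrated, start immediately.
if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $pool | Out-Null }
Set-ItemProperty $poolPath -Name managedRuntimeVersion -Value ''
Set-ItemProperty $poolPath -Name managedPipelineMode   -Value 'Integrated'
Set-ItemProperty $poolPath -Name autoStart             -Value $true

# Advanced settings: Start Mode and Load User Profile.
Set-ItemProperty $poolPath -Name startMode                    -Value 'AlwaysRunning'
Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true

# Application "Authentication" under the Totalview site, with preload enabled.
$appPath = "IIS:\Sites\$SiteName\Authentication"
if (-not (Test-Path $appPath)) {
    New-WebApplication -Site $SiteName -Name 'Authentication' `
        -PhysicalPath $AppRoot -ApplicationPool $pool | Out-Null
}
Set-ItemProperty $appPath -Name preloadEnabled -Value $true

# Folder ACLs: read and execute on the application folder, write only on Logs.
# (OI)(CI) makes the entry inherit to files and subfolders, as the GUI does.
icacls $AppRoot /grant "${identity}:(OI)(CI)RX"
icacls (Join-Path $AppRoot 'Logs') /grant "${identity}:(OI)(CI)W"

# Show the resulting entries for the pool identity so they can be reviewed.
icacls $AppRoot | Select-String -SimpleMatch $pool
icacls (Join-Path $AppRoot 'Logs') | Select-String -SimpleMatch $pool
```

Keeping write access limited to the Logs folder means the application pool identity cannot modify the application's own binaries or appsettings.json.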
Update the Totalview database
Find the script CreateConfigurationTables.sql in your TotalviewInstallationFolder\TotalviewAuthentication\SqlScripts\CreateConfigurationTables.sql
Find the script CreatePersistedGrantTables.sql in your TotalviewInstallationFolder\TotalviewAuthentication\SqlScripts\CreatePersistedGrantTables.sql
Login to the Totalview Database using your management tool of choice and execute these scripts
Open TotalviewAuthentication appsettings.json found in TotalviewInstallationFolder\TotalviewAuthentication\appsettings.json
Set the “ConnectionStrings:DefaultConnection” and “ConnectionStrings:IdentityServerConnection” to point to the Totalview Database
Add required clients and resources to the database
Find the script AddClientsAndResources.sql in your TotalviewInstallationFolder\TotalviewAuthentication\SqlScripts\AddClientsAndResources.sql
Login to the Totalview Database using your management tool of choice and execute this script
If needed, update the redirect uris and post logout redirect uris for the relevant clients
Update the Admin Web client by running the following query, but with your uris instead (e.g. https://someCompany.totalview.cloud/Admin)
update ClientRedirectUris set RedirectUri = '[INSERT URL HERE]/signin-oidc' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-public-admin');
update ClientPostLogoutRedirectUris set PostLogoutRedirectUri = '[INSERT URL HERE]/signout-callback-oidc' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-public-admin');
Update Reports by running the following query, but with your uris instead (e.g. https://someCompany.totalview.cloud/Admin)
update ClientRedirectUris set RedirectUri = '[INSERT URL HERE]/authorization-code/callback' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-reports');
update ClientPostLogoutRedirectUris set PostLogoutRedirectUri = '[INSERT URL HERE]' where ClientId = (select TOP(1) Id from Clients where ClientId = 'totalview-reports');
NB! Verify that there are no other clients that should update their redirect uris or post logout redirect uris.
Create a self signed signing certificate
Open PowerShell as admin and run this command. (NB. if running multiple instances of Totalview on the same machine, then change the Subject and FriendlyName to reflect the instance)
Alternatively you can create the certificate on any computer, then export it and import it on the Totalview Server
IMPORTANT! Import it directly into LocalComputer -> Personal
New-SelfSignedCertificate -Subject "CN=TotalviewIdentityServerSigningCertificate" -FriendlyName "TotalviewIdentityServerSigningCertificate" -KeyExportPolicy Exportable -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3') -KeySpec Signature -HashAlgorithm SHA256 -KeyLength 2048 -CertStoreLocation "cert:\LocalMachine\My"
Open TotalviewAuthentication appsettings.json found in TotalviewInstallationFolder\TotalviewAuthentication\appsettings.json
Copy the ThumbPrint and insert it into “IdentityServer:SigningCertificateThumbPrint”.
Open the Certificate store “LocalComputer – Personal – Certificates”.
Allow Authentication to use the private key of the new certificate
Find the newly created certificate called “TotalviewIdentityServerSigningCertificate”.
Right click on it, select All Tasks, then Manage Private Keys…
Click Add
Set Location to be the current computer (not the domain)
Enter name to be IIS AppPool\AuthenticationAppPool
Click OK
Just leave the permissions as is
Full Control [x]
Read [x]
Click OK
Copy the newly created certificate to “LocalComputer – Trusted Root Certification Authority – Certificates”.
Update Configuration
Open TotalviewAuthentication appsettings.json found in TotalviewInstallationFolder\TotalviewAuthentication\appsettings.json
If you have Totalview Portal available then set “App:TotalviewPortalAddress” to that address (e.g. https://someCompany.totalview.cloud)
Set TotalviewMobilAddress to the address users use to log in with their mobile client (e.g. https://someCompany.totalview.cloud)
Set “IdentityServer:IssuerUri” to be the URL that will be available externally (e.g. https://someCompany.totalview.cloud/Authentication)
Verify that “IdentityServer:ShowPII” is set to false
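A check of the finished configuration, covering the signing certificate thumbprint, the connection strings, IssuerUri and ShowPII. This is an added example, not a Totalview tool; `$AppRoot` is a placeholder, and it assumes that the “Section:Key” names on this page map to nested JSON objects in appsettings.json and that the file contains no comments.

```powershell
# Added example: post-setup check of appsettings.json and the signing certificate.
# $AppRoot is a placeholder for TotalviewInstallationFolder\TotalviewAuthentication.
param([string]$AppRoot = 'C:\TotalviewInstallationFolder\TotalviewAuthentication')

$findings = New-Object 'System.Collections.Generic.List[string]'
$cfg = Get-Content -Raw -Path (Join-Path $AppRoot 'appsettings.json') | ConvertFrom-Json
$ids = $cfg.IdentityServer   # assumption: "IdentityServer:..." keys are nested here

# A thumbprint pasted from the certificate dialog can carry spaces or an
# invisible leading character, which makes the store lookup fail.
$raw   = [string]$ids.SigningCertificateThumbPrint
$thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb -ne $raw.ToUpperInvariant()) {
    $findings.Add('SigningCertificateThumbPrint contains non-hex characters')
}

# The certificate must be in LocalMachine\My and have its private key present.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert) {
    $findings.Add("No certificate with thumbprint '$thumb' in LocalMachine\My")
} else {
    if (-not $cert.HasPrivateKey) {
        $findings.Add('Signing certificate has no private key on this machine')
    }
    # New-SelfSignedCertificate defaults to one year of validity when
    # -NotAfter is not given, so warn ahead of expiry.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings.Add("Signing certificate expires on $($cert.NotAfter.ToString('yyyy-MM-dd'))")
    }
}

# ShowPII must be false, otherwise personal data can end up in the logs.
if ($ids.ShowPII -ne $false) { $findings.Add('IdentityServer:ShowPII is not false') }

# IssuerUri is the externally visible URL; the page's examples are all https.
if ([string]$ids.IssuerUri -notmatch '^https://') {
    $findings.Add("IdentityServer:IssuerUri is not an https URL: '$($ids.IssuerUri)'")
}

foreach ($name in 'DefaultConnection', 'IdentityServerConnection') {
    if ([string]::IsNullOrWhiteSpace($cfg.ConnectionStrings.$name)) {
        $findings.Add("ConnectionStrings:$name is empty")
    }
}

if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
```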