Configure SAML Authentication

You can configure Meridian Explorer to work with any SAML 2.0 compatible identity provider. For information about configuring PowerWeb and site cache connections to use SAML, see the Meridian Enterprise Administrator's Guide.

Note:

To use SAML authentication in Meridian, a Meridian Portal tenancy is required. You can configure a Third-Party Identity Provider in Meridian Portal.

To complete this configuration, as a Meridian Enterprise Server system administrator you must understand how to configure an on-premises firewall to allow inbound connections if required.

To configure Meridian Explorer for SAML authentication, complete these tasks on the Meridian Enterprise Server computer. Command lines are shown below but, you can also complete the tasks with the user interface.

Due to the technical complexity and impact on user management processes, we recommend you contact your Accruent account manager when you intend to implement SAML authetication for an on-premises Meridian installation.

Configure WebLink Registry Keys

Configure Meridian Explorer

To configure Meridian Explorer:

First, configure the Meridian Explorer web site:
1. On the Meridian Enterprise Server computer, in Internet Information Services (IIS), find the name of the Meridian Explorer web site, for example, Hyperion.
2. Enable anonymous authentication mode.
  
  It might be necessary to unlock the sections first if appcmd.exe is used.
```
appcmd set config "Default Web Site/BlueCieloECM.Hyperion" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:true /commit:appHost
```
  Keep Windows authentication enabled for the BlueCieloECM.Hyperion Web Site.

Then, configure the Meridian Explorer application:

Open the AuthConfiguration.dat file in any text editor.

By default, it is located in the C:\ProgramData\BlueCieloECM\Hyperion folder.

Change or create the values listed in the following table.

Settings are separated by commas (,).

Authentication options
Option	Description	Example
UseOpenIdConnectAuthentication	Enables SAML authentication.	true
HyperionAppUrl	URL used to connect to PowerWeb. This must be the same URL as the one provided to the SAML identity provider.	http://<MyDomain>/BlueCieloECM.Hyperion
TenantId	Meridian Portal tenancy name.	<OrgName>
IssuerUri	URL of the Meridian Cloud authentication server.	https://auth-ci2.meridiancloud.io/auth
ClientId	Value entered during registration with the SAML identity provider.	localhyperion
ClientSecret	Value entered during registration with the SAML identity provider.	secret

The completed text block should look like this:

{"UseOpenIdConnectAuthentication":true,"HyperionAppUrl":"http://MyServer/BlueCieloECM.Hyperion",
"TenantId":"MyOrg","IssuerUri":"https://auth-ci2.meridiancloud.io/auth",
"ClientId":"localhyperion","ClientSecret":"secret"}

Restart IIS.
```
iisreset
```

Configure Meridian IIS application

To configure the Meridian IIS application:

Change the application pool settings for the Meridian application pool.

If you used a standard setup, the name of the application pool is probably BCMeridian.

If you are using the user interface:
1. Select Integrated from the Managed pipeline mode field.
2. Select the .NET Framework version to be used by the application pool.
If you are using AppCmd.exe:
1. Run the following command to switch to integrated pipeline mode:
  Copy
```
appcmd set apppool "Meridian Application Pool" /managedPipelineMode:Integrated
```
2. Run the following command to set the .NET Framework version:
  Copy
```
appcmd set apppool "Meridian Application Pool" /managedRuntimeVersion:v4.0
```
To learn more about these settings, see Application Pool Defaults on Microsoft's website.
Change your Meridian Web Site settings to Anonymous authentication.

If you use AppCmd.exe, it might be necessary to unlock the sections first. If you use the user interface to make these changes, you will not have to unlock the sections.

If you are using the user interface:
- Follow the instructions on Microsoft's website.
  
  Linked above is Anonymous Authentication <anonymousAuthentication>, which is a general article which describes how anonymous authentication is configured. Further reading may be necessary.
If you are using AppCmd.exe:
- Run the following commands to change your authentication settings.
  Copy
```
appcmd set config "Default Web Site/Meridian" /section:system.webServer/security/authentication/windowsAuthentication /enabled:false /commit:appHost
appcmd set config "Default Web Site/Meridian" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:true /commit:appHost
```
Open the web.config file for the Meridian web application in a text editor.
Add the following text to the <configuration\system.webServer> node:
Copy
```
<modules runAllManagedModulesForAllRequests="true" />
```

Add the following text to the <configuration> node:

Copy

<runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <dependentAssembly>
            <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="Microsoft.Owin.Security.OAuth" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="Microsoft.Owin.Security.Cookies" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="0.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="System.Web.Http.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="Microsoft.Owin.Cors" publicKeyToken="31bf3856ad364e35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-4.0.20622.1351" newVersion="4.0.20622.1351" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="Microsoft.IdentityModel.Protocol.Extensions" publicKeyToken="31bf3856ad364e35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-1.0.2.33" newVersion="1.0.2.33" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
        </dependentAssembly>
        <dependentAssembly>
            <assemblyIdentity name="Microsoft.Owin.Security.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral" />
            <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
        </dependentAssembly>
    </assemblyBinding>
</runtime>

Save your changes.
Restart the IIS server.
```
iisreset
```

Configure remote CAD links and Site Cache Client

To ensure your remote CAD links and the Site Cache Client are properly configured:

Ensure that BlueCieloECM.BCLinkOidc.Client.dll is registered in the ...\BCMeridian\Program\BCLinkOidc\ folder after setup.

If not, then use the following command in Powershell:
Copy
```
"%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase /tlb "BlueCieloECM.BCLinkOidc.Client.dll"
```
Ensure the settings in the bulleted list below are applied in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Cyco\AutoManager Meridian\CurrentVersion\Client\BCSiteCacheAuth

HKEY_CURRENT_USER\Software\Cyco\AutoManager Meridian\CurrentVersion\Client\Settings\BCSiteCacheAuth
- UseWorkspace – dword – 00000000
- UseOpenIdConnectAuthentication – dword – 00000001
- M360Tenant – %tenant_name%
- M360Domain – meridian360.io
- IssuerUri – https://%issuer_uri_host%.meridiancloud.io/auth

In ...\BCMeridian\Program\BlueCieloECM.SiteCache.LwsClient.exe.config, add the following text to the <configuration><userSettings> node:

Copy

<setting name="IssuerUri" serializeAs="String">
    <value>https://%issuer_uri_host%.meridiancloud.io/auth</value>
</setting>
<setting name="M360Domain" serializeAs="String">
    <value>meridian360.io</value>
</setting>
<setting name="ClientId" serializeAs="String">
    <value>meridianlwsclient</value>
</setting>
<setting name="ClientSecret" serializeAs="String">
    <value>gSJtqpBn5yG8y4tR</value>
</setting>

Set the following values in the C:\ProgramData\BlueCieloECM\SiteCache\SiteCacheSettings.dat file:
- IssuerUri – https://%issuer_uri_host%.meridiancloud.io/auth
- UseOpenIdConnectAuthentication – true
Open the Internet Information Services (IIS) Manager.
Navigate to Sites > Default Web Site > BCSiteCache > Authentication.
Disable Windows Authentication.
Enable Anonymous Authentication.