Configure SAML Authentication

You can configure Meridian Explorer to work with any SAML 2.0 compatible identity provider. For information about configuring PowerWeb and site cache connections to use SAML, see the Configure WebLink Registry Keys section below.

To use SAML authentication in Meridian, a Meridian Portal tenancy is required. You can Configure a Third-Party Identity Provider in Meridian Portal.

To complete this configuration, as a Meridian Enterprise Server System Administrator you must understand how to configure an on-premises firewall to allow inbound connections if required.

To configure Meridian Explorer for SAML authentication, complete these tasks on the Meridian Enterprise Server computer. Command lines are shown below but, you can also complete the tasks with the user interface.

Due to the technical complexity and impact on user management processes, we recommend you contact your Accruent account manager when you intend to implement SAML authentication for an on-premises Meridian installation.

SAML authentication currently does not work with:

PowerUser
Selecting Publisher rendering jobs

Important!

When presenting the e-signature page, Meridian instructs the identity provider to force re-authentication of the user. However, by itself this may not meet regulatory requirements because the browser may be caching credentials. Additional measures such as defining security policies to prevent credential caching by browsers may be required. It also may depend on how the selected identity provider behaves when forcing re-authentication.

OpenID Connect is used to communicate between Meridian Server on-prem and your Meridian Cloud tenancy, where the integration with the SAML identity provider is configured. The instructions below describe how to configure OpenID Connect to connect from the Enterprise Server to your Meridian Cloud tenancy.

The configuration can be set up and tested with the tool described in Configure OpenId Connect.

Configure WebLink Registry Keys

Configure Meridian Explorer

To configure Meridian Explorer:

First, configure the Meridian Explorer web site:
1. On the Meridian Enterprise Server computer, in Internet Information Services (IIS), find the name of the Meridian Explorer web site, for example, Hyperion.
2. Enable anonymous authentication mode.
  
  It might be necessary to unlock the sections first if appcmd.exe is used.
```
appcmd set config "Default Web Site/BlueCieloECM.Hyperion" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:true /commit:appHost
```
  Keep Windows authentication enabled for the BlueCieloECM.Hyperion Web Site.

Then, configure the Meridian Explorer application:

Open the AuthConfiguration.dat file in any text editor.

By default, it is located in the C:\ProgramData\BlueCieloECM\Hyperion folder.

Change or create the values listed in the following table.

Settings are separated by commas (,).

Authentication options
Option	Description	Example
UseOpenIdConnectAuthentication	Enables SAML authentication.	true
HyperionAppUrl	URL used to connect to PowerWeb. This must be the same URL as the one provided to the SAML identity provider.	http://<MyDomain>/BlueCieloECM.Hyperion
TenantId	Meridian Portal tenancy name.	<OrgName>
IssuerUri	URL of the Meridian Cloud authentication server.	https://auth-ci2.meridiancloud.io/auth
ClientId	Value entered during registration with the SAML identity provider.	localhyperion
ClientSecret	Value entered during registration with the SAML identity provider.	secret

The completed text block should look like this:

{"UseOpenIdConnectAuthentication":true,"HyperionAppUrl":"http://MyServer/BlueCieloECM.Hyperion",
"TenantId":"MyOrg","IssuerUri":"https://auth-ci2.meridiancloud.io/auth",
"ClientId":"localhyperion","ClientSecret":"secret"}

Restart IIS.
```
iisreset
```

Configure Meridian IIS application

To configure the Meridian IIS application:

Change the application pool settings for the Meridian application pool.

If you used a standard setup, the name of the application pool is probably BCMeridian.

If you are using the user interface:
1. Select Integrated from the Managed pipeline mode field.
2. Select the .NET Framework version to be used by the application pool.
If you are using AppCmd.exe:
1. Run the following command to switch to integrated pipeline mode:
  Copy
```
appcmd set apppool "Meridian Application Pool" /managedPipelineMode:Integrated
```
2. Run the following command to set the .NET Framework version:
  Copy
```
appcmd set apppool "Meridian Application Pool" /managedRuntimeVersion:v4.0
```
To learn more about these settings, see Application Pool Defaults on Microsoft's website.
Change your Meridian Web Site settings to Anonymous authentication.

If you use AppCmd.exe, it might be necessary to unlock the sections first. If you use the user interface to make these changes, you will not have to unlock the sections.

If you are using the user interface:
- Follow the instructions on Microsoft's website.
  
  Linked above is Anonymous Authentication <anonymousAuthentication>, which is a general article which describes how anonymous authentication is configured. Further reading may be necessary.
If you are using AppCmd.exe:
- Run the following commands to change your authentication settings.
  Copy
```
appcmd set config "Default Web Site/Meridian" /section:system.webServer/security/authentication/windowsAuthentication /enabled:false /commit:appHost
appcmd set config "Default Web Site/Meridian" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:true /commit:appHost
```
Open the web.config file for the Meridian web application in a text editor.
Add the following text to the <configuration\system.webServer> node:
Copy
```
<modules runAllManagedModulesForAllRequests="true" />
```

Add the following text to the <configuration> node:

Copy

<runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
     <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.OAuth" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.Cookies" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Http.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Cors" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.0.20622.1351" newVersion="4.0.20622.1351" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.IdentityModel.Protocol.Extensions" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-1.0.2.33" newVersion="1.0.2.33" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-8.0.0.0" newVersion="8.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.1.0.0" newVersion="3.1.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>

Save your changes.
Restart the IIS server.
```
iisreset
```

2022 Release: Configure PowerWeb IIS application

If you are using the new PowerWeb IIS application described in the 2022 release notes, you will need to make some configuration updates.

To update your configuration:

Follow the Configure Meridian IIS application procedures above.

Make sure that the Meridian IIS application is using .NET 4.0.
Change the application pool settings for the PowerWeb application pool.

If you used a standard setup, the name of the application pool is probably BCPowerWeb.

To learn more about these settings, see Application Pool Defaults on Microsoft's website.
Set the managed pipeline mode to Integrated.
Select the .NET 4.0 Framework as the version used by the application pool.
Edit your web.config file.
In the preCondition settings in the Handlers section, change classicMode to integratedMode.

Ensure that the Meridian handler comes before the PowerWeb handler.

Usually the Meridian handler is called BlueCieloWebServiceHandler, and PowerWeb handler is called BlueCieloPowerWebHandler.

Copy

Example

<handlers accessPolicy="Read, Execute, Script">
    <add name="BlueCieloWebServiceHandler" path="weblink3.dll" verb="GET,HEAD,POST,OPTIONS" modules="IsapiModule" scriptProcessor="C:\inetpub\AMM\WebLink3.dll" resourceType="File" preCondition="integratedMode,bitness64" />
    <add name="BlueCieloPowerWebHandler" path="?*" verb="GET,HEAD,POST,OPTIONS" modules="IsapiModule" scriptProcessor="C:\inetpub\AMM\PowerWeb.dll" preCondition="integratedMode,bitness64" />
</handlers>

Save your changes.
Restart the IIS server.
```
iisreset
```

Configure remote CAD links and Site Cache Client

To ensure your remote CAD links and the Site Cache Client are properly configured:

Ensure that BlueCieloECM.BCLinkOidc.Client.dll is registered in the ...\BCMeridian\Program\BCLinkOidc\ folder after setup.

If not, then use the following command in Powershell:
Copy
```
"%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase /tlb "BlueCieloECM.BCLinkOidc.Client.dll"
```
Ensure the settings in the bulleted list below are applied in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Cyco\AutoManager Meridian\CurrentVersion\Client\BCSiteCacheAuth

HKEY_CURRENT_USER\Software\Cyco\AutoManager Meridian\CurrentVersion\Client\Settings\BCSiteCacheAuth
- UseWorkspace – dword – 00000000
- UseOpenIdConnectAuthentication – dword – 00000001
- M360Tenant – %tenant_name%
- M360Domain – meridian360.io
- IssuerUri – https://%issuer_uri_host%.meridiancloud.io/auth

In ...\BCMeridian\Program\BlueCieloECM.SiteCache.LwsClient.exe.config, add the following text to the <configuration><userSettings> node:

Copy

<setting name="IssuerUri" serializeAs="String">
    <value>https://%issuer_uri_host%.meridiancloud.io/auth</value>
</setting>
<setting name="M360Domain" serializeAs="String">
    <value>meridian360.io</value>
</setting>
<setting name="ClientId" serializeAs="String">
    <value>meridianlwsclient</value>
</setting>
<setting name="ClientSecret" serializeAs="String">
    <value>gSJtqpBn5yG8y4tR</value>
</setting>

Set the following values in the C:\ProgramData\BlueCieloECM\SiteCache\SiteCacheSettings.dat file:
- IssuerUri – https://%issuer_uri_host%.meridiancloud.io/auth
- UseOpenIdConnectAuthentication – true
Open the Internet Information Services (IIS) Manager.
Navigate to Sites > Default Web Site > BCSiteCache > Authentication.
Disable Windows Authentication.
Enable Anonymous Authentication.