Encryption service

Devolutions Hub's encryption service streamlines access to your Hub by eliminating the requirement to individually invite each user from your SSO provider. This feature can be enabled in your Hub under Administration – Authentication – Encryption service.

Requirements

To enable and configure your encryption service, the following prerequisites are necessary:

Application identity permissions

Create an application identity and assign it the following system permissions:

  • Manage users and user groups
  • Manage system configuration (includes system permissions, system settings, and IP allowlists)

Azure services subscription

If you are setting up your encryption service using an Azure template, which is the recommended method (see the instructions below), you need to have a subscription to Azure services. If you do not have one, first follow these instructions:

  1. Log in to your Microsoft Azure Portal account.
  2. Select Subscriptions in the Azure services. If you do not see it, search for it in the search bar at the top of the page or click on More services to show other services. This service can be found under the Management and governance services category.
  3. Click Add then select the Pay-As-You-Go subscription offer.
  4. Enter the required information and sign up to the service.

Encryption service setup

Using an Azure template is the recommended way to configure the encryption service: it is the simpler, more straightforward approach and helps prevent unnecessary complications. Verify that all requirements are fulfilled before moving forward.

  1. In Devolutions Hub Business, go to Administration – Authentication – Encryption service and click on Generate Azure template.
  2. Copy the generated template.
  3. On the Microsoft Azure Portal home page, select Deploy a custom template in the Azure services. If you do not see it, search for it in the search bar at the top of the page or click on More services to show other services. This service can be found under the General services category.
  4. Click on Build your own template in the editor.
  5. Paste the generated Azure template you obtained from Devolutions Hub into the Azure template editor, replacing any pre-existing content within the editor.
  6. Click Save.
  7. On the Custom deployment page, configure your information as outlined below:
    • Subscription: Select a subscription if none is selected.
    • Resource group: Select or create a resource group if none is selected.
    • App Name and App Service Plan Name: Leave the default names or change them according to your preferences.
    • Hub URL: Ensure that it is set to the URL of your Devolutions Hub Business.
    • Application Identity Key and Application Identity Secret: Enter your application identity key and secret in the corresponding fields. Your application identity should have the Manage system configuration and Manage users and user groups permissions, as stated in Application identity permissions.
  8. Click on Review + create.
  9. Click on Create.
  10. Upon completion of the deployment, which may take a couple of seconds, click on Go to resource group.
  11. Select your new App Service in the list.
  12. Copy the given Default domain (https://your-app-name.azurewebsites.net) or the Custom domain (https://yourdomain.com) if you decided to create one.
  13. Add this domain to the list of redirect URIs in your enterprise application. Follow the instructions below to guide you through this process:
    1. Go back to the Microsoft Azure Portal home page and select Enterprise applications in the Azure services. If you do not see it, click on More services to show other services.
    2. Select your application from the list.
    3. In the left menu, click on Properties.
    4. In the text at the top of the page, click on application registration.
    5. In the left menu, click on Authentication.
    6. Click on Add URI and paste the domain in the redirect URI field.
    7. Click Save.
  14. In Devolutions Hub, go back to Administration – Authentication – Encryption service and enable the encryption service if not already done.
  15. Paste your default or custom domain in the Encryption Service URL field. This is where the encryption service will listen for incoming requests. This URL or IP address only needs to be reachable by clients logging in using the encryption service.
  16. Test the connection. If the connection fails, check the validity of the information you have entered and try again. If you are still experiencing connection problems, please contact our help desk technicians at service@devolutions.net.

All users from your SSO provider can now log in and gain access to your Devolutions Hub automatically, without needing an invitation. Users also do not need to have a private key set up to use the Hub. Because the encryption service is self-hosted, it plays a vital role in your infrastructure: should the server experience downtime or fail to run, users lacking private keys will encounter issues connecting to the Hub.

Encryption service setup with the Devolutions Hub Services

Using an Azure template is the recommended way to configure the encryption service: it is the simpler, more straightforward approach and helps prevent unnecessary complications. Nonetheless, if you wish to use the Devolutions Hub Services method described below, verify that all requirements are fulfilled before moving forward.

  1. Download the Devolutions Hub Services and launch the installer.
  2. Click Next to continue past the welcome page.
  3. Read and accept the terms in the License Agreement, then click Next.
  4. Under Custom Setup, select Encryption, then click Next.
  5. Enter the following information in the corresponding fields:
    • the Host, which is the URL of your Devolutions Hub.
    • the Application secret and Application key, which were provided to you when the application identity was initially created.
  6. Click on Test Connection. You should receive a message indicating that the connection was successful. If this is not the case, check the validity of the information you have entered and try again. If you are still experiencing connection problems, please contact our help desk technicians at service@devolutions.net.
  7. Click Next.
  8. Enter the URL (HTTPS is mandatory) and Port number where the encryption service will listen for incoming requests. Ensure the port is configured to be reachable.
  9. Search for your Certificate and select it. If your certificate is protected with a password, enter it in Certificate Password.
  10. Click Next.

The installation process should now begin.
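
Because users without private keys depend on the self-hosted encryption service being up, and because the service URL must be HTTPS on a reachable port with a valid certificate, a scheduled health check is worth running against it. The following is an added example, not Devolutions code: it checks only TCP reachability, a verified TLS handshake and certificate lifetime, and the function names and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

def parse_service_url(url):
    """Return (host, port) for an encryption service URL, or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("encryption service URL must use https")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("URL must not embed credentials")
    return parts.hostname, parts.port or 443

def days_until_expiry(not_after, now=None):
    """Whole days left, given a notAfter string in ssl.getpeercert() format."""
    expires = ssl.cert_time_to_seconds(not_after)
    current = time.time() if now is None else now
    return int((expires - current) // 86400)

def check_service(url, warn_days=30, timeout=5.0):
    """Connect, complete a verified TLS handshake, report certificate lifetime.

    warn_days is an assumed threshold; tune it to your renewal process.
    """
    host, port = parse_service_url(url)
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError as exc:  # refused, timed out, or TLS verification failed
        return {"ok": False, "reason": f"{type(exc).__name__}: {exc}"}
    left = days_until_expiry(cert["notAfter"])
    return {"ok": left > warn_days, "days_left": left, "host": host, "port": port}

if __name__ == "__main__":
    import sys
    # Pass the URL entered in the Encryption Service URL field.
    print(check_service(sys.argv[1]))
```

Run it from a network location where your clients sit, since the service URL only needs to be reachable by clients logging in through the encryption service.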
