Cinchy v4.0

Installation

1. Create a Database

On your SQL Server 2012+ instance, create a new database named Cinchy (or any other name you prefer). If you choose an alternate name, in the remaining instructions wherever the database name is referenced, replace the word Cinchy with the name you chose.

A single user account with db_owner privileges is required for the Cinchy application to connect to the database. If you choose to use Windows Authentication instead of SQL Server Authentication, the account that is granted access must be the same account under which the IIS Application Pool runs.

2. Create an IIS Application Pool

On the Windows Server machine, launch an instance of PowerShell as Administrator.

Run the below commands to create the application pool and set its properties.

Import-Module WebAdministration
$applicationPoolNameSSO="CinchySSO"
$applicationPoolNameWeb="CinchyWeb"
New-WebAppPool -Name $applicationPoolNameSSO
$appPath = "IIS:\AppPools\"+ $applicationPoolNameSSO
$appPool = Get-IISAppPool $applicationPoolNameSSO
$appPool.managedRuntimeVersion = ""
Set-ItemProperty -Path $appPath -Name managedRuntimeVersion $appPool.managedRuntimeVersion
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameSSO" -Name Recycling.periodicRestart.time -Value 0.00:00:00
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameSSO" -Name ProcessModel.idleTimeout -Value 1.05:00:00
New-WebAppPool -Name $applicationPoolNameWeb
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameWeb" -Name Recycling.periodicRestart.time -Value 0.00:00:00
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameWeb" -Name ProcessModel.idleTimeout -Value 1.05:00:00

If you chose to use Windows Authentication in the database or want to run the application under a different user account, execute the below commands to change the application pool identity.

$credentials = (Get-Credential -Message "Please enter the Login credentials including your Domain Name").GetNetworkCredential()
$userName = $credentials.Domain + '\' + $credentials.UserName
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameWeb" -name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameWeb" -name processModel.userName -Value $username
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameWeb" -name processModel.password -Value $credentials.Password
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameSSO" -name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameSSO" -name processModel.userName -Value $username
Set-ItemProperty "IIS:\AppPools\$applicationPoolNameSSO" -name processModel.password -Value $credentials.Password

You may use an alternate application pool name (i.e. instead of Cinchy) if you prefer.

3. Create the Application Directories

  1. Unzip the application package on your C drive. This will create 2 directories, C:\Cinchy and C:\CinchySSO. Ensure your application pool accounts has read and execute access to these directories (default accounts are IIS AppPool\CinchyWeb and IIS AppPool\CinchySSO).

  2. Run the below commands in the Administrator instance of PowerShell to create directories for the application logs. Ensure your application pool account has write access to these directories.

md C:\CinchyLogs\Cinchy
md C:\CinchyLogs\CinchySSO
md C:\CinchyErrors

4. Update the CinchySSO appsettings.json

Open the C:\CinchySSO\appsettings.json file in a text editor and update the values below.

Config Settings

App Settings

Under AppSettings section, update the values outlined in the table. Wherever you see <base url> in the value, replace this with the actual protocol (i.e. http or https) and the domain name (or ip address) you plan to use. e.g. if you're using https with the domain app.cinchy.co, <base url> should be replaced with https://app.cinchy.co

Key

Value

CinchyLoginRedirectUri

<base url>/Cinchy/Account/LoginRedirect

CinchyPostLogoutRedirectUri

<base url>/Cinchy

CertificatePath

C:\\CinchySSO\\cinchyidentitysrv.pfx

StsPublicOriginUri

Base URL used by the .well-known discovery. If left blank will match the request URL.

<base url>/cinchysso

IssuerUrl

The URL of the issuer. This value defaults to the StsPublicOriginUrl and will be used as the issuer of tokens issued by CinchySSO.

<base url>/cinchysso

CinchyAccessTokenLifetime

Duration for the Cinchy Access Token. Timespan, defaults to "0.00:30:00"

4.18.0+ includes session expiration based on the CinchyAccessTokenLifetime. So for the default of "0.00:30:00", this means that if you have been inactive in Cinchy for 30 minutes, your session will expire and you will need to log in again.

Below values are only required for SSO, otherwise leave them as blank

Key

Value

SAMLClientEntityId

Client Entity Id

SAMLIDPEntityId

Identity Provider Entity Id

SAMLMetadataXmlPath

Identity Provider metadata XML file path

SAMLSSOServiceURL

Configure service endpoint for SAML authentication

AcsURLModule

This parameter is needs to be configured as per your SAML ACS URL. For example, if your ACS URL looks like this - "https:///CinchySSO/identity/AuthServices/Acs", then the value of this parameter should be "/identity/AuthServices"

Connection String

Under the "ConnectionStrings" section you'll see 

"SqlServer" : ""

The "SqlServer" value needs to be set for the application to connect to the database. If you're using SQL Server Authentication you can use the below as a reference and update the Server, User Id, and Password properties. If you chose a different database name earlier, you'll need to update that as well.

"SqlServer" : "Server=MyServer;Database=Cinchy;User ID=cinchy;Password=password;Trusted_Connection=False;Connection Timeout=30;Min Pool Size=10;"

If you're using Windows Authentication, then use the below as a reference and update the Server property (and Database if required).

"SqlServer" : "Server=MyServer;Database=Cinchy;Trusted_Connection=True;Connection Timeout=30;Min Pool Size=10;"

External Identity Claim Section

Under the "ExternalIdentityClaimSection" section you'll see, these values are used for SAML SSO. If you are not using SSO, keep these values as blank

Key

Value

ExternalIdentityClaim -> FirstName -> ExternalClaimName

ExternalIdentityClaim -> LastName -> ExternalClaimName

ExternalIdentityClaim -> Email -> ExternalClaimName

ExternalIdentityClaim -> MemberOf -> ExternalClaimName

Log4net.config and Web.config

The log folder is required to be configured under log4net.config and web.config files. Please make sure the identity under which the application pool is running has access to the log and certificate folders as configured.

Under the log4net.config, you'll see a RollingLogFileAppender section, and within that you need to update the value of <file> tag as below

<file value="C:\CinchyLogs\CinchySSO\log.txt" />

Under web.config, update "stdoutLogFile" value to "C:\CinchyLogs\CinchySSO\stdout" under "aspNetCore" tag. Also, update the value of "ASPNETCORE_ENVIRONMENT" to "Production".

5. Update the Cinchy Web.Config

Open the C:\Cinchy\Web.config file in a text editor and update the sections outlined below.

Connection String

Under the <connectionStrings> section you'll see 

<add name="SqlServer" connectionString="" />

Replace this with the same connection string value you set in the C:\CinchySSO\appsettings.json file.

Application Settings

Under the <appSettings> section, update the values outlined in the table. Wherever you see <base url> in the value, replace this with the actual protocol (i.e. http or https) and the domain name (or ip address) you plan to use. e.g. if you're using https with the domain app.cinchy.co, <base url> should be replaced with https://app.cinchy.co

Key

Value

SSOLogPath

C:\CinchyLogs\CinchySSO\log.txt

UseHttps

true or false (based on whether you are using https in your base url)

StsAuthorityUri

Should match the StsPublicOriginUri value specified in the SSO appsettings above.

<base url>/cinchysso

StsRedirectUri

<base url>/Cinchy/Account/LoginRedirect

For StsAuthorityUri - Please make sure the sitename and cinchysso is in lower case. The same URL will be used for Applet's authority config.

Log File Path

Under the <log4net> section you'll see a RollingLogFileAppender, and within that is the following line

<file value="logs\log.txt" />

Replace the value attribute with the target log file location:

<file value="C:\CinchyLogs\Cinchy\log.txt" />

Under the <elmah> section you'll see

<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/App_Data" />

Replace the logPath attribute with the target error log location:

<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="C:\CinchyErrors" />

6. Create the IIS Applications

In the Administrator instance of PowerShell, execute the below commands to create the IIS applications and enable anonymous authentication (required to allow authentication to be handled by the application).

New-WebApplication -Name Cinchy -Site 'Default Web Site' -PhysicalPath C:\Cinchy -ApplicationPool CinchyWeb
New-WebApplication -Name CinchySSO -Site 'Default Web Site' -PhysicalPath C:\CinchySSO -ApplicationPool CinchySSO
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/anonymousAuthentication" -Name Enabled -Value True -PSPath IIS:\ -Location "Default Web Site"

To enable HTTPS, the server certificate must be loaded and the standard IIS configuration completed at the Web Site level to add the binding.

7. Test the Application

Access the <base url>/Cinchy (e.g. http://app.cinchy.co/Cinchy) through Google Chrome. The login screen should appear. The default username is admin and the password is cinchy. You will be prompted to change your password the first time you log in.

To avoid users from having to access the application at a url that contains /Cinchy, you can use a downloadable IIS extension called URL Rewrite to remap requests hitting the <base url> to <base url>/Cinchy. The extension is available here.

PreviousPre-RequisitesNextMaintenance

Last updated