Differences
This shows you the differences between two versions of the page.
organisationcloud/saml [2020_01_02 17:19] – smeadmin | organisationcloud/saml [2020_01_03 15:32] – Azure SAML added eric
Line 45: | Line 45: | ||
- | ===== Configuring with ADFS ===== | + | ===== Configuring with ADFS - Local AD ===== |
From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | ||
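Review bot: renaming the heading from "Configuring with ADFS" to "Configuring with ADFS - Local AD" changes the section anchor DokuWiki derives from the heading text, so any existing link to the old section name will no longer land here; worth checking for inbound links or adding a redirect note. The rename itself is a good call now that a second ADFS variant (Azure AD) follows it.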
Line 169: | Line 169: | ||
* User Phone Field => phone | * User Phone Field => phone | ||
+ | ===== Configuring with ADFS - Azure AD ===== | ||
+ | |||
+ | === Setup Azure SAML App === | ||
+ | |||
+ | As an administrative user, log into the Azure portal: https:// | ||
+ | |||
+ | Search and enter the page for " | ||
+ | {{ :: | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | On the next screen we will name the application something like // | ||
+ | |||
+ | Now that the application is created, we will enable SAML for single sign-on. | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | In "Basic SAML Configuration" | ||
+ | |||
+ | Identifier (Entity ID): File Fabric URL - ex: https:// | ||
+ | |||
+ | Reply URL (Assertion Consumer Service URL): ex: https:// | ||
+ | |||
+ | Next we will setup Group Claims. | ||
+ | |||
+ | Select "All Groups" | ||
+ | " | ||
+ | |||
+ | Once this is set, we will copy and save the URLs | ||
+ | {{ :: | ||
+ | |||
+ | Next we will download the Certificate (Base64) from the "SAML Signing Certificate" | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/ | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. | ||
+ | |||
+ | In the "User Attributes & Claims" | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | === Setup Graph API === | ||
+ | |||
+ | In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. | ||
+ | |||
+ | In App Registrations, | ||
+ | |||
+ | Once created, we will edit the API permissions, | ||
+ | |||
+ | In the Request API Permissions screen, we will select: | ||
+ | Azure Active Directory Graph > Application permissions > Directory.Read.All | ||
+ | And hit "Add permissions" | ||
+ | |||
+ | Now we will gather the credentials. | ||
+ | In " | ||
+ | |||
+ | In " | ||
+ | |||
+ | === Setup File Fabric Auth System === | ||
+ | |||
+ | As an Org admin, we will now enable SAML Authentication. | ||
+ | Click on: Organization > SAML 2 | ||
+ | |||
+ | Fill in the following details: | ||
+ | |||
+ | __Auth System Name__ - Azure SAML | ||
+ | |||
+ | __Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure” | ||
+ | |||
+ | __The service provider entity ID__ - Enter the "Azure AD Identifier" | ||
+ | |||
+ | __SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above | ||
+ | |||
+ | __Logout Service Endpoint__ - Enter the " | ||
+ | |||
+ | __Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above | ||
+ | |||
+ | __Fetch User Role\Group Name by id__ - Check | ||
+ | |||
+ | __Azure AD Application ID__ - Enter the GraphAPI " | ||
+ | |||
+ | __Azure AD Application Key__ - Enter the " | ||
+ | |||
+ | __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML | ||
+ | |||
+ | __Update user roles/ | ||
+ | |||
+ | __Update user info on login__ - Check to update all user information on SAML login | ||
+ | __User Import Fields__ | ||
+ | |||
+ | Ensure the following mappings are set: | ||
+ | |||
+ | Unique user attribute > user | ||
+ | |||
+ | User login field > user | ||
+ | |||
+ | User Name field > fullname | ||
+ | |||
+ | User email field > mail | ||
+ | |||
+ | Role\Group name field > groups | ||
+ | |||
+ | User Phone field > phone | ||
+ | |||
+ | {{ :: | ||
+ | {{ :: | ||
===== Configuring with G Suite (Google) ===== | ===== Configuring with G Suite (Google) ===== | ||
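Review bot: the "Setup Graph API" part of this hunk grants Directory.Read.All as an application permission and then has the reader paste the resulting key into File Fabric as "Azure AD Application Key"; that is a long-lived, tenant-wide directory read credential that works without any signed-in user, so the procedure should state that a tenant admin must grant consent for the application permission, that the key should be created with an expiry and rotated, and that the "Azure AD Application Key" field holds a secret to be handled like a password rather than pasted into tickets or shared docs. Two smaller points in the same hunk: the "Certificate Data" step tells the reader to paste the Base64 signing certificate from the "SAML Signing Certificate" section but not that the pasted value must be replaced when that certificate is rotated or expires, after which every SAML login fails signature validation; and the mapping list ("Role\Group name field > groups") should say that the "groups" claim carries group object IDs unless "Fetch User Role\Group Name by id" is checked, since the hunk's own line "In order to get the correct group names from ADFS, we will need to enable the Azure Graph API" is the only place that dependency is explained.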
Line 276: | Line 386: | ||
===== Configuring with Okta ===== | ===== Configuring with Okta ===== | ||
- | From your Administrative | + | From your Okta's Administrative |
For the **Platform** option, select **Web**. | For the **Platform** option, select **Web**. | ||
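Review bot: "From your Okta's Administrative" on the changed line is ungrammatical; "From your Okta Administrative" (or "From the Okta Administrative Dashboard") reads correctly and matches the product name used elsewhere on the page.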
Line 284: | Line 394: | ||
Then click **Create**. | Then click **Create**. | ||
- | On the next screen we need to supply some basic information for the application. | + | On the next screen, we need to supply some basic information for the application. |
For the **App Name**, provide a friendly name for the SME service, e.g. **Enterprise File Fabric**. Optionally you can also provide an **App logo** that users would recognize. | For the **App Name**, provide a friendly name for the SME service, e.g. **Enterprise File Fabric**. Optionally you can also provide an **App logo** that users would recognize. | ||
Line 292: | Line 402: | ||
On the **SAML settings** screen we want to configure the fields as follows: | On the **SAML settings** screen we want to configure the fields as follows: | ||
- | * __Single sign on URL__ - This should be the URI of your SME appliance, appended by "/ | + | * __Single sign on URL__ - This should be the URI of your Enterprise File Fabric |
- | * __Audience URI__ - This should be the URI of your SME Appliance, e.g. " | + | * __Audience URI__ - This should be the URI of your Enterprise File Fabric appliance, e.g. " |
* __Default RelayState__ - This should be left blank | * __Default RelayState__ - This should be left blank | ||
* __Name ID format__ - Select Email Address | * __Name ID format__ - Select Email Address | ||
Line 303: | Line 413: | ||
* In **Single Logout URL** enter the value you entered in **Audience URI** | * In **Single Logout URL** enter the value you entered in **Audience URI** | ||
* In **SP Issuer** enter the value you entered in **Audience URI** | * In **SP Issuer** enter the value you entered in **Audience URI** | ||
- | * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your File Fabric Auth System configuration screen. | + | * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your Enterprise |
Under **Attribute Statements** configure the mappings as follows: | Under **Attribute Statements** configure the mappings as follows: | ||
Line 311: | Line 421: | ||
* Name " | * Name " | ||
- | Under **Group Attribute Statements**, | + | Under **Group Attribute Statements**, |
- | A Groups Entry will need to be added with a name of " | + | A Groups Entry will need to be added with a name of " |
* Contains: IT - Matches groups containing the word " | * Contains: IT - Matches groups containing the word " | ||
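Review bot: the "Contains: IT" filter example on the last line of this hunk is a substring match, so it also passes any group whose name merely happens to contain those letters, and every group that passes is sent in the assertion and inherited as a File Fabric role on each login; the example should either use Equals for an exact group name or an anchored Regex, and should say that the filter decides which groups File Fabric sees, not which users may log in (that is controlled by the application assignment described later in the page).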
Line 321: | Line 431: | ||
On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button. | On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button. | ||
- | |||
On the File Fabric SAML Auth System screen, enter the following values: | On the File Fabric SAML Auth System screen, enter the following values: | ||
Line 327: | Line 436: | ||
* The Service provider entity ID - The URI entered earlier from the **Audience URI** field | * The Service provider entity ID - The URI entered earlier from the **Audience URI** field | ||
* SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen | * SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen | ||
- | * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen. | + | * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen. |
* x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen | * x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen | ||
Before users are able to access the Okta application, | Before users are able to access the Okta application, | ||
+ | |||
+ | Your Okta setup with the Enterprise File Fabric is now complete. | ||
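Review bot: "Oka setup instructions screen" on the x509 Certificate line (present on both sides of the diff) is a typo for "Okta"; "x509 Certificate" should also be written "X.509 Certificate" to match the Okta field name quoted on the same line.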