Differences

organisationcloud/saml [2020_01_02 17:19] smeadminorganisationcloud/saml [2020_01_03 15:32] – Azure SAML added eric
Line 45: Line 45:
  
  
-===== Configuring with ADFS =====+===== Configuring with ADFS - Local AD =====
  
 From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar.  From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. 
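Review bot: renaming the heading from "Configuring with ADFS" to "Configuring with ADFS - Local AD" changes the section anchor DokuWiki derives from the heading text, so any existing deep links to the old ADFS section will stop resolving; if other pages or support articles link to it, either keep the old wording or mention the new section name where those links live. The rename itself is sensible now that a second ADFS-titled section exists, but note that the new sibling section configures Azure AD directly as the SAML IdP, not AD FS, so "ADFS - Azure AD" is a misleading pairing (see the note on that hunk).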
Line 169: Line 169:
   * User Phone Field => phone   * User Phone Field => phone
  
 +===== Configuring with ADFS - Azure AD =====
 +
 +=== Setup Azure SAML App ===
 +
 +As an administrative user, log into the Azure portal: https://portal.azure.com/
 +
 +Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application. 
 +{{ ::enterprise_application.png?600 |}}
 +
 +{{ ::non_gallery_app.png?200 |}}
 +
 +On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section. 
 +
 +Now that the application is created, we will enable SAML for single sign-on. 
 +
 +{{ ::enterprise_application_sso.png?600 |}}
 +
 +In "Basic SAML Configuration" we will enter the following URLs, which point to your File Fabric instance. 
 +
 +Identifier (Entity ID): File Fabric URL - ex: https://filefabric.fileserverapp.com/
 +
 +Reply URL (Assertion Consumer Service URL): ex: https://filefabric.fileserverapp.com/saml.htm
 +
 +Next we will setup Group Claims.
 +
 +Select "All Groups" as which groups should be returned in the claim. 
 +"Source Attribute" should be set to "Group ID".
 +
 +Once this is set, we will copy and save the URLs 
 +{{ ::azureadfs_setup_urls.png?600 |}}
 +
 +Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section. 
 +
 +{{ ::azureadfs_downloadcert.png?600 |}}
 +
 +Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups enetered here will be able to log into the File Fabric via this SAML integration)
 +
 +{{ ::azureadfs_usersandgroups.png?600 |}}
 +
 +Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. 
 +
 +In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered: 
 +
 +{{ ::azureadfs_userclaims.png?600 |}}
 +
 +=== Setup Graph API ===
 +
 +In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. 
 +
 +In App Registrations, create a "New registration", naming it something like "EFF GraphAPI".
 +
 +Once created, we will edit the API permissions, and "Add A Permission"
 +
 +In the Request API Permissions screen, we will select: 
 +Azure Active Directory Graph > Application permissions >  Directory.Read.All
 +And hit "Add permissions"
 +
 +Now we will gather the credentials. 
 +In "Overview", copy the "Application (client) ID".
 +
 +In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "EFF" and decide when it expires. Now copy the new Value added in the Client Secrets section. 
 +
 +=== Setup File Fabric Auth System ===
 +
 +As an Org admin, we will now enable SAML Authentication. 
 +Click on: Organization > SAML 2
 +
 +Fill in the following details:
 +
 +__Auth System Name__ - Azure SAML
 +
 +__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure”
 +
 +__The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Logout Service Endpoint__ - Enter the "Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above
 +
 +__Fetch User Role\Group Name by id__ - Check
 +
 +__Azure AD Application ID__ - Enter the GraphAPI "Application (client) ID" saved from above
 +
 +__Azure AD Application Key__ - Enter the "Clients Secrets" value saved from above
 +
 +__Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML
 +
 +__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login
 +
 +__Update user info on login__ - Check to update all user information on SAML login
 +__User Import Fields__
 +
 +Ensure the following mappings are set:
 +
 +Unique user attribute > user
 +
 +User login field > user
 +
 +User Name field > fullname
 +
 +User email field > mail
 +
 +Role\Group name field > groups
 +
 +User Phone field > phone 
 +
 +{{ ::azureadfs_authsystem1.png?600 |}}
 +{{ ::azureadfs_authsystem2.png?600 |}}
 ===== Configuring with G Suite (Google) ===== ===== Configuring with G Suite (Google) =====
  
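Review bot: the "Setup Graph API" steps add the Directory.Read.All application permission but never grant admin consent for it; application (app-only) permissions on the Graph API have no effect until a tenant administrator clicks "Grant admin consent" on the API permissions page, so the group-name lookup described under "Fetch User Role\Group Name by id" will fail as written. Add that step after "And hit \"Add permissions\"". Second, the heading "===== Configuring with ADFS - Azure AD =====" and the sentence "In order to get the correct group names from ADFS" are misnomers: nothing in this section touches AD FS, Azure AD itself is the SAML identity provider and the Graph API call goes to Azure AD, so "Configuring with Azure AD" is the accurate title. Third, Directory.Read.All grants read access to the entire directory and the client secret that carries it is stored in the File Fabric configuration; the text should say so, state that the secret value is shown only once, and note that SAML group resolution stops working when the chosen expiry is reached, so the expiry date needs to be recorded and the secret rotated before then. Finally, minor wording and layout: "enetered" should be "entered", "the File Fabric Needs" should be lower-case "needs", "Clients Secrets" is "Client secrets" in the portal, and "__User Import Fields__" needs a blank line before it so DokuWiki does not run it into the preceding "Update user info on login" line.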
Line 276: Line 386:
 ===== Configuring with Okta ===== ===== Configuring with Okta =====
  
-From your Administrative Okta account, click on **Applications** from the top menu, and then click **Add Application**. From the left menu click on the **Create New App** button. +From your Okta's Administrative account, click on **Applications** from the top menu, and then click **Add Application**. From the left menu click on the **Create New App** button. 
  
 For the **Platform** option, select **Web**.  For the **Platform** option, select **Web**. 
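Review bot: the new wording "From your Okta's Administrative account" is ungrammatical; suggest "From your Okta administrator account" (or keep the original "From your Administrative Okta account").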
Line 284: Line 394:
 Then click **Create**.  Then click **Create**. 
  
-On the next screen we need to supply some basic information for the application. +On the next screenwe need to supply some basic information for the application. 
  
 For the **App Name**, provide a friendly name for the SME service, e.g. **Enterprise File Fabric**. Optionally you can also provide an **App logo** that users would recognize.  For the **App Name**, provide a friendly name for the SME service, e.g. **Enterprise File Fabric**. Optionally you can also provide an **App logo** that users would recognize. 
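Review bot: the `+` line drops the space in "On the next screenwe need to supply"; restore "On the next screen we need to supply".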
Line 292: Line 402:
 On the **SAML settings** screen we want to configure the fields as follows: On the **SAML settings** screen we want to configure the fields as follows:
  
-  * __Single sign on URL__ - This should be the URI of your SME appliance, appended by "/saml.htm". For example "https://sme.example.com/saml.htm" +  * __Single sign on URL__ - This should be the URI of your Enterprise File Fabric appliance, appended by "/saml.htm". For example "https://sme.example.com/saml.htm" 
-  * __Audience URI__ - This should be the URI of your SME Appliance, e.g. "https://sme.example.com"+  * __Audience URI__ - This should be the URI of your Enterprise File Fabric appliance, e.g. "https://sme.example.com"
   * __Default RelayState__ - This should be left blank   * __Default RelayState__ - This should be left blank
   * __Name ID format__ - Select Email Address   * __Name ID format__ - Select Email Address
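Review bot: the Audience URI example "https://sme.example.com" has no trailing slash, while the Azure AD section added in this same revision gives the Identifier (Entity ID) as "https://filefabric.fileserverapp.com/" with one. SAML audience and issuer values are compared as exact strings, so the two examples should use the same form, and the text should say that the value must match the File Fabric's service provider entity ID character for character, otherwise logins fail with an audience-restriction error that is hard to diagnose from the login page.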
Line 303: Line 413:
   * In **Single Logout URL** enter the value you entered in **Audience URI**   * In **Single Logout URL** enter the value you entered in **Audience URI**
   * In **SP Issuer** enter the value you entered in **Audience URI**   * In **SP Issuer** enter the value you entered in **Audience URI**
-  * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your File Fabric Auth System configuration screen. +  * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your Enterprise File Fabric appliance Auth System configuration screen. 
  
 Under **Attribute Statements** configure the mappings as follows:  Under **Attribute Statements** configure the mappings as follows: 
Line 311: Line 421:
   * Name "username", Name format "basic", Value "user.login"   * Name "username", Name format "basic", Value "user.login"
  
-Under **Group Attribute Statements**, you will need to [choose which groups need to be exposed to the File Fabric](https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm). +Under **Group Attribute Statements**, you will need to [choose which groups need to be exposed to the Enterprise File Fabric](https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm). 
  
-A Groups Entry will need to be added with a name of "groups". The Value is dependant on what you would like to expose to the File Fabric. Some examples are below:+A Groups Entry will need to be added with a name of "groups". The Value is dependant on what you would like to expose to the Enterprise File Fabric. Some examples are below:
  
   * Contains: IT - Matches groups containing the word "IT"   * Contains: IT - Matches groups containing the word "IT"
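Review bot: "dependant" in "The Value is dependant on what you would like to expose" should be "dependent"; the typo is present on both sides of the diff, so this edit is a good moment to fix it.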
Line 321: Line 431:
  
 On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button.  On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button. 
- 
  
 On the File Fabric SAML Auth System screen, enter the following values: On the File Fabric SAML Auth System screen, enter the following values:
Line 327: Line 436:
   * The Service provider entity ID - The URI entered earlier from the **Audience URI** field   * The Service provider entity ID - The URI entered earlier from the **Audience URI** field
   * SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen   * SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen
-  * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen. +  * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen.
   * x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen   * x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen
  
 Before users are able to access the Okta application, Users or Groups must be assigned the application for it to be available to them.  Before users are able to access the Okta application, Users or Groups must be assigned the application for it to be available to them. 
 +
 +Your Okta setup with the Enterprise File Fabric is now complete.
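Review bot: the x509 Certificate bullet still reads "found on the Oka setup instructions screen" on both sides of the diff; it should be "Okta". The only change to the logout-service-endpoint line appears to be trailing whitespace removal, which is fine. The added closing sentence reads well.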