Differences
This shows you the differences between two versions of the page.
organisationcloud/saml [2020_01_02 17:33] – smeadmin | organisationcloud/saml [2020_01_03 15:32] – Azure SAML added eric | ||
Line 45: | Line 45: | ||
- | ===== Configuring with ADFS ===== | + | ===== Configuring with ADFS - Local AD ===== |
From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | ||
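Review bot: the renamed heading "===== Configuring with ADFS - Local AD =====" pairs this section with the new "===== Configuring with ADFS - Azure AD =====" section, but that new section walks through an Azure AD Enterprise Application and SAML single sign-on in the Azure portal, which does not involve an AD FS server at all. Suggest "Configuring with AD FS (on-premises AD)" here and "Configuring with Azure AD" for the new section, so readers do not go looking for AD FS management screens inside Azure.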
Line 169: | Line 169: | ||
* User Phone Field => phone | * User Phone Field => phone | ||
+ | ===== Configuring with ADFS - Azure AD ===== | ||
+ | |||
+ | === Setup Azure SAML App === | ||
+ | |||
+ | As an administrative user, log into the Azure portal: https:// | ||
+ | |||
+ | Search and enter the page for " | ||
+ | {{ :: | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | On the next screen we will name the application something like // | ||
+ | |||
+ | Now that the application is created, we will enable SAML for single sign-on. | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | In "Basic SAML Configuration" | ||
+ | |||
+ | Identifier (Entity ID): File Fabric URL - ex: https:// | ||
+ | |||
+ | Reply URL (Assertion Consumer Service URL): ex: https:// | ||
+ | |||
+ | Next we will setup Group Claims. | ||
+ | |||
+ | Select "All Groups" | ||
+ | " | ||
+ | |||
+ | Once this is set, we will copy and save the URLs | ||
+ | {{ :: | ||
+ | |||
+ | Next we will download the Certificate (Base64) from the "SAML Signing Certificate" | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/ | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. | ||
+ | |||
+ | In the "User Attributes & Claims" | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | === Setup Graph API === | ||
+ | |||
+ | In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. | ||
+ | |||
+ | In App Registrations, | ||
+ | |||
+ | Once created, we will edit the API permissions, | ||
+ | |||
+ | In the Request API Permissions screen, we will select: | ||
+ | Azure Active Directory Graph > Application permissions > Directory.Read.All | ||
+ | And hit "Add permissions" | ||
+ | |||
+ | Now we will gather the credentials. | ||
+ | In " | ||
+ | |||
+ | In " | ||
+ | |||
+ | === Setup File Fabric Auth System === | ||
+ | |||
+ | As an Org admin, we will now enable SAML Authentication. | ||
+ | Click on: Organization > SAML 2 | ||
+ | |||
+ | Fill in the following details: | ||
+ | |||
+ | __Auth System Name__ - Azure SAML | ||
+ | |||
+ | __Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure” | ||
+ | |||
+ | __The service provider entity ID__ - Enter the "Azure AD Identifier" | ||
+ | |||
+ | __SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above | ||
+ | |||
+ | __Logout Service Endpoint__ - Enter the " | ||
+ | |||
+ | __Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above | ||
+ | |||
+ | __Fetch User Role\Group Name by id__ - Check | ||
+ | |||
+ | __Azure AD Application ID__ - Enter the GraphAPI " | ||
+ | |||
+ | __Azure AD Application Key__ - Enter the " | ||
+ | |||
+ | __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML | ||
+ | |||
+ | __Update user roles/ | ||
+ | |||
+ | __Update user info on login__ - Check to update all user information on SAML login | ||
+ | __User Import Fields__ | ||
+ | |||
+ | Ensure the following mappings are set: | ||
+ | |||
+ | Unique user attribute > user | ||
+ | |||
+ | User login field > user | ||
+ | |||
+ | User Name field > fullname | ||
+ | |||
+ | User email field > mail | ||
+ | |||
+ | Role\Group name field > groups | ||
+ | |||
+ | User Phone field > phone | ||
+ | |||
+ | {{ :: | ||
+ | {{ :: | ||
===== Configuring with G Suite (Google) ===== | ===== Configuring with G Suite (Google) ===== | ||
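Review bot: the "=== Setup Graph API ===" steps, together with the "Azure AD Application ID" and "Azure AD Application Key" fields, store a client secret that carries the application permission Directory.Read.All in the File Fabric SAML configuration, but nothing in the hunk says what that grants or when it stops working. Suggest adding that this is an application (not delegated) permission, so the stored key can read the whole directory regardless of which users or groups were assigned to the Enterprise Application, that the secret should be created with the shortest expiry the organisation accepts and rotated before it lapses, since group-name resolution depends on it, and that the Base64 signing certificate pasted into "Certificate Data" also expires and must be replaced when Azure AD rolls it, or SAML logins will fail. Worth a note as well that "Azure Active Directory Graph" is the legacy API and Microsoft Graph is its replacement, so the permission path shown here will need revisiting.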