Differences
This shows you the differences between two versions of the page.
Old revision: organisationcloud/saml [2020_01_03 15:32] – Azure SAML added (eric)
New revision: organisationcloud/saml [2020_11_24 20:57] (smeadmin)

Line 1:
====== SAML 2.0 and the SME Enterprise File Fabric ======
- last updated
+ last updated
The Enterprise File Fabric supports users logging in via the SAML 2.0 protocol. SAML 2.0 is increasing in popularity, and there are a number of different flavours and variations provided by different identity providers (IdPs), such as Active Directory Federation Services (ADFS) and Google Suite (GSuite).
Line 175:
As an administrative user, log into the Azure portal: https://
- Search and enter the page for "
+ Search and enter the page for "
- {{ ::
- {{ ::non_gallery_app.png?200 |}}
+ {{::azure-createapp.png?800|}}
- On the next screen we will name the application
+ Input a name for the application, for example **Enterprise File Fabric**.
+
+ Select **Integrate any other application you don't find in the gallery** from the list of options.
Now that the application is created, we will enable SAML for single sign-on.
Line 194:
Next we will set up Group Claims.
- Select
+ Under **User Attributes & Claims** click **Edit**. Then select **Add a group claim**.
- "Source Attribute"
+
+ Select
+ **Source Attribute** should be set to **Group ID**.
Once this is set, we will copy and save the URLs
Line 211:
In the "User Attributes & Claims"
+
{{ ::
Line 221:
Once created, we will edit the API permissions,
+
+ From the list, select **Azure Active Directory Graph**.
In the Request API Permissions screen, we will select:
Line 271:
User Name field > fullname
- User email field > mail
+ User email field > othermail
Role\Group name field > groups
Line 442:
Your Okta setup with the Enterprise File Fabric is now complete.
+
+ ===== Configuring with Duo Access Gateway =====
+
+ __First you will need to set up your Duo Access Gateway__
+ As defined here: [[https://
+
+ Service Provider Name: SME File Fabric
+
+ Entity ID: your File Fabric URL
+
+ Assertion Consumer Service: your File Fabric URL + /saml.html
+
+ {{:
+ Send Attributes: All
+
+ a) Group name fix
+ There is an issue with the group name when using AD as the directory backend: by default the values that come back are the group DN rather than the friendly name.
+
+ When you finish generating the JSON file, edit it to update the memberof entry to look like this:
+
+ ```
+ "
+ "
+ "
+ "
+ "
+ },
+
+ ```
+
+ Apply that JSON to your DAG.
+
+
+ __Update DAG to return displayName (and other attributes we need)__
+
+ We need to ensure that the display name is returned:
+
+ In the DAG, under Authentication Source, add displayName as one of the attributes to return:
+
+ {{:
+
+ __Gather info from DAG for SME integration__
+
+ Follow the steps as defined here: [[https://
+ This will give you URL/
+
+ __Create Auth System in SME__
+
+ We'll enter this data into the File Fabric. Logged in as the Org Admin, in a package with SAML enabled, go to Organization>
+
+ {{:
+ {{:
+
+ This will now allow your users to click the Duo Access Gateway login button on the page and log in through your DAG into the File Fabric.
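An added example, not code from the page, the File Fabric or Duo: a small service-provider-side check in Python that applies the kind of field mapping used in the auth-system form (User Name, User email, Role\Group name) to a constructed assertion, confirms the assertion is addressed to the File Fabric ACS URL (your URL + /saml.html), and normalises DN-form memberOf values to their friendly CN, which is the mismatch the group name fix above addresses. The SAML attribute names (displayName, mail, memberOf) and the example.test hostname are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-side mapping in the spirit of the File Fabric auth-system form (User Name,
# User email, Role\Group name). The attribute names are assumptions; use what your IdP sends.
FIELD_MAP = {"fullname": "displayName", "email": "mail", "groups": "memberOf"}

def friendly_group(value):
    """Reduce a DN-style group value (CN=Name,OU=...) to its CN; leave other values as-is."""
    m = re.match(r"\s*CN=([^,]+)", value, re.IGNORECASE)
    return m.group(1).strip() if m else value

def extract_attributes(assertion_xml, expected_acs):
    """Return {name: [values]} from an assertion whose Recipient is our ACS URL.
    Signature/Conditions checks belong to the SAML library and are not shown here."""
    root = ET.fromstring(assertion_xml)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        raise ValueError("assertion is not addressed to the expected ACS URL")
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}

def map_user(attrs):
    """Apply FIELD_MAP and normalise groups so DN-returning and friendly-name IdPs agree."""
    first = lambda field: attrs.get(FIELD_MAP[field], [""])[0]
    return {"fullname": first("fullname"), "email": first("email"),
            "groups": [friendly_group(g) for g in attrs.get(FIELD_MAP["groups"], [])]}

# Constructed sample assertion (not a real DAG response); ACS = File Fabric URL + /saml.html
ACS = "https://files.example.test/saml.html"
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="{ACS}"/></saml:SubjectConfirmation></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf">
   <saml:AttributeValue>CN=Finance,OU=Groups,DC=example,DC=test</saml:AttributeValue>
   <saml:AttributeValue>Engineering</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(map_user(extract_attributes(SAMPLE, ACS)))
```

Running it prints the mapped user with both groups reduced to `Finance` and `Engineering`; an assertion whose Recipient is not your ACS URL is rejected before any attribute is read.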