Differences
organisationcloud/saml [2020_01_03 15:32] – Azure SAML added ericorganisationcloud/saml [2020_11_24 20:57] smeadmin
Line 1: Line 1:
 ====== SAML 2.0 and the SME Enterprise File Fabric ====== ====== SAML 2.0 and the SME Enterprise File Fabric ======
-last updated Sept. 25 2018+last updated June 22 2020
  
 The Enterprise File Fabric supports users logging-in via the SAML 2.0 protocol. The SAML 2.0 protocol is increasing in popularity, and there are a number of different flavours and variations provided by different identity providers (IDPs), like Active Directory Federation Services (ADFS) and Google Suite (GSuite).  The Enterprise File Fabric supports users logging-in via the SAML 2.0 protocol. The SAML 2.0 protocol is increasing in popularity, and there are a number of different flavours and variations provided by different identity providers (IDPs), like Active Directory Federation Services (ADFS) and Google Suite (GSuite). 
Line 175: Line 175:
 As an administrative user, log into the Azure portal: https://portal.azure.com/ As an administrative user, log into the Azure portal: https://portal.azure.com/
  
-Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application.  +Search and enter the page for "Enterprise Applications", Add a New Application. Click "Create your own application"
-{{ ::enterprise_application.png?600 |}}+
  
-{{ ::non_gallery_app.png?200 |}}+{{::azure-createapp.png?800|}}
  
-On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section+Input a name for the application, for example **Enterprise File Fabric**. 
 + 
 +Select **Integrate any other application you don't find in the gallery** from the list of options.
  
 Now that the application is created, we will enable SAML for single sign-on.  Now that the application is created, we will enable SAML for single sign-on. 
Line 194: Line 195:
 Next we will setup Group Claims. Next we will setup Group Claims.
  
-Select "All Groupsas which groups should be returned in the claim.  +Under **User Attributes & Claims** click **Edit**. Then select **Add a group claim**. 
-"Source Attributeshould be set to "Group ID".+ 
 +Select **All Groups** as which groups should be returned in the claim.  
 +**Source Attribute** should be set to **Group ID**.
  
 Once this is set, we will copy and save the URLs  Once this is set, we will copy and save the URLs 
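Review bot: the group claim is configured with Source Attribute set to Group ID, so the assertion will carry Azure AD group object IDs (GUIDs) rather than display names; the added lines should say so, because the File Fabric side of the group mapping then has to be keyed on those IDs and an administrator following the page would otherwise expect readable group names. If only some groups are relevant to the File Fabric, the text could also point out that a narrower selection than **All Groups** keeps the assertion from disclosing a user's full group membership to the service provider.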
Line 211: Line 214:
  
 In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered:  In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered: 
 +
  
 {{ ::azureadfs_userclaims.png?600 |}} {{ ::azureadfs_userclaims.png?600 |}}
Line 221: Line 225:
  
 Once created, we will edit the API permissions, and "Add A Permission" Once created, we will edit the API permissions, and "Add A Permission"
 +
 +From the list, select **Azure Active Directory Graph**.
  
 In the Request API Permissions screen, we will select:  In the Request API Permissions screen, we will select: 
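Review bot: the added line names the API (**Azure Active Directory Graph**) but the actual permission being granted is only in the lines after this hunk; the text should spell out the exact permission, its type (delegated or application) and whether admin consent is required, and keep it to the minimum the group lookup needs, since any broader read permission granted here is held by the enterprise application itself rather than by the signing-in user.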
Line 271: Line 277:
 User Name field > fullname User Name field > fullname
  
-User email field > mail+User email field > othermail
  
 Role\Group name field > groups Role\Group name field > groups
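Review bot: the change from `mail` to `othermail` for the user e-mail field is given without explanation; the two are different directory attributes and need not both be populated for every user, so the text should say when `othermail` is the right source and what happens to accounts that were previously matched on `mail`. The value entered here also has to agree with the claim name configured in the User Attributes & Claims step, because the e-mail field is what ties the SAML identity to the File Fabric account.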
Line 442: Line 448:
  
 Your Okta setup with the Enterprise File Fabric is now complete.  Your Okta setup with the Enterprise File Fabric is now complete. 
 +
 +===== Configuring with Duo Access Gateway =====
 +
 +__First you will need to setup your Duo Access Gatway__
 +As defined here: [[https://duo.com/docs/dag-generic#create-your-cloud-application-in-duo|DAG Create your cloud application in duo]].
 +
 +Service Provider Name: SME File Fabric
 +
 +Entity ID: your File Fabric URL
 +
 +Assertion Consumer Service: your file fabric url + /saml.html
 +
 +{{:dag_sp_setup.png}}
 +Send Attributes: All
 +
 +a) Group name fix
 +There is an issue with the group name (when leveraging AD as the Directory backend). By default the results that come back are the DN and not the friendly name.
 +
 +When you finish generating the json file you’ll edit to to update the memberof to look like so:
 +
 +```
 +            "94": {
 +                "class": "core:AttributeAlter",
 +                "subject": "memberOf",
 +                "pattern": "/^CN=(.*?),.*/",
 +                "replacement": "${1}"
 +            },
 +
 +```
 +
 +Apply that json to your DAG.
 +
 +
 +__Update DAG to return displayName (and other attributes we need)__
 +
 +We need to ensure that the display name is returned:
 +
 +In the DAG under Authentication Source we can add displayName as one of the attributes to return:
 + 
 +{{:dag_authsources.png}}
 +
 +__Gather info from DAG for SME integration__
 +
 +Follow the steps as defined here: [[https://duo.com/docs/dag-generic#configure-your-service-provider|DAG - Configure Your Service Provider]]
 +This will give you URL/IDs/Certs needed for File Fabric Auth System Setup.
 +
 +__Create Auth System in SME__
 +
 +We’ll enter this data into the File Fabric. Logged in as the Org Admin, in a package with SAML enabled, go to Organization> Auth Systems.
 +
 +{{:dag_authsys1.png}}
 +{{:dag_authsys2.png}}
 +
 +This will now allow your users to click the Duo Access Gateway login button the page and login through your DAG into the File Fabric.
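Review bot: the `core:AttributeAlter` rule rewrites every `memberOf` value to its first `CN=` component (`"pattern": "/^CN=(.*?),.*/"`, `"replacement": "${1}"`), which discards the OU/DC path; two groups with the same CN in different containers therefore become indistinguishable in the `groups` value the File Fabric uses for role/group mapping, so the text should warn that group CNs must be unique across the directory (or the pattern narrowed) before the result is relied on for access decisions. The Entity ID and Assertion Consumer Service values are given as free text ("your file fabric url + /saml.html"); stating the exact URL form expected on each side would avoid mismatches. Minor typos in the added text: "Gatway", "edit to to", and "login button the page".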