Differences

This shows you the differences between two versions of the page.

organisationcloud/saml [2020_01_02 17:26] smeadmin
organisationcloud/saml [2020_01_03 15:32] – Azure SAML added eric
Line 45: Line 45:
  
  
-===== Configuring with ADFS =====+===== Configuring with ADFS - Local AD =====
  
 From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar.  From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. 
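Review bot: the renamed heading spells the product "ADFS" while the body line right under it calls it "AD FS"; use one spelling (the product name is AD FS), and consider "AD FS (on-premises AD)" so the heading contrasts clearly with the "Azure AD" section added in the same revision, which walks through an Azure AD Enterprise Application rather than an AD FS relying party trust.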
Line 169: Line 169:
   * User Phone Field => phone   * User Phone Field => phone
  
 +===== Configuring with ADFS - Azure AD =====
 +
 +=== Setup Azure SAML App ===
 +
 +As an administrative user, log into the Azure portal: https://portal.azure.com/
 +
 +Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application. 
 +{{ ::enterprise_application.png?600 |}}
 +
 +{{ ::non_gallery_app.png?200 |}}
 +
 +On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section. 
 +
 +Now that the application is created, we will enable SAML for single sign-on. 
 +
 +{{ ::enterprise_application_sso.png?600 |}}
 +
 +In "Basic SAML Configuration" we will enter the following URLs, which point to your File Fabric instance. 
 +
 +Identifier (Entity ID): File Fabric URL - ex: https://filefabric.fileserverapp.com/
 +
 +Reply URL (Assertion Consumer Service URL): ex: https://filefabric.fileserverapp.com/saml.htm
 +
 +Next we will setup Group Claims.
 +
 +Select "All Groups" as which groups should be returned in the claim. 
 +"Source Attribute" should be set to "Group ID".
 +
 +Once this is set, we will copy and save the URLs 
 +{{ ::azureadfs_setup_urls.png?600 |}}
 +
 +Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section. 
 +
 +{{ ::azureadfs_downloadcert.png?600 |}}
 +
 +Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups enetered here will be able to log into the File Fabric via this SAML integration)
 +
 +{{ ::azureadfs_usersandgroups.png?600 |}}
 +
 +Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. 
 +
 +In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered: 
 +
 +{{ ::azureadfs_userclaims.png?600 |}}
 +
 +=== Setup Graph API ===
 +
 +In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. 
 +
 +In App Registrations, create a "New registration", naming it something like "EFF GraphAPI".
 +
 +Once created, we will edit the API permissions, and "Add A Permission"
 +
 +In the Request API Permissions screen, we will select: 
 +Azure Active Directory Graph > Application permissions >  Directory.Read.All
 +And hit "Add permissions"
 +
 +Now we will gather the credentials. 
 +In "Overview", copy the "Application (client) ID".
 +
 +In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "EFF" and decide when it expires. Now copy the new Value added in the Client Secrets section. 
 +
 +=== Setup File Fabric Auth System ===
 +
 +As an Org admin, we will now enable SAML Authentication. 
 +Click on: Organization > SAML 2
 +
 +Fill in the following details:
 +
 +__Auth System Name__ - Azure SAML
 +
 +__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure”
 +
 +__The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Logout Service Endpoint__ - Enter the "Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above
 +
 +__Fetch User Role\Group Name by id__ - Check
 +
 +__Azure AD Application ID__ - Enter the GraphAPI "Application (client) ID" saved from above
 +
 +__Azure AD Application Key__ - Enter the "Clients Secrets" value saved from above
 +
 +__Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML
 +
 +__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login
 +
 +__Update user info on login__ - Check to update all user information on SAML login
 +__User Import Fields__
 +
 +Ensure the following mappings are set:
 +
 +Unique user attribute > user
 +
 +User login field > user
 +
 +User Name field > fullname
 +
 +User email field > mail
 +
 +Role\Group name field > groups
 +
 +User Phone field > phone 
 +
 +{{ ::azureadfs_authsystem1.png?600 |}}
 +{{ ::azureadfs_authsystem2.png?600 |}}
 ===== Configuring with G Suite (Google) ===== ===== Configuring with G Suite (Google) =====
  
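Review bot: the "User Attributes & Claims" step ("we'll add a new claim and make sure all the claims below are entered:") is followed only by a screenshot, so the required claim names exist nowhere in text; list them explicitly (from the File Fabric mapping section further down they are user, fullname, mail, groups and phone) and state which Azure source attribute each one is taken from. The group claim is configured with "Group ID" as the source attribute, and the separate app registration with Directory.Read.All exists to resolve those IDs to names for the "Fetch User Role\Group Name by id" option; say that in one sentence at the top of "Setup Graph API" so readers understand why a second registration with directory-wide read permission is being granted, and change "get the correct group names from ADFS" to "from Azure AD". The client secret step says to copy the new Value and "decide when it expires" but gives no guidance on what happens at expiry (the group-name lookup that depends on it stops working) or on rotation; add a line on recording the expiry date and updating the "Azure AD Application Key" field before then. Smaller fixes: "enetered" to "entered", "Clients Secrets" to "Client secrets" (twice), "File Fabric Needs" to "needs", "setup" as a verb to "set up", and a blank line before __User Import Fields__ so it renders as its own paragraph.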
Line 326: Line 436:
   * The Service provider entity ID - The URI entered earlier from the **Audience URI** field   * The Service provider entity ID - The URI entered earlier from the **Audience URI** field
   * SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen   * SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen
-  * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen. +  * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen.
   * x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen   * x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen
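Review bot: the only change in this hunk is dropping a trailing space from the logout endpoint bullet; while this list is being touched, the following context line's "found on the Oka setup instructions screen" should read "Okta".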