Differences

organisationcloud/saml [2020_01_02 17:33] smeadmin
organisationcloud/saml [2020_01_03 15:32] – Azure SAML added eric
Line 45: Line 45:
  
  
-===== Configuring with ADFS =====+===== Configuring with ADFS - Local AD =====
  
 From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar.  From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. 
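Review bot: the renamed heading on the changed line (`===== Configuring with ADFS - Local AD =====`) drops the old heading text, so any page or bookmark that links to this section by its previous heading name will need updating; the rename itself reads clearly and makes the distinction from the new "Azure AD" section below explicit.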
Line 169: Line 169:
   * User Phone Field => phone   * User Phone Field => phone
  
 +===== Configuring with ADFS - Azure AD =====
 +
 +=== Setup Azure SAML App ===
 +
 +As an administrative user, log into the Azure portal: https://portal.azure.com/
 +
 +Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application. 
 +{{ ::enterprise_application.png?600 |}}
 +
 +{{ ::non_gallery_app.png?200 |}}
 +
 +On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section. 
 +
 +Now that the application is created, we will enable SAML for single sign-on. 
 +
 +{{ ::enterprise_application_sso.png?600 |}}
 +
 +In "Basic SAML Configuration" we will enter the following URLs, which point to your File Fabric instance. 
 +
 +Identifier (Entity ID): File Fabric URL - ex: https://filefabric.fileserverapp.com/
 +
 +Reply URL (Assertion Consumer Service URL): ex: https://filefabric.fileserverapp.com/saml.htm
 +
 +Next we will setup Group Claims.
 +
 +Select "All Groups" as which groups should be returned in the claim. 
 +"Source Attribute" should be set to "Group ID".
 +
 +Once this is set, we will copy and save the URLs 
 +{{ ::azureadfs_setup_urls.png?600 |}}
 +
 +Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section. 
 +
 +{{ ::azureadfs_downloadcert.png?600 |}}
 +
 +Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups enetered here will be able to log into the File Fabric via this SAML integration)
 +
 +{{ ::azureadfs_usersandgroups.png?600 |}}
 +
 +Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. 
 +
 +In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered: 
 +
 +{{ ::azureadfs_userclaims.png?600 |}}
 +
 +=== Setup Graph API ===
 +
 +In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. 
 +
 +In App Registrations, create a "New registration", naming it something like "EFF GraphAPI".
 +
 +Once created, we will edit the API permissions, and "Add A Permission"
 +
 +In the Request API Permissions screen, we will select: 
 +Azure Active Directory Graph > Application permissions >  Directory.Read.All
 +And hit "Add permissions"
 +
 +Now we will gather the credentials. 
 +In "Overview", copy the "Application (client) ID".
 +
 +In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "EFF" and decide when it expires. Now copy the new Value added in the Client Secrets section. 
 +
 +=== Setup File Fabric Auth System ===
 +
 +As an Org admin, we will now enable SAML Authentication. 
 +Click on: Organization > SAML 2
 +
 +Fill in the following details:
 +
 +__Auth System Name__ - Azure SAML
 +
 +__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure”
 +
 +__The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Logout Service Endpoint__ - Enter the "Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above
 +
 +__Fetch User Role\Group Name by id__ - Check
 +
 +__Azure AD Application ID__ - Enter the GraphAPI "Application (client) ID" saved from above
 +
 +__Azure AD Application Key__ - Enter the "Clients Secrets" value saved from above
 +
 +__Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML
 +
 +__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login
 +
 +__Update user info on login__ - Check to update all user information on SAML login
 +__User Import Fields__
 +
 +Ensure the following mappings are set:
 +
 +Unique user attribute > user
 +
 +User login field > user
 +
 +User Name field > fullname
 +
 +User email field > mail
 +
 +Role\Group name field > groups
 +
 +User Phone field > phone 
 +
 +{{ ::azureadfs_authsystem1.png?600 |}}
 +{{ ::azureadfs_authsystem2.png?600 |}}
 ===== Configuring with G Suite (Google) ===== ===== Configuring with G Suite (Google) =====
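Review bot: the step `In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered:` is followed only by the screenshot `{{ ::azureadfs_userclaims.png?600 |}}`, so the required claim names exist nowhere in the text; list them in the wiki text (the File Fabric mapping later in this hunk expects the attributes `user`, `fullname`, `mail`, `groups` and `phone`) so the page can be followed without the image. The headings `===== Configuring with ADFS - Azure AD =====` and the sentence "In order to get the correct group names from ADFS" mislabel the procedure, which uses Azure AD Enterprise Applications and App Registrations rather than AD FS; "Configuring with Azure AD" would be accurate. Typo: "enetered" should be "entered". The client secret created under "Certificates & Secrets" is given an expiry at creation and is then stored in the File Fabric auth system as the "Azure AD Application Key", backed by the tenant-wide `Directory.Read.All` application permission; the page should tell the admin to record that expiry and replace the key before it lapses, since the "Fetch User Role\Group Name by id" lookup depends on it, and likewise that the pasted "Certificate Data" must be refreshed whenever the SAML signing certificate in the Azure app is replaced.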