organisationcloud/saml [2020_01_02 17:33] – smeadmin | organisationcloud/saml [2020_06_22 18:44] – [SAML 2.0 and the SME Enterprise File Fabric] jim | ||
Line 1: | Line 1: | ||
====== SAML 2.0 and the SME Enterprise File Fabric ====== | ====== SAML 2.0 and the SME Enterprise File Fabric ====== | ||
- | last updated | + | last updated |
The Enterprise File Fabric supports users logging-in via the SAML 2.0 protocol. The SAML 2.0 protocol is increasing in popularity, and there are a number of different flavours and variations provided by different identity providers (IDPs), like Active Directory Federation Services (ADFS) and Google Suite (GSuite). | The Enterprise File Fabric supports users logging-in via the SAML 2.0 protocol. The SAML 2.0 protocol is increasing in popularity, and there are a number of different flavours and variations provided by different identity providers (IDPs), like Active Directory Federation Services (ADFS) and Google Suite (GSuite). | ||
Line 45: | Line 45: | ||
- | ===== Configuring with ADFS ===== | + | ===== Configuring with ADFS - Local AD ===== |
From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | ||
Line 169: | Line 169: | ||
* User Phone Field => phone | * User Phone Field => phone | ||
+ | ===== Configuring with ADFS - Azure AD ===== | ||
+ | |||
+ | === Setup Azure SAML App === | ||
+ | |||
+ | As an administrative user, log into the Azure portal: https:// | ||
+ | |||
+ | Search and enter the page for " | ||
+ | {{ :: | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | On the next screen we will name the application something like // | ||
+ | |||
+ | Now that the application is created, we will enable SAML for single sign-on. | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | In "Basic SAML Configuration" | ||
+ | |||
+ | Identifier (Entity ID): File Fabric URL - ex: https:// | ||
+ | |||
+ | Reply URL (Assertion Consumer Service URL): ex: https:// | ||
+ | |||
+ | Next we will setup Group Claims. | ||
+ | |||
+ | Select "All Groups" | ||
+ | " | ||
+ | |||
+ | Once this is set, we will copy and save the URLs | ||
+ | {{ :: | ||
+ | |||
+ | Next we will download the Certificate (Base64) from the "SAML Signing Certificate" | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/ | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. | ||
+ | |||
+ | In the "User Attributes & Claims" | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | === Setup Graph API === | ||
+ | |||
+ | In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. | ||
+ | |||
+ | In App Registrations, | ||
+ | |||
+ | Once created, we will edit the API permissions, | ||
+ | |||
+ | In the Request API Permissions screen, we will select: | ||
+ | Azure Active Directory Graph > Application permissions > Directory.Read.All | ||
+ | And hit "Add permissions" | ||
+ | |||
+ | Now we will gather the credentials. | ||
+ | In " | ||
+ | |||
+ | In " | ||
+ | |||
+ | === Setup File Fabric Auth System === | ||
+ | |||
+ | As an Org admin, we will now enable SAML Authentication. | ||
+ | Click on: Organization > SAML 2 | ||
+ | |||
+ | Fill in the following details: | ||
+ | |||
+ | __Auth System Name__ - Azure SAML | ||
+ | |||
+ | __Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure” | ||
+ | |||
+ | __The service provider entity ID__ - Enter the "Azure AD Identifier" | ||
+ | |||
+ | __SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above | ||
+ | |||
+ | __Logout Service Endpoint__ - Enter the " | ||
+ | |||
+ | __Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above | ||
+ | |||
+ | __Fetch User Role\Group Name by id__ - Check | ||
+ | |||
+ | __Azure AD Application ID__ - Enter the GraphAPI " | ||
+ | |||
+ | __Azure AD Application Key__ - Enter the " | ||
+ | |||
+ | __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML | ||
+ | |||
+ | __Update user roles/ | ||
+ | |||
+ | __Update user info on login__ - Check to update all user information on SAML login | ||
+ | __User Import Fields__ | ||
+ | |||
+ | Ensure the following mappings are set: | ||
+ | |||
+ | Unique user attribute > user | ||
+ | |||
+ | User login field > user | ||
+ | |||
+ | User Name field > fullname | ||
+ | |||
+ | User email field > mail | ||
+ | |||
+ | Role\Group name field > groups | ||
+ | |||
+ | User Phone field > phone | ||
+ | |||
+ | {{ :: | ||
+ | {{ :: | ||
===== Configuring with G Suite (Google) ===== | ===== Configuring with G Suite (Google) ===== | ||
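Review bot: the "Setup Graph API" steps grant Directory.Read.All as an application permission and then paste that registration's client secret into the File Fabric as the "Azure AD Application Key", but nothing in the section says that this value is a credential for tenant-wide directory read access, that it has the expiry chosen when it was created, or that it must be rotated and the File Fabric auth system updated before it lapses; add a sentence to that effect next to the "Azure AD Application Key" field. The same section should also spell out the combined effect of "Select All Groups" in the group claims step and "Auto create user on login" and "Update user roles/..." in the auth-system step, so an Org admin understands that anyone assigned to the Enterprise Application is provisioned on first login and that their File Fabric group membership follows the Azure group claim on each login.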
Line 332: | Line 442: | ||
Your Okta setup with the Enterprise File Fabric is now complete. | Your Okta setup with the Enterprise File Fabric is now complete. | ||
+ | |||
+ | ===== Configuring with Duo Access Gateway ===== | ||
+ | |||
+ | __First you will need to setup your Duo Access Gatway__ | ||
+ | As defined here: [[https:// | ||
+ | |||
+ | Service Provider Name: SME File Fabric | ||
+ | |||
+ | Entity ID: your File Fabric URL | ||
+ | |||
+ | Assertion Consumer Service: your file fabric url + /saml.html | ||
+ | |||
+ | {{: | ||
+ | Send Attributes: All | ||
+ | |||
+ | a) Group name fix | ||
+ | There is an issue with the group name (when leveraging AD as the Directory backend). By default the results that come back are the DN and not the friendly name. | ||
+ | |||
+ | When you finish generating the json file you’ll edit to to update the memberof to look like so: | ||
+ | |||
+ | ``` | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | }, | ||
+ | |||
+ | ``` | ||
+ | |||
+ | Apply that json to your DAG. | ||
+ | |||
+ | |||
+ | __Update DAG to return displayName (and other attributes we need)__ | ||
+ | |||
+ | We need to ensure that the display name is returned: | ||
+ | |||
+ | In the DAG under Authentication Source we can add displayName as one of the attributes to return: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | __Gather info from DAG for SME integration__ | ||
+ | |||
+ | Follow the steps as defined here: [[https:// | ||
+ | This will give you URL/ | ||
+ | |||
+ | __Create Auth System in SME__ | ||
+ | |||
+ | We’ll enter this data into the File Fabric. Logged in as the Org Admin, in a package with SAML enabled, go to Organization> | ||
+ | |||
+ | {{: | ||
+ | {{: | ||
+ | |||
+ | This will now allow your users to click the Duo Access Gateway login button the page and login through your DAG into the File Fabric. | ||
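Review bot: "Send Attributes: All" releases every attribute the Duo Access Gateway holds for the user to the File Fabric, while the page only needs the fields it maps (user, fullname, mail, groups/memberof, phone, and the displayName added under Authentication Source); recommend listing just those attributes in the service provider configuration instead of All, and mention that the memberof fix changes what the group claim contains (friendly name rather than DN), so existing File Fabric group mappings created against the DN must be updated when the json is applied. Minor: "Gatway" in the first heading and "edit to to update" should read "Gateway" and "edit it to update".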