Differences

This shows you the differences between two versions of the page.

--- organisationcloud/saml [2020_01_02 17:33] – smeadmin
+++ organisationcloud/saml [2020_07_16 19:00] – updated text of azure saml user import fields to match screenshot eric
@@ Line 1: / Line 1: @@
 ====== SAML 2.0 and the SME Enterprise File Fabric ======
-last updated Sept. 25 2018
+last updated June 22 2020
 The Enterprise File Fabric supports users logging-in via the SAML 2.0 protocol. The SAML 2.0 protocol is increasing in popularity, and there are a number of different flavours and variations provided by different identity providers (IDPs), like Active Directory Federation Services (ADFS) and Google Suite (GSuite).
@@ Line 45: / Line 45: @@
-===== Configuring with ADFS =====
+===== Configuring with ADFS - Local AD =====
 From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar.
@@ Line 169: / Line 169: @@
   * User Phone Field => phone
+===== Configuring with ADFS - Azure AD =====
+=== Setup Azure SAML App ===
+As an administrative user, log into the Azure portal: https://portal.azure.com/
+Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application.
+{{ ::enterprise_application.png?600 |}}
+{{ ::non_gallery_app.png?200 |}}
+On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section.
+Now that the application is created, we will enable SAML for single sign-on.
+{{ ::enterprise_application_sso.png?600 |}}
+In "Basic SAML Configuration" we will enter the following URLs, which point to your File Fabric instance.
+Identifier (Entity ID): File Fabric URL - ex: https://filefabric.fileserverapp.com/
+Reply URL (Assertion Consumer Service URL): ex: https://filefabric.fileserverapp.com/saml.htm
+Next we will setup Group Claims.
+Select "All Groups" as which groups should be returned in the claim.
+"Source Attribute" should be set to "Group ID".
+Once this is set, we will copy and save the URLs
+{{ ::azureadfs_setup_urls.png?600 |}}
+Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section.
+{{ ::azureadfs_downloadcert.png?600 |}}
+Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups enetered here will be able to log into the File Fabric via this SAML integration)
+{{ ::azureadfs_usersandgroups.png?600 |}}
+Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs.
+In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered:
+{{ ::azureadfs_userclaims.png?600 |}}
+=== Setup Graph API ===
+In order to get the correct group names from ADFS, we will need to enable the Azure Graph API.
+In App Registrations, create a "New registration", naming it something like "EFF GraphAPI".
+Once created, we will edit the API permissions, and "Add A Permission".
+In the Request API Permissions screen, we will select:
+Azure Active Directory Graph > Application permissions >  Directory.Read.All
+And hit "Add permissions"
+Now we will gather the credentials.
+In "Overview", copy the "Application (client) ID".
+In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "EFF" and decide when it expires. Now copy the new Value added in the Client Secrets section.
+=== Setup File Fabric Auth System ===
+As an Org admin, we will now enable SAML Authentication.
+Click on: Organization > SAML 2
+Fill in the following details:
+__Auth System Name__ - Azure SAML
+__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure”
+__The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above
+__SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above
+__Logout Service Endpoint__ - Enter the "Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above
+__Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above
+__Fetch User Role\Group Name by id__ - Check
+__Azure AD Application ID__ - Enter the GraphAPI "Application (client) ID" saved from above
+__Azure AD Application Key__ - Enter the "Clients Secrets" value saved from above
+__Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML
+__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login
+__Update user info on login__ - Check to update all user information on SAML login
+__User Import Fields__
+Ensure the following mappings are set:
+Unique user attribute > user
+User login field > user
+User Name field > fullname
+User email field > othermail
+Role\Group name field > groups
+User Phone field > phone
+{{ ::azureadfs_authsystem1.png?600 |}}
+{{ ::azureadfs_authsystem2.png?600 |}}
 ===== Configuring with G Suite (Google) =====
@@ Line 332: / Line 443: @@
 Your Okta setup with the Enterprise File Fabric is now complete.
+===== Configuring with Duo Access Gateway =====
+__First you will need to setup your Duo Access Gatway__
+As defined here: [[https://duo.com/docs/dag-generic#create-your-cloud-application-in-duo|DAG Create your cloud application in duo]].
+Service Provider Name: SME File Fabric
+Entity ID: your File Fabric URL
+Assertion Consumer Service: your file fabric url + /saml.html
+{{:dag_sp_setup.png}}
+Send Attributes: All
+a) Group name fix
+There is an issue with the group name (when leveraging AD as the Directory backend). By default the results that come back are the DN and not the friendly name.
+When you finish generating the json file you’ll edit to to update the memberof to look like so:
+```
+            "94": {
+                "class": "core:AttributeAlter",
+                "subject": "memberOf",
+                "pattern": "/^CN=(.*?),.*/",
+                "replacement": "${1}"
+            },
+```
+Apply that json to your DAG.
+__Update DAG to return displayName (and other attributes we need)__
+We need to ensure that the display name is returned:
+In the DAG under Authentication Source we can add displayName as one of the attributes to return:
+{{:dag_authsources.png}}
+__Gather info from DAG for SME integration__
+Follow the steps as defined here: [[https://duo.com/docs/dag-generic#configure-your-service-provider|DAG - Configure Your Service Provider]]
+This will give you URL/IDs/Certs needed for File Fabric Auth System Setup.
+__Create Auth System in SME__
+We’ll enter this data into the File Fabric. Logged in as the Org Admin, in a package with SAML enabled, go to Organization> Auth Systems.
+{{:dag_authsys1.png}}
+{{:dag_authsys2.png}}
+This will now allow your users to click the Duo Access Gateway login button the page and login through your DAG into the File Fabric.