Differences

This shows you the differences between two versions of the page.

Link to this comparison view

organisationcloud/saml [2020_01_03 15:32] – Azure SAML added ericorganisationcloud:saml [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== SAML 2.0 and the SME Enterprise File Fabric ====== 
-last updated Sept. 25 2018 
- 
-The Enterprise File Fabric supports users logging-in via the SAML 2.0 protocol. The SAML 2.0 protocol is increasing in popularity, and there are a number of different flavours and variations provided by different identity providers (IDPs), like Active Directory Federation Services (ADFS) and Google Suite (GSuite).  
- 
-This guide covers how a SAML 2.0 configuration can be configured from the File fabric interface, and the specifics relating to each platform.  
- 
-===== Setting up SAML 2.0 with the Enterprise File Fabric ===== 
- 
-To begin configuring the SAML 2.0 connection, you will need to ensure that SAML is enabled in your Package. To do this login as the ApplAdmin user, visit the **User Packages** screen, find the package that your Organization uses, and ensure that **SAML 2 Login System** is highlighted in the "Extra options" section 
- 
-{{ ::user_packages____edit_package___latestappliance_1808_00.png?400 |}} 
- 
-Next, login as the Organization Administrator account, and visit the **Auth Systems** screen from the **Organization** menu. 
- 
-Under **Add Auth System**, select **SAML 2** from the dropdown beside **Auth System**. 
- 
-On this screen, you are now required to enter the specific details about your particular SAML 2 Identity Provider. The following list describes the meaning of each field. 
- 
-  * __Auth System Name__ - Each authentication system has a name which is provided for your reference. Enter a name you can use to identify this later on. 
- 
-  * __Login button label__ - Instead of users supplying the File Fabric with usernames and passwords, the users will be shown a button for them to click to perform the login. The text you supply here will be used on the button, for example you may wish to enter "Login with AcmeCorp AD" 
- 
-  * __The Service provider entity ID__ - Your Identity Provider will either ask you to supply an Entity ID or will generate one for you. You should enter what your Identity Provider supplies you with here.  
- 
-  * __SSO entry point__ - Your Identity Provider will provide you with a URL that begins the login flow for your users with the File Fabric service. This can commonly be referred to as the SSO URL or SSO Login Endpoint. 
- 
-  * __The logout service endpoint__ - Your Identity Provider will provide you with the Logout URL, where SME will send users to when they wish to logout of the Enterprise File Fabric.  
- 
-  * __Certificate data__ - Your Identity Provider will provide you with a certificate when configuring your SAML Service Provider. You should download that certificate and paste its entire contents into this field.  
- 
-  * __Fetch user Role/Group__ - If you are using Azure Active Directory FS services, you will need to tick this option. Otherwise leave it unchecked.  
- 
-  * __Auto create user on login__ - Manual user import is not possible with SAML, so this option should be checked. 
- 
-  * __Update user roles/groups on login__ - The File Fabric can refresh a user's role/group membership each time they login. Check this to ensure that this happens.  
- 
-  * __Update user info on login__ - The File Fabric can refresh a users personal information, such as their name, each time they login. Check this to ensure that this happens.  
- 
-  * __User Import Fields__ - The File Fabric requires certain pieces of information when linking a user to the platform. Since there are no field name standards with the File Fabric, you will need to supply the mappings.  
- 
-For specific details on configuring different platforms, follow our guides below.  
- 
-Once you have completed the configuration you can use the Test Settings button, and complete this by clicking **Add Auth System**. 
- 
- 
-===== Configuring with ADFS - Local AD ===== 
- 
-From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar.  
- 
-This will open a wizard like below. 
- 
-{{ ::fmt-devad01_storagemadeeasy_com.png?400 |}} 
- 
-Click **Start** 
- 
-Click the radio button **Enter data about the relying party manually** and click **Next** 
- 
-{{ ::fmt-devad01_storagemadeeasy_com2.png?400 |}} 
- 
-Enter an appropriate **Display name** so that you can recognise it in the future and click **Next** 
- 
-{{ ::fmt-devad01_storagemadeeasy_com3.png?400 |}} 
- 
-Select the **AD FS profile** radio button and click **Next**. 
- 
-{{ ::fmt-devad01_storagemadeeasy_com4.png?400 |}} 
- 
-Under the **Configure Certificate**, leave the settings as their default settings and click **Next**. 
- 
-{{ ::fmt-devad01_storagemadeeasy_com5.png?400 |}} 
- 
-On the **Configure URL** screen, tick the ** Enable support for the SAML 2.0 WebSSO protocol** checkbox. 
- 
-In the **Relying party SAML 2.0 SSO service URL** field, you will need to enter your appliances base URL, with "/saml.htm" appended to it. For example, if your appliace is hosted at "https://sme.example.com" you would enter "https://sme.example.com/saml.htm" in this field.  
- 
-{{ ::fmt-devad01_storagemadeeasy_com6.png?400 |}} 
- 
-Click **Next**. 
- 
-On the **Configure Identifiers** screen, you will need to enter the base URL for your appliance in the **Relying party trust identifier** field. For example we could enter "https://sme.example.com" then click **Add** 
- 
-{{ ::fmt-devad01_storagemadeeasy_com7.png?400 |}} 
- 
-You will then be asked if you wish to **Configure Multi-factor Authentication** for this relying party trust. You may do so, but it is out of scope for this guide.  
- 
-Click **Next** 
- 
-On the **Choose Issuance Authorization Rules** screen, select the **Permit all users to access this relying party** radio button.  
- 
-{{ ::fmt-devad01_storagemadeeasy_com8.png?400 |}} 
- 
-Click **Next** 
- 
-On the **Ready to Add Trust** screen, review the settings you have entered.  
- 
-Click **Next** 
- 
-On the final screen, ensure that the **Open the Edit Claim Rules dialog for this relying part trust when the wizard closes** is ticked, and click **Close** 
- 
-From the **Issuance Transform Rules** screen, click **Add Rule...** 
- 
-{{ ::fmt-devad01_storagemadeeasy_com9.png?400 |}} 
- 
-From the **Claim rule template** drop down, select **Send LDAP Attributes as Claims** and click **Next**. 
- 
-Enter a friendly name under **Claim rule name**. 
- 
-Select **Active Directory** from the **Attribute store** 
- 
-Configure the **Mapping of LDAP attributes** as per the image below. 
- 
-{{ ::fmt-devad01_storagemadeeasy_com20.png?400 |}} 
- 
- 
-Next, add another Claim Rule. 
- 
-From the **CLaim rule template** select **Send Group Membsership as a Claim**. Provide a **Claim rule name**.  
- 
-Select the **User's group** that this applies to 
- 
-Select the **Outgoing claim type** as **Group** 
- 
-Input the **Outgoing claim value** as "group" 
- 
-{{ ::fmt-devad01_storagemadeeasy_com12.png?400 |}} 
- 
-Close the Claim Rules dialog. 
- 
-Next, visit the **Certificates** folder under **Service** 
- 
-{{ ::fmt-devad01_storagemadeeasy_com13.png?400 |}} 
- 
-Double click on your certificate under the **Token-signing** section. 
- 
-Click on the **Details** tab and click **Copy to File** 
- 
-{{ ::fmt-devad01_storagemadeeasy_com14.png?400 |}} 
- 
-Click **Next** when the dialog opens. 
- 
-Select **Base-64 encoded X.509 (.CER)** as the export format. 
- 
-Click **Next** 
- 
-Select the location on disk to store the certificate and follow the prompts to complete the export.  
- 
-Finally, click on the **AD FS** folder on the left hand side. From the **Action** menu, select **Edit Federation Service Properties**. 
- 
-Copy the value from the **Federation Service identifier** field and save this.  
- 
-Now we will configure the Auth System inside SME. Given the guide at the top of this document, the relevant fields from AD FS are as follows: 
- 
-**Service provider entity ID** - This is the value from the **Federation Service identifier** field 
- 
-**SSO entry point** - For AD FS this is typically the base URL of the service appended with "/adfs/ls", for example "https://ad.example.com/adfs/ls" 
- 
-**Logout service endpoint** - For AD FS this is typically the SSO endpoint with the additional query string of "?wa=wsignout1.0", for example "https://ad.example.com/adfs/ls?wa=wsignout1.0" 
- 
-**Certificate data** - Open the exported certificate you obtained from the AD FS system into Notepad, and copy the whole contents into this field.  
- 
-Ensure the field mappings are as follows: 
- 
-  * Unique user attribute => username 
-  * User Login Field => username 
-  * User Name Field => fullname 
-  * User Email Field => email 
-  * Role\Group Name Field => role 
-  * User Phone Field => phone 
- 
-===== Configuring with ADFS - Azure AD ===== 
- 
-=== Setup Azure SAML App === 
- 
-As an administrative user, log into the Azure portal: https://portal.azure.com/ 
- 
-Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application.  
-{{ ::enterprise_application.png?600 |}} 
- 
-{{ ::non_gallery_app.png?200 |}} 
- 
-On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section.  
- 
-Now that the application is created, we will enable SAML for single sign-on.  
- 
-{{ ::enterprise_application_sso.png?600 |}} 
- 
-In "Basic SAML Configuration" we will enter the following URLs, which point to your File Fabric instance.  
- 
-Identifier (Entity ID): File Fabric URL - ex: https://filefabric.fileserverapp.com/ 
- 
-Reply URL (Assertion Consumer Service URL): ex: https://filefabric.fileserverapp.com/saml.htm 
- 
-Next we will setup Group Claims. 
- 
-Select "All Groups" as which groups should be returned in the claim.  
-"Source Attribute" should be set to "Group ID". 
- 
-Once this is set, we will copy and save the URLs  
-{{ ::azureadfs_setup_urls.png?600 |}} 
- 
-Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section.  
- 
-{{ ::azureadfs_downloadcert.png?600 |}} 
- 
-Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups enetered here will be able to log into the File Fabric via this SAML integration) 
- 
-{{ ::azureadfs_usersandgroups.png?600 |}} 
- 
-Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs.  
- 
-In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered:  
- 
-{{ ::azureadfs_userclaims.png?600 |}} 
- 
-=== Setup Graph API === 
- 
-In order to get the correct group names from ADFS, we will need to enable the Azure Graph API.  
- 
-In App Registrations, create a "New registration", naming it something like "EFF GraphAPI". 
- 
-Once created, we will edit the API permissions, and "Add A Permission" 
- 
-In the Request API Permissions screen, we will select:  
-Azure Active Directory Graph > Application permissions >  Directory.Read.All 
-And hit "Add permissions" 
- 
-Now we will gather the credentials.  
-In "Overview", copy the "Application (client) ID". 
- 
-In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "EFF" and decide when it expires. Now copy the new Value added in the Client Secrets section.  
- 
-=== Setup File Fabric Auth System === 
- 
-As an Org admin, we will now enable SAML Authentication.  
-Click on: Organization > SAML 2 
- 
-Fill in the following details: 
- 
-__Auth System Name__ - Azure SAML 
- 
-__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure” 
- 
-__The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above 
- 
-__SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above 
- 
-__Logout Service Endpoint__ - Enter the "Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above 
- 
-__Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above 
- 
-__Fetch User Role\Group Name by id__ - Check 
- 
-__Azure AD Application ID__ - Enter the GraphAPI "Application (client) ID" saved from above 
- 
-__Azure AD Application Key__ - Enter the "Clients Secrets" value saved from above 
- 
-__Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML 
- 
-__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login 
- 
-__Update user info on login__ - Check to update all user information on SAML login 
-__User Import Fields__ 
- 
-Ensure the following mappings are set: 
- 
-Unique user attribute > user 
- 
-User login field > user 
- 
-User Name field > fullname 
- 
-User email field > mail 
- 
-Role\Group name field > groups 
- 
-User Phone field > phone  
- 
-{{ ::azureadfs_authsystem1.png?600 |}} 
-{{ ::azureadfs_authsystem2.png?600 |}} 
-===== Configuring with G Suite (Google) ===== 
- 
-=== Setup G Suite SAML App === 
- 
-As the administrative user for your G Suite domain, login to the [[https://admin.google.com|Gsuite Admin panel]].  
- 
-Then Select Apps > SAML Apps from the menu on the left hand side of the screen ("hamburger menu").  
- 
-{{::gsuite_1.png?600|}} 
- 
-On the following screen, click the yellow plus (+) symbol in the bottom left to add a new SAML Application.  
-Then select "Setup my own custom app" 
- 
-On the next screen you will want to save the SSO URL, Entity ID and download the certificate.  
- 
-{{::ii_jl85yqk14_1656c9918e5ef030.png?600|}} 
- 
-On the next page enter an Application Name that matches your File Fabric system, and use any Description or Logo you would like, and click next.  
- 
-Next fill out the "Service Provider Details" like so: 
- 
-__ACS URL__ = File Fabric URL + "/saml.htm" - ex: https://filefabric.fileserverapp.com/saml.htm 
- 
-__Entity ID__ = File Fabric URL - ex: https://filefabric.fileserverapp.com/ 
- 
-__Start URL__ = File Fabric URL - ex: https://filefabric.fileserverapp.com/ 
- 
-__Name ID__ = Leave as Default: Basic Information > Primary Email 
- 
-__Name Format__ = Leave as Default: Unspecified 
- 
-{{::gsuite_3.png?600|}} 
- 
-We will setup the following mappings in the Attribute Mapping Section: 
- 
-Username > Basic Information > Primary Email 
- 
-email > Basic Information> Primary Email 
- 
-fullname > Basic Information > First Name 
- 
-groups > Employee Details > Department 
- 
-phone > Contact Information> Phone Number 
- 
-upn > Basic Information > Full Name 
- 
-{{::ii_jl85yqkh5_1656c9918e5ef030.png?600|}} 
- 
-Click Finish to complete the setup of the SAML App.  
- 
-Finally select the three dot menu for the app and select "ON for everyone" to enable all of your GSuite users to use this app.  
- 
-{{::gsuite_4.png?300|}} 
- 
-=== File Fabric Auth System === 
- 
-As the Org admin, we will now enable the SAML Authentication.  
- 
-Click on: Organization > Auth Systems. 
- 
-Select: Auth System > SAML 2 
- 
-Fill in the following details: 
- 
-__Auth System Name__ - G Suite SAML 
- 
-__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like "Login with Google" 
- 
-__The service provider entity ID__ - Enter the Entity ID you saved from the Google SAML App setup screen 
- 
-__SSO Entry point__ - Enter the SSO URL you saved from the Google SAML App setup screen 
- 
-__Logout Service Endpoint__ - https://accounts.google.com/Logout 
- 
-__Certificate Data__ = Enter the certificate text you downloaded from the Google SAML App setup screen 
- 
-__Fetch User Role\Group Name by id__ - Leave unchecked 
- 
-__Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML 
- 
-__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login 
- 
-__Update user info on login__ - Check to update all user information on SAML login 
- 
-__User Import Fields__ 
- 
-Ensure the following mappings are set: 
- 
-Unique user attribute > username 
- 
-User login field > username 
- 
-User Name field > fullname 
- 
-User email field > email 
- 
-Role\Group name field > groups 
- 
-User Phone field > phone 
- 
-{{::gsuite_5.png?600|}} 
- 
-Click Test and then Update to save these settings 
- 
-===== Configuring with Okta ===== 
- 
-From your Okta's Administrative account, click on **Applications** from the top menu, and then click **Add Application**. From the left menu click on the **Create New App** button.  
- 
-For the **Platform** option, select **Web**.  
- 
-For the **Sign on method**, select **SAML 2.0**.  
- 
-Then click **Create**.  
- 
-On the next screen, we need to supply some basic information for the application.  
- 
-For the **App Name**, provide a friendly name for the SME service, e.g. **Enterprise File Fabric**. Optionally you can also provide an **App logo** that users would recognize.  
- 
-Click **Next**. 
- 
-On the **SAML settings** screen we want to configure the fields as follows: 
- 
-  * __Single sign on URL__ - This should be the URI of your Enterprise File Fabric appliance, appended by "/saml.htm". For example "https://sme.example.com/saml.htm" 
-  * __Audience URI__ - This should be the URI of your Enterprise File Fabric appliance, e.g. "https://sme.example.com" 
-  * __Default RelayState__ - This should be left blank 
-  * __Name ID format__ - Select Email Address 
-  * __Application username__ - Select Okta Username 
- 
-Under **Show Advanced Settings**: 
- 
-  * Tick **Enable Single Logout** 
-  * In **Single Logout URL** enter the value you entered in **Audience URI** 
-  * In **SP Issuer** enter the value you entered in **Audience URI** 
-  * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your Enterprise File Fabric appliance Auth System configuration screen.  
- 
-Under **Attribute Statements** configure the mappings as follows:  
- 
-  * Name "email", Name format "basic", Value "user.email" 
-  * Name "fullname", Name format "basic", Value "user.login" 
-  * Name "username", Name format "basic", Value "user.login" 
- 
-Under **Group Attribute Statements**, you will need to [choose which groups need to be exposed to the Enterprise File Fabric](https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm).  
- 
-A Groups Entry will need to be added with a name of "groups". The Value is dependant on what you would like to expose to the Enterprise File Fabric. Some examples are below: 
- 
-  * Contains: IT - Matches groups containing the word "IT" 
-  * Regex: "^.*$" - Matches all groups 
- 
-Follow the on-screen steps to save the changes.  
- 
-On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button.  
- 
-On the File Fabric SAML Auth System screen, enter the following values: 
- 
-  * The Service provider entity ID - The URI entered earlier from the **Audience URI** field 
-  * SSO entry point - Enter the **Identity Provider Single Sign-On URL** found on the Okta setup instructions screen 
-  * The logout service endpoint - Enter the **Identity Provider Single Logout URL** found on the Okta setup instructions screen. 
-  * x509 Certificate - Enter the **X.509 Certificate** found on the Oka setup instructions screen 
- 
-Before users are able to access the Okta application, Users or Groups must be assigned the application for it to be available to them.  
- 
-Your Okta setup with the Enterprise File Fabric is now complete.