Differences

organisationcloud:saml [2020_01_02 17:33]
smeadmin
organisationcloud:saml [2020_01_03 15:32] (current)
eric Azure SAML added
Line 45: Line 45:
  
  
-===== Configuring with ADFS =====+===== Configuring with ADFS - Local AD =====
  
 From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. ​ From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. ​
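Review bot: renaming the heading changes the section anchor that DokuWiki derives from the heading text, so any existing links to the old "Configuring with ADFS" section will land at the top of the page instead of at this section; check inbound links and any table-of-contents references before merging. The " - Local AD" qualifier also reads oddly next to the new " - Azure AD" section below, which does not use an AD FS server at all; "Configuring with ADFS (on-premises AD)" would make the distinction clearer.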
Line 169: Line 169:
   * User Phone Field => phone   * User Phone Field => phone
  
 +===== Configuring with ADFS - Azure AD =====
 +
 +=== Setup Azure SAML App ===
 +
 +As an administrative user, log into the Azure portal: https://​portal.azure.com/​
 +
 +Search and enter the page for "​Enterprise Applications",​ Add a New Application,​ and select Non-gallery Application. ​
 +{{ ::​enterprise_application.png?​600 |}}
 +
 +{{ ::​non_gallery_app.png?​200 |}}
 +
 +On the next screen we will name the application something like //​Enterprise File Fabric// for the "​Name"​ section. ​
 +
 +Now that the application is created, we will enable SAML for single sign-on. ​
 +
 +{{ ::​enterprise_application_sso.png?​600 |}}
 +
 +In "Basic SAML Configuration"​ we will enter the following URLs, which point to your File Fabric instance. ​
 +
 +Identifier (Entity ID): File Fabric URL - ex: https://​filefabric.fileserverapp.com/​
 +
 +Reply URL (Assertion Consumer Service URL): ex: https://​filefabric.fileserverapp.com/​saml.htm
 +
 +Next we will setup Group Claims.
 +
 +Select "All Groups"​ as which groups should be returned in the claim. ​
 +"​Source Attribute"​ should be set to "Group ID".
 +
 +Once this is set, we will copy and save the URLs 
 +{{ ::​azureadfs_setup_urls.png?​600 |}}
 +
 +Next we will download the Certificate (Base64) from the "SAML Signing Certificate"​ section. ​
 +
 +{{ ::​azureadfs_downloadcert.png?​600 |}}
 +
 +Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/​groups enetered here will be able to log into the File Fabric via this SAML integration)
 +
 +{{ ::​azureadfs_usersandgroups.png?​600 |}}
 +
 +Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. ​
 +
 +In the "User Attributes & Claims"​ we'll add a new claim and make sure all the claims below are entered: ​
 +
 +{{ ::​azureadfs_userclaims.png?​600 |}}
 +
 +=== Setup Graph API ===
 +
 +In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. 
 +
 +In App Registrations,​ create a "New registration",​ naming it something like "EFF GraphAPI"​.
 +
 +Once created, we will edit the API permissions,​ and "Add A Permission"​. ​
 +
 +In the Request API Permissions screen, we will select: ​
 +Azure Active Directory Graph > Application permissions >  Directory.Read.All
 +And hit "Add permissions"​
 +
 +Now we will gather the credentials. ​
 +In "​Overview",​ copy the "​Application (client) ID".
 +
 +In "​Certificates & Secrets",​ click "New client secret"​ in "​Clients Secrets"​ section. Set Description to something like "​EFF"​ and decide when it expires. Now copy the new Value added in the Client Secrets section. ​
 +
 +=== Setup File Fabric Auth System ===
 +
 +As an Org admin, we will now enable SAML Authentication. ​
 +Click on: Organization > SAML 2
 +
 +Fill in the following details:
 +
 +__Auth System Name__ - Azure SAML
 +
 +__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure”
 +
 +__The service provider entity ID__ - Enter the "Azure AD Identifier"​ you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Logout Service Endpoint__ - Enter the "​Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above
 +
 +__Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above
 +
 +__Fetch User Role\Group Name by id__ - Check
 +
 +__Azure AD Application ID__ - Enter the GraphAPI "​Application (client) ID" saved from above
 +
 +__Azure AD Application Key__ - Enter the "​Clients Secrets"​ value saved from above
 +
 +__Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML
 +
 +__Update user roles/​groups on login__ - Check if you would like File Fabric roles to be updated on user login
 +
 +__Update user info on login__ - Check to update all user information on SAML login
 +__User Import Fields__
 +
 +Ensure the following mappings are set:
 +
 +Unique user attribute > user
 +
 +User login field > user
 +
 +User Name field > fullname
 +
 +User email field > mail
 +
 +Role\Group name field > groups
 +
 +User Phone field > phone 
 +
 +{{ ::​azureadfs_authsystem1.png?​600 |}}
 +{{ ::​azureadfs_authsystem2.png?​600 |}}
 ===== Configuring with G Suite (Google) ===== ===== Configuring with G Suite (Google) =====
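Review bot: the claims the File Fabric needs ("make sure all the claims below are entered") exist only in the screenshot azureadfs_userclaims.png; list them in the text so the step survives without the image and is searchable. The import-field mapping at the end of the section implies the claim names are user, fullname, mail, groups and phone, so that list can be stated explicitly. Likewise "we will copy and save the URLs" should name the three values the File Fabric form later asks for by name (Azure AD Identifier, Login URL, Logout URL). For the Graph API step, Directory.Read.All is an application permission, which an administrator must consent to before it takes effect; add a "Grant admin consent" step after "Add permissions", otherwise group-name lookups will fail with no obvious cause. The client secret created under "Certificates & Secrets" is shown only once and has an expiry the reader is told to "decide"; say that when it lapses, the "Fetch User Role\Group Name by id" lookup stops working and the Azure AD Application Key in the auth system must be replaced, so the expiry should be tracked. Minor: fix "enetered", and make the Role/Group separator consistent ("Role\Group" in two field names versus "roles/groups" in another). Finally, the heading "Configuring with ADFS - Azure AD" is misleading, since this procedure uses the Azure AD enterprise-application SAML identity provider rather than an AD FS server; "Configuring with Azure AD" would be accurate.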