Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | |||
|
organisationcloud:saml [2020_01_02 17:33] smeadmin |
organisationcloud:saml [2020_01_03 15:32] (current) eric Azure SAML added |
||
|---|---|---|---|
| Line 45: | Line 45: | ||
| - | ===== Configuring with ADFS ===== | + | ===== Configuring with ADFS - Local AD ===== |
| From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. | ||
| Line 169: | Line 169: | ||
| * User Phone Field => phone | * User Phone Field => phone | ||
| + | ===== Configuring with ADFS - Azure AD ===== | ||
| + | |||
| + | === Setup Azure SAML App === | ||
| + | |||
| + | As an administrative user, log into the Azure portal: https://portal.azure.com/ | ||
| + | |||
| + | Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application. | ||
| + | {{ ::enterprise_application.png?600 |}} | ||
| + | |||
| + | {{ ::non_gallery_app.png?200 |}} | ||
| + | |||
| + | On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section. | ||
| + | |||
| + | Now that the application is created, we will enable SAML for single sign-on. | ||
| + | |||
| + | {{ ::enterprise_application_sso.png?600 |}} | ||
| + | |||
| + | In "Basic SAML Configuration" we will enter the following URLs, which point to your File Fabric instance. | ||
| + | |||
| + | Identifier (Entity ID): File Fabric URL - ex: https://filefabric.fileserverapp.com/ | ||
| + | |||
| + | Reply URL (Assertion Consumer Service URL): ex: https://filefabric.fileserverapp.com/saml.htm | ||
| + | |||
| + | Next we will setup Group Claims. | ||
| + | |||
| + | Select "All Groups" as which groups should be returned in the claim. | ||
| + | "Source Attribute" should be set to "Group ID". | ||
| + | |||
| + | Once this is set, we will copy and save the URLs | ||
| + | {{ ::azureadfs_setup_urls.png?600 |}} | ||
| + | |||
| + | Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section. | ||
| + | |||
| + | {{ ::azureadfs_downloadcert.png?600 |}} | ||
| + | |||
| + | Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups enetered here will be able to log into the File Fabric via this SAML integration) | ||
| + | |||
| + | {{ ::azureadfs_usersandgroups.png?600 |}} | ||
| + | |||
| + | Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs. | ||
| + | |||
| + | In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered: | ||
| + | |||
| + | {{ ::azureadfs_userclaims.png?600 |}} | ||
| + | |||
| + | === Setup Graph API === | ||
| + | |||
| + | In order to get the correct group names from ADFS, we will need to enable the Azure Graph API. | ||
| + | |||
| + | In App Registrations, create a "New registration", naming it something like "EFF GraphAPI". | ||
| + | |||
| + | Once created, we will edit the API permissions, and "Add A Permission". | ||
| + | |||
| + | In the Request API Permissions screen, we will select: | ||
| + | Azure Active Directory Graph > Application permissions > Directory.Read.All | ||
| + | And hit "Add permissions" | ||
| + | |||
| + | Now we will gather the credentials. | ||
| + | In "Overview", copy the "Application (client) ID". | ||
| + | |||
| + | In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "EFF" and decide when it expires. Now copy the new Value added in the Client Secrets section. | ||
| + | |||
| + | === Setup File Fabric Auth System === | ||
| + | |||
| + | As an Org admin, we will now enable SAML Authentication. | ||
| + | Click on: Organization > SAML 2 | ||
| + | |||
| + | Fill in the following details: | ||
| + | |||
| + | __Auth System Name__ - Azure SAML | ||
| + | |||
| + | __Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure” | ||
| + | |||
| + | __The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above | ||
| + | |||
| + | __SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above | ||
| + | |||
| + | __Logout Service Endpoint__ - Enter the "Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above | ||
| + | |||
| + | __Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above | ||
| + | |||
| + | __Fetch User Role\Group Name by id__ - Check | ||
| + | |||
| + | __Azure AD Application ID__ - Enter the GraphAPI "Application (client) ID" saved from above | ||
| + | |||
| + | __Azure AD Application Key__ - Enter the "Clients Secrets" value saved from above | ||
| + | |||
| + | __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML | ||
| + | |||
| + | __Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login | ||
| + | |||
| + | __Update user info on login__ - Check to update all user information on SAML login | ||
| + | __User Import Fields__ | ||
| + | |||
| + | Ensure the following mappings are set: | ||
| + | |||
| + | Unique user attribute > user | ||
| + | |||
| + | User login field > user | ||
| + | |||
| + | User Name field > fullname | ||
| + | |||
| + | User email field > mail | ||
| + | |||
| + | Role\Group name field > groups | ||
| + | |||
| + | User Phone field > phone | ||
| + | |||
| + | {{ ::azureadfs_authsystem1.png?600 |}} | ||
| + | {{ ::azureadfs_authsystem2.png?600 |}} | ||
| ===== Configuring with G Suite (Google) ===== | ===== Configuring with G Suite (Google) ===== | ||