Differences

organisationcloud/saml [2020_01_03 15:32] – Azure SAML added ericorganisationcloud:saml [2024_04_11 17:44] (current) – [Enabling SAML in the Package] steven
Line 1: Line 1:
-====== SAML 2.0 and the SME Enterprise File Fabric ====== +SAML 2.0 Integration
-last updated Sept. 25 2018+
  
-The Enterprise File Fabric supports users logging-in via the SAML 2.0 protocol. The SAML 2.0 protocol is increasing in popularityand there are a number of different flavours and variations provided by different identity providers (IDPs), like Active Directory Federation Services (ADFS) and Google Suite (GSuite). +**Last updated Oct 32023**
  
-This guide covers how a SAML 2.0 configuration can be configured from the File fabric interface, and the specifics relating to each platform+Access Anywhere supports integration with many directory services through the SAML and LDAP protocols providing authentication and authorization services including single-sign onidentity and group synchronization, auto-add and permission synchronization.
  
-===== Setting up SAML 2.0 with the Enterprise File Fabric =====+This document describes integration with SAML 2.0 using a number of popular providers. For LDAP see [[:ldap]] and for Active Directory see [[organisationcloud/activedirectory/activedirectoryintegration|]]. The Access Anywhere identity and access management features are summarized [[/iam | here]].
  
-To begin configuring the SAML 2.0 connection, you will need to ensure that SAML is enabled in your Package. To do this login as the ApplAdmin user, visit the **User Packages** screen, find the package that your Organization uses, and ensure that **SAML 2 Login System** is highlighted in the "Extra options" section+The following flows are supported: 
 +  * Service Provider Initiated Flow 
 +  * Identity Provider Initiated Flow (since release 2106.00) 
 + 
 +This document describes basic SAML 2.0 setup as well as integration with these identity providers: 
 + 
 + * Active Directory Federation Services (AD FS) 
 + * Azure Directory Services 
 + * Google Workspace (formerly G Suite).  
 + * Okta 
 + * Duo Access 
 + 
 +If you are looking for how to set up SAML integration with the SMB or Nasuni Connector please refer to [[cloudproviders/saml_for_nasuni_and_smb_mu|this page]]. 
 + 
 +===== Setting up SAML 2.0 with Access Anywhere ===== 
 +==== Enabling SAML in the Package ==== 
 + 
 +To begin configuring the SAML 2.0 connection, you will need to ensure that SAML is enabled in your Package. To do this login as the ApplAdmin user, visit the **User Packages** screen, find the package that your organization uses, and ensure that **SAML 2 Login System** is highlighted in the "Extra options" section
  
 {{ ::user_packages____edit_package___latestappliance_1808_00.png?400 |}} {{ ::user_packages____edit_package___latestappliance_1808_00.png?400 |}}
  
-Next, login as the Organization Administrator accountand visit the **Auth Systems** screen from the **Organization** menu.+==== Configuring a SAML Authentication System ==== 
 +Next, login as the Organization Administrator, visit the **Auth Systems** screen from the **Organization** menu.
  
-Under **Add Auth System**, select **SAML 2** from the dropdown beside **Auth System**.+Under **Add Auth System**, select **SAML** from the dropdown beside **Auth System**. 
  
-On this screen, you are now required to enter the specific details about your particular SAML 2 Identity Provider. The following list describes the meaning of each field.+On this screen, you are now required to enter details about your particular SAML 2.0 identity provider. The following list describes the meaning of each field, including one which will be populated automatically when the authentication system has been added.
  
-  * __Auth System Name__ - Each authentication system has a name which is provided for your reference. Enter a name you can use to identify this later on.+  * __Auth System Name__ - Each authentication system has a name that is provided for your reference. Enter a name you can use to identify this authentication system later on. 
 +\\ \\ 
 +  * __Identifier (Entity ID)__ - Unique ID that identifies your application to the SAML Identity Provider. This value must be unique across all applications in your SAML Identity Provider. The default identifier will be the audience of the SAML response for IDP-initiated SSO. (New in release 2301). 
 +\\ \\  
 +  * __Reply URL (Assertion Consumer Service URL)__ - This field will hold a URL that can be shared with the SAML system so SAML can deliver authentication tokens to the Access Anywhere server.  Access Anywhere will generate the URL and fill in the field when the authentication system has been created.  The generated value cannot be overwritten. 
 +\\ \\  
 +  * __Login button label__ - Users who are associated with this authentication system will be shown a button on the login page for them to click to perform the login. The text you supply here will be used on the button, for example, you may wish to enter "Login with AcmeCorp AD" 
 +\\ \\  
 +  * __The Service provider entity ID__ - Your identity provider will either ask you to supply an Entity ID or will generate one for you. In either case ensure that the values match between the identity provider and Access Anywhere.  
 +\\ \\  
 +  * __SSO entry point__ - Your identity provider will provide you with a URL that begins the login flow for your users with the Access Anywhere service. This can commonly be referred to as the SSO URL or SSO Login Endpoint. Enter it here. 
 +\\ \\  
 +  * __The logout service endpoint__ - Your identity provider will provide you with the Logout URL, where the Access Anywhere server will send users to when they wish to logout. Enter it here. 
 +\\ \\  
 +  * __x509 Certificate__ - Your identity provider will provide you with a certificate when you configure it for SAML. You should download that certificate and paste its entire contents into this field. 
 +\\ \\ \\  
 +=== Additional Options ===
  
-  * __Login button label__ Instead of users supplying the File Fabric with usernames and passwords, the users will be shown a button for them to click to perform the login. The text you supply here will be used on the button, for example you may wish to enter "Login with AcmeCorp AD"+  * __Force authentication__ When this option is enabled users to whom this authentication system has been assigned will not be allowed to reuse existing sessions and will have to re-authenticate to login. 
 +\\ \\  
 +  * __Sign AuthnRequest and LogoutRequest__ - If this option is enabled then authentication and logout requests will be signed. 
 +\\ \\  
 +  * Fetch user Role\Group Name by id (for Azure AD) - If you are using Azure Active Directory Federation Services, you will need to tick this option. Otherwise, leave it unchecked. 
 +\\ \\ \\  
 +=== Users Login Settings ===
  
-  * __The Service provider entity ID__ Your Identity Provider will either ask you to supply an Entity ID or will generate one for youYou should enter what your Identity Provider supplies you with here+  * __Auto create user on login__ When SAML is being used manual user import is not supported so this option should always be checked. 
 +\\ \\  
 +  * __Refresh role/group membership on login__ - When this option is enabled each user's groups/roles membership will be refreshed each time the user logs in. 
 +\\ \\  
 +  * __Auto create new roles/groups on login__ - When this option is enabled if the server discovers new roles or groups associated with a user it will automatically create corresponding Access Anywhere roles. 
 +\\ \\  
 +  * __Update user info on login__ - When this option is enabled, when a user logs in the server will compare the user's name, email address, and phone number returned by the SAML provider with the corresponding values in Access Anywhere and update the database if differences are discovered. 
 +\\ \\ \\  
 +===  SAML Users Import Fields ===
  
-  * __SSO entry point__ - Your Identity Provider will provide you with URL that begins the login flow for your users with the File Fabric service. This can commonly be referred to as the SSO URL or SSO Login Endpoint.+The Access Anywhere server requires certain pieces of information when mapping an authentication system user to user. Since the names of the fields used by identity providers to hold these values are not standardized, you will need to supply the mappings.
  
-  * __The logout service endpoint__ Your Identity Provider will provide you with the Logout URL, where SME will send users to when they wish to logout of the Enterprise File Fabric+  * __Unique User Attribute Field__ Enter the name of the identity provider field containing this information. 
 +\\ \\  
 +  * __User Login Field__ - Enter the name of the identity provider field containing this information. 
 +\\ \\  
 +  * __User Name Field__ - Enter the name of the identity provider field containing this information. 
 +\\ \\  
 +  * __User Email Field__ - Enter the name of the identity provider field containing this information. 
 +\\ \\  
 +  * __Role\Group Name Field__ - Enter the name of the identity provider field containing this information. 
 +\\ \\  
 +  * __User Phone Field__ - Enter the name of the identity provider field containing this information. 
 +\\ \\ \\  
 +===  SAML Users Import Settings ===
  
-  * __Certificate data__ Your Identity Provider will provide you with certificate when configuring your SAML Service Provider. You should download that certificate and paste its entire contents into this field. +  * __NAA Administrator role maps to__ Provide the name of a SAML group whose members should automatically be assigned the Administrator role by Access Anywhere. 
 +\\ \\  
 +  * __Restrict import of SAML users from the following roles\groups__ - If this field is left empty then Access Anywhere will import users with all roles and groups.  To prevent users with specific roles and groups from being imported, list those roles and groups here, one per line. A user will be excluded if she has at least one of the roles or groups listed here regardless of other roles or groups she may have.
  
-  * __Fetch user Role/Group__ If you are using Azure Active Directory FS servicesyou will need to tick this optionOtherwise leave it unchecked+===  SCIM 2.0 - Server Configuration === 
 +As described [[organisationcloud/scim-user-provisioning|here]]Access Anywhere implements the SCIM 2.0 protocol, allowing identity providers to automatically provision usersIf your SAML system supports SCIM and you wish to make use if it, set and use the details as described in this section.
  
-  * __Auto create user on login__ Manual user import is not possible with SAML, so this option should be checked.+  * __Enable SCIM 2.0 Server__ This switch turns SCIM integration on and off for the SAML authentication system that is being configured.  When it is set to //Yes// the SCIM configuration details will be visible.
  
-  * __Update user roles/groups on login__ The File Fabric can refresh a user's role/group membership each time they loginCheck this to ensure that this happens+  * __Tenant URL__ This value is pre-set by Access Anywhere You cannot change it.  You will need to include it in your identity provider's SCIM configuration.
  
-  * __Update user info on login__ The File Fabric can refresh users personal informationsuch as their name, each time they login. Check this to ensure that this happens+  * __Secret Token__ This value needs to be included in your identity provider's SCIM configuration. Access Anywhere will generate default valuebut you can overwrite.
  
-  * __User Import Fields__ The File Fabric requires certain pieces of information when linking a user to the platform. Since there are no field name standards with the File Fabricyou will need to supply the mappings+<WRAP center round important 100%> 
 +If you have configured more than one SCIM-enabled authentication system and you are providing your own token valuesbe sure that they are unique. 
 +</WRAP>
  
-For specific details on configuring different platforms, follow our guides below.  
  
-Once you have completed the configuration you can use the Test Settings button, and complete this by clicking **Add Auth System**.+===== Identity Provider-Specific Configuration Instructions  =====
  
 +For specific details on configuring different identity providers, follow our guides below. 
  
-===== Configuring with ADFS - Local AD =====+Once you have completed the configuration you can use the Test Settings button, and complete this by clicking **Add Auth System**. 
 +\\ \\ 
  
 + 
 +==== Configuring with AD FS - Local AD ====
 +\\ \\ 
 From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar.  From the **AD FS** management screen, click **Add Relying Party Trust...** from the sidebar. 
  
-This will open a wizard like below.+This will open a wizard:
  
 {{ ::fmt-devad01_storagemadeeasy_com.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com.png?400 |}}
  
 Click **Start** Click **Start**
 +\\ \\ 
 Click the radio button **Enter data about the relying party manually** and click **Next** Click the radio button **Enter data about the relying party manually** and click **Next**
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com2.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com2.png?400 |}}
 +\\ \\ 
 Enter an appropriate **Display name** so that you can recognise it in the future and click **Next** Enter an appropriate **Display name** so that you can recognise it in the future and click **Next**
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com3.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com3.png?400 |}}
 +\\ \\ 
 Select the **AD FS profile** radio button and click **Next**. Select the **AD FS profile** radio button and click **Next**.
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com4.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com4.png?400 |}}
 +\\ \\ 
 Under the **Configure Certificate**, leave the settings as their default settings and click **Next**. Under the **Configure Certificate**, leave the settings as their default settings and click **Next**.
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com5.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com5.png?400 |}}
 +\\ \\ 
 On the **Configure URL** screen, tick the ** Enable support for the SAML 2.0 WebSSO protocol** checkbox. On the **Configure URL** screen, tick the ** Enable support for the SAML 2.0 WebSSO protocol** checkbox.
  
-In the **Relying party SAML 2.0 SSO service URL** field, you will need to enter your appliances base URL, with "/saml.htm" appended to it. For example, if your appliace is hosted at "https://sme.example.com" you would enter "https://sme.example.com/saml.htm" in this field.  +In the **Relying party SAML 2.0 SSO service URL** field, you will need to enter your appliances base URL, with "/saml.htm" appended to it. For example, if your appliance is hosted at "https://sme.example.com" you would enter "https://sme.example.com/saml.htm" in this field.  
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com6.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com6.png?400 |}}
 +\\ \\ 
 Click **Next**. Click **Next**.
- +\\ \\  
-On the **Configure Identifiers** screen, you will need to enter the base URL for your appliance in the **Relying party trust identifier** field. For example we could enter "https://sme.example.com" then click **Add** +On the **Configure Identifiers** screen, you will need to enter the base URL for your appliance in the **Relying party trust identifier** field. For examplewe could enter "https://sme.example.com" then click **Add** 
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com7.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com7.png?400 |}}
 +\\ \\ 
 You will then be asked if you wish to **Configure Multi-factor Authentication** for this relying party trust. You may do so, but it is out of scope for this guide.  You will then be asked if you wish to **Configure Multi-factor Authentication** for this relying party trust. You may do so, but it is out of scope for this guide. 
  
 Click **Next** Click **Next**
 +\\ \\ 
 On the **Choose Issuance Authorization Rules** screen, select the **Permit all users to access this relying party** radio button.  On the **Choose Issuance Authorization Rules** screen, select the **Permit all users to access this relying party** radio button. 
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com8.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com8.png?400 |}}
 +\\ \\ 
 Click **Next** Click **Next**
 +\\ \\ 
 On the **Ready to Add Trust** screen, review the settings you have entered.  On the **Ready to Add Trust** screen, review the settings you have entered. 
  
 Click **Next** Click **Next**
 +\\ \\ 
 On the final screen, ensure that the **Open the Edit Claim Rules dialog for this relying part trust when the wizard closes** is ticked, and click **Close** On the final screen, ensure that the **Open the Edit Claim Rules dialog for this relying part trust when the wizard closes** is ticked, and click **Close**
  
 From the **Issuance Transform Rules** screen, click **Add Rule...** From the **Issuance Transform Rules** screen, click **Add Rule...**
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com9.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com9.png?400 |}}
 +\\ \\ 
 From the **Claim rule template** drop down, select **Send LDAP Attributes as Claims** and click **Next**. From the **Claim rule template** drop down, select **Send LDAP Attributes as Claims** and click **Next**.
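Review bot: the description of __Restrict import of SAML users from the following roles\groups__ contradicts its label. The label reads as an allow-list, but the text says that listing a role or group excludes any user who holds it, "regardless of other roles or groups she may have". State up front that this is an exclusion list (or rename the field in the text), because an administrator reading only the label could list the groups they want imported and lock exactly those users out. A second inconsistency in the same hunk: __Reply URL (Assertion Consumer Service URL)__ is now described as generated by Access Anywhere and not overwritable, while the AD FS steps still tell the reader to type the appliance base URL plus "/saml.htm" into the relying party SSO service URL; say whether these are the same value or point the AD FS section at the generated one.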
  
Line 110: Line 178:
  
 Configure the **Mapping of LDAP attributes** as per the image below. Configure the **Mapping of LDAP attributes** as per the image below.
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com20.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com20.png?400 |}}
  
 +\\ \\ 
 Next, add another Claim Rule. Next, add another Claim Rule.
  
-From the **CLaim rule template** select **Send Group Membsership as a Claim**. Provide a **Claim rule name**. +From the **Claim rule template** select **Send Group Membership as a Claim**. Provide a **Claim rule name**. 
  
 Select the **User's group** that this applies to Select the **User's group** that this applies to
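Review bot: the LDAP attribute to outgoing claim mapping exists only in the screenshot ("as per the image below"); list the attribute/claim pairs in text so they can be checked against the import field names given later on the page (fullname, email, groups, phone) and remain readable when the image is not available.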
Line 122: Line 190:
 Select the **Outgoing claim type** as **Group** Select the **Outgoing claim type** as **Group**
  
-Input the **Outgoing claim value** as "group+Input the **Outgoing claim value** as "groups
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com12.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com12.png?400 |}}
 +\\ \\ 
 Close the Claim Rules dialog. Close the Claim Rules dialog.
  
 Next, visit the **Certificates** folder under **Service** Next, visit the **Certificates** folder under **Service**
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com13.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com13.png?400 |}}
 +\\ \\ 
 Double click on your certificate under the **Token-signing** section. Double click on your certificate under the **Token-signing** section.
  
 Click on the **Details** tab and click **Copy to File** Click on the **Details** tab and click **Copy to File**
 +\\ \\ 
 {{ ::fmt-devad01_storagemadeeasy_com14.png?400 |}} {{ ::fmt-devad01_storagemadeeasy_com14.png?400 |}}
 +\\ \\ 
 Click **Next** when the dialog opens. Click **Next** when the dialog opens.
 +\\ \\ 
 Select **Base-64 encoded X.509 (.CER)** as the export format. Select **Base-64 encoded X.509 (.CER)** as the export format.
  
 Click **Next** Click **Next**
 +\\ \\ 
 Select the location on disk to store the certificate and follow the prompts to complete the export.  Select the location on disk to store the certificate and follow the prompts to complete the export. 
  
-Finally, click on the **AD FS** folder on the left hand side. From the **Action** menu, select **Edit Federation Service Properties**.+Finally, click on the **AD FS** folder on the left-hand side. From the **Action** menu, select **Edit Federation Service Properties**.
  
 Copy the value from the **Federation Service identifier** field and save this.  Copy the value from the **Federation Service identifier** field and save this. 
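Review bot: the Token-signing certificate export step does not say what happens when AD FS replaces that certificate; add a sentence that the exported certificate is what is pasted into the __x509 Certificate__ field of the Auth System, and that the field must be updated with the new certificate whenever AD FS rolls it over so that assertions continue to validate.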
Line 166: Line 234:
   * User Name Field => fullname   * User Name Field => fullname
   * User Email Field => email   * User Email Field => email
-  * Role\Group Name Field => role+  * Role\Group Name Field => groups
   * User Phone Field => phone   * User Phone Field => phone
 +\\ \\ 
 +==== Configuring with Azure AD Enterprise Application ====
  
-===== Configuring with ADFS - Azure AD ===== +=== Set Up Azure SAML App ===
- +
-=== Setup Azure SAML App ===+
  
 As an administrative user, log into the Azure portal: https://portal.azure.com/ As an administrative user, log into the Azure portal: https://portal.azure.com/
  
-Search and enter the page for "Enterprise Applications", Add a New Application, and select Non-gallery Application.  +Search and enter the page for "Enterprise Applications", Add a New Application. Click "Create your own application"
-{{ ::enterprise_application.png?600 |}}+
  
-{{ ::non_gallery_app.png?200 |}}+{{::azure-createapp.png?800|}} 
 +\\ \\  
 +Input a name for the application, for example **Nasuni Access Anywhere**.
  
-On the next screen we will name the application something like //Enterprise File Fabric// for the "Name" section+Select **Integrate any other application you don't find in the gallery** from the list of options.
  
 Now that the application is created, we will enable SAML for single sign-on.  Now that the application is created, we will enable SAML for single sign-on. 
 +\\ \\ 
 {{ ::enterprise_application_sso.png?600 |}} {{ ::enterprise_application_sso.png?600 |}}
  
-In "Basic SAML Configuration" we will enter the following URLs, which point to your File Fabric instance. +In "Basic SAML Configuration" we will enter the following URLs, which point to your Access Anywhere instance.  
 + 
 +Identifier (Entity ID): Server URL - ex: https://files.example.com/ 
 + 
 +Reply URL (Assertion Consumer Service URL): ex: https://files.example.com/saml.htm 
 + 
 +Next we will set up Group Claims.
  
-Identifier (Entity ID): File Fabric URL - ex: https://filefabric.fileserverapp.com/+Under **User Attributes & Claims** click **Edit**Then select **Add a group claim**.
  
-Reply URL (Assertion Consumer Service URL): ex: https://filefabric.fileserverapp.com/saml.htm+Select **All Groups** as which groups should be returned in the claim 
 +**Source Attribute** should be set to **Group ID**.
  
-Next we will setup Group Claims. 
  
-Select "All Groups" as which groups should be returned in the claim.  +---- 
-"Source Attribute" should be set to "Group ID".+ 
 +**Please Note:** Due to an internal limit within Azure AD, if a user is a member of more than 150 groups, the SAML assertion does not return any groups. Rather a link to Microsoft's Graph API is returned instead. 
 +Currently this would result in the user not being assigned to any groups within Access Anywhere.  
 + 
 +To resolve this you will need to update the Enterprise App to filter the groups just to the Roles you would like to leverage in Access Anywhere.  
 + 
 +You can achieve this either by selecting an option like "Groups assigned to the applicationand assign the relevant groups to the Enterpise App, or apply a filter to restrict based on a given prefix or suffix 
 + 
 +{{ :organisationcloud:azuread_groupclaims_filter.png?400 |}} 
 + 
 + 
 +----
  
 Once this is set, we will copy and save the URLs  Once this is set, we will copy and save the URLs 
 +\\ \\ 
 {{ ::azureadfs_setup_urls.png?600 |}} {{ ::azureadfs_setup_urls.png?600 |}}
 +\\ \\ 
 Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section.  Next we will download the Certificate (Base64) from the "SAML Signing Certificate" section. 
 +\\ \\ 
 {{ ::azureadfs_downloadcert.png?600 |}} {{ ::azureadfs_downloadcert.png?600 |}}
 +\\ \\ 
 +Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups entered here will be able to log into the Access Anywhere server via this SAML integration)
 +\\ \\ 
 +{{ ::azureadfs_usersandgroups.png?600 |}}
 +\\ \\ 
 +Finally, we will ensure we are passing all the correct attributes that the Access Anywhere server needs. 
  
-Next we will make sure we have added the correct users and/or groups to the Enterprise Application. (only users/groups enetered here will be able to log into the File Fabric via this SAML integration)+In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered:  
 +\\ \\  
 +{{ ::azuread_saml_updatedattributeclaims.png?800| }} 
 +\\ \\  
 +Please note, in order to get the correct UPN local part for the user we will need to create a transformation for one of those attributes, like so:
  
-{{ ::azureadfs_usersandgroups.png?600 |}}+TransformationExtractMailPrefix()
  
-Finally, we will ensure we are passing all the correct attributes that the File Fabric Needs+Paramater 1: user.userprincipalname
  
-In the "User Attributes & Claims" we'll add a new claim and make sure all the claims below are entered+\\ \\  
 +{{ ::azuread_saml_loginname.png?800| }} 
 +\\ \\ 
  
-{{ ::azureadfs_userclaims.png?600 |}}+\\ \\  
 +=== Set Up The Graph API ===
  
-=== Setup Graph API ===+<WRAP center round important 100%> 
 +In appliance 2106.00, Access Anywhere switched from using the Azure AD Graph APIs that were deprecated to the newer Graph APIs. Customers running earlier appliance versions who had integrated the Azure AD Graph API must now follow the updates steps below. 
 +</WRAP>
  
-In order to get the correct group names from ADFS, we will need to enable the Azure Graph API.  
  
-In App Registrations, create a "New registration", naming it something like "EFF GraphAPI".+In order to get the correct group names from AD FS, we will need to enable the Microsoft Graph API.  
 + 
 +In App Registrations, create a "New registration", naming it something like "NAA GraphAPI".
  
 Once created, we will edit the API permissions, and "Add A Permission" Once created, we will edit the API permissions, and "Add A Permission"
  
-In the Request API Permissions screenwe will select:  +From the list, select **Microsoft Graph**. 
-Azure Active Directory Graph Application permissions >  Directory.Read.All + 
-And hit "Add permissions"+Select **Application permissions** when presented with the choice.  
 + 
 +Input "Directory.Read.All" into the search field and select the permission when returned.  
 + 
 +Click **Add permissions** 
 + 
 +These permissions will need to be granted for the organisation, by clicking the **Grant admin contest for XX Directory**. 
  
 Now we will gather the credentials.  Now we will gather the credentials. 
 In "Overview", copy the "Application (client) ID". In "Overview", copy the "Application (client) ID".
  
-In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "EFF" and decide when it expires. Now copy the new Value added in the Client Secrets section.  +In "Certificates & Secrets", click "New client secret" in "Clients Secrets" section. Set Description to something like "NAA" and decide when it expires. Now copy the new Value added in the Client Secrets section.  
- +\\ \\  
-=== Setup File Fabric Auth System ===+=== Set Up Access Anywhere Auth System ===
  
 As an Org admin, we will now enable SAML Authentication.  As an Org admin, we will now enable SAML Authentication. 
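Review bot: the Graph API registration asks for the Directory.Read.All application permission and a client secret, but the text does not say that an application permission is granted tenant-wide and is exercised without any signed-in user, nor what to do when the secret expires (the reader is told to "decide when it expires" and nothing more). Add that the secret must be replaced in the Auth System before its expiry date or group name lookup stops working, and that it should be stored and handled as a credential. Also, "Grant admin contest for XX Directory" should read "Grant admin consent", and "follow the updates steps below" should read "updated steps".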
Line 240: Line 349:
 __Auth System Name__ - Azure SAML __Auth System Name__ - Azure SAML
  
-__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like “Login with Microsoft Azure”+__Login Button label__ - This text field will be what is displayed in the login button on the Access Anywhere login page. Use something that the users will understand like “Login with Microsoft Azure”
  
 __The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above __The service provider entity ID__ - Enter the "Azure AD Identifier" you saved from the Azure Enterprise Application SAML App setup screen above
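Review bot: the field called __The service provider entity ID__ is filled with the "Azure AD Identifier", which identifies the identity provider, while the separately listed __Identifier (Entity ID)__ is the value that identifies Access Anywhere to Azure. Clarify in both field descriptions which side each value belongs to, since the current naming invites swapping them.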
Line 246: Line 355:
 __SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above __SSO Entry point__ - Enter the "Login URL" you saved from the Azure Enterprise Application SAML App setup screen above
  
-__Logout Service Endpoint__ - Enter the "Logout URL" you saved from the Azure Enterprise Application SAML App setup screen above+__Logout Service Endpoint__ - Enter **https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0**
  
 __Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above __Certificate Data__ - Enter the certificate text you downloaded from the Azure Enterprise Application SAML App setup screen above
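Review bot: the logout endpoint changes from the per-tenant "Logout URL" saved in the Azure steps to the fixed https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 with no explanation. State why the saved Logout URL is not used here, and whether the __Sign AuthnRequest and LogoutRequest__ option applies to requests sent to this endpoint.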
Line 258: Line 367:
 __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML
  
-__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login+__Update user roles/groups on login__ - Check if you would like Access Anywhere roles to be updated on user login
  
 __Update user info on login__ - Check to update all user information on SAML login __Update user info on login__ - Check to update all user information on SAML login
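Review bot: the option names in this walkthrough (__Update user roles/groups on login__) no longer match the names used in the field reference earlier on the page (__Refresh role/group membership on login__, __Auto create new roles/groups on login__); align them, and say how __Auto create new roles/groups on login__ should be set for the Azure integration, since this hunk lists only three of the four login settings.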
Line 265: Line 374:
 Ensure the following mappings are set: Ensure the following mappings are set:
  
-Unique user attribute > user+User Login Field: loginname
  
-User login field > user+\\ \\  
 +{{ ::azureadfs_authsystem1.png?600 |}} 
 +\\ \\  
 +\\ \\  
 +{{ ::azure_saml_smeimportfields.png?600| }} 
 +\\ \\  
 +\\ \\  
 +=== Enabling Identity Provider Initiated Flow ===
  
-User Name field > fullname+Once your Auth System has been created in Access Anywhere, you will then be able to obtain a Reply URL. From the Auth Systems screen, copy the URL supplied next to the **Reply URL** field
  
-User email field > mail+Go back to the Enterprise Application you created within Azure, and edit the **Basic SAML Configuration**. Replace the **Reply URL** with the URL from the Auth System screen. 
  
-Role\Group name field > groups+Azure provides mechanisms to test the integration. 
  
-User Phone field > phone +Your users will be then able to access the application from here:  
 +https://myapplications.microsoft.com/ 
 +==== Configuring with Google Workspace (Formerly G Suite) ====
  
-{{ ::azureadfs_authsystem1.png?600 |}} +=== Set Up G Suite SAML App ===
-{{ ::azureadfs_authsystem2.png?600 |}} +
-===== Configuring with G Suite (Google) =====+
  
-=== Setup G Suite SAML App === +As the administrative user for your Google Workspace domain, login to the [[https://admin.google.com|Google Workspace Admin page]]. 
- +
-As the administrative user for your G Suite domain, login to the [[https://admin.google.com|Gsuite Admin panel]]. +
  
 Then Select Apps > SAML Apps from the menu on the left hand side of the screen ("hamburger menu").  Then Select Apps > SAML Apps from the menu on the left hand side of the screen ("hamburger menu"). 
 +\\ \\ 
 {{::gsuite_1.png?600|}} {{::gsuite_1.png?600|}}
 +\\ \\ 
 On the following screen, click the yellow plus (+) symbol in the bottom left to add a new SAML Application.  On the following screen, click the yellow plus (+) symbol in the bottom left to add a new SAML Application. 
 Then select "Setup my own custom app" Then select "Setup my own custom app"
  
 On the next screen you will want to save the SSO URL, Entity ID and download the certificate.  On the next screen you will want to save the SSO URL, Entity ID and download the certificate. 
 +\\ \\ 
 {{::ii_jl85yqk14_1656c9918e5ef030.png?600|}} {{::ii_jl85yqk14_1656c9918e5ef030.png?600|}}
- +\\ \\  
-On the next page enter an Application Name that matches your File Fabric system, and use any Description or Logo you would like, and click next. +On the next page enter an Application Name that matches your Access Anywhere system, and use any Description or Logo you would like, and click next. 
  
 Next fill out the "Service Provider Details" like so: Next fill out the "Service Provider Details" like so:
  
-__ACS URL__ = File Fabric URL + "/saml.htm" - ex: https://filefabric.fileserverapp.com/saml.htm+__ACS URL__ = Access Anywhere URL + "/saml.htm" - ex: https://filefabric.fileserverapp.com/saml.htm
  
-__Entity ID__ = File Fabric URL - ex: https://filefabric.fileserverapp.com/+__Entity ID__ = Access Anywhere URL - ex: https://filefabric.fileserverapp.com/
  
-__Start URL__ = File Fabric URL - ex: https://filefabric.fileserverapp.com/+__Start URL__ = Access Anywhere URL - ex: https://filefabric.fileserverapp.com/
  
 __Name ID__ = Leave as Default: Basic Information > Primary Email __Name ID__ = Leave as Default: Basic Information > Primary Email
  
 __Name Format__ = Leave as Default: Unspecified __Name Format__ = Leave as Default: Unspecified
 +\\ \\ 
 {{::gsuite_3.png?600|}} {{::gsuite_3.png?600|}}
- +\\ \\  
-We will setup the following mappings in the Attribute Mapping Section:+We will set up the following mappings in the Attribute Mapping Section:
  
 Username > Basic Information > Primary Email Username > Basic Information > Primary Email
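Review bot: "Azure provides mechanisms to test the integration." in the Enabling Identity Provider Initiated Flow subsection is too vague to act on; name the mechanism (or link to it) and say what a successful test shows, since this is where a Reply URL mismatch first surfaces. In the same step, state that the Reply URL pasted into Basic SAML Configuration must match the Auth System value exactly (scheme, host and path), because Azure only delivers the assertion to a Reply URL that is listed. Minor: "Your users will be then able" should read "Your users will then be able".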
Line 325: Line 439:
  
 upn > Basic Information > Full Name upn > Basic Information > Full Name
 +\\ \\ 
 {{::ii_jl85yqkh5_1656c9918e5ef030.png?600|}} {{::ii_jl85yqkh5_1656c9918e5ef030.png?600|}}
 +\\ \\ 
 Click Finish to complete the setup of the SAML App.  Click Finish to complete the setup of the SAML App. 
  
-Finally select the three dot menu for the app and select "ON for everyone" to enable all of your GSuite users to use this app.  +Finally select the three dot menu for the app and select "ON for everyone" to enable all of your Google Workspace users to use this app.  
 +\\ \\ 
 {{::gsuite_4.png?300|}} {{::gsuite_4.png?300|}}
- +\\ \\  
-=== File Fabric Auth System === +=== Access Anywhere Auth System === 
 +\\ \\ 
 As the Org admin, we will now enable the SAML Authentication.  As the Org admin, we will now enable the SAML Authentication. 
  
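Review bot: "ON for everyone" is the step that decides which Google accounts can reach Access Anywhere, so the doc should say the app can instead be turned on for selected organizational units or groups when not every Workspace user should be able to sign in; combined with auto-provisioning in the Auth System, every account the app is on for can create an Access Anywhere user. Also, the attribute named "upn" mapped to Full Name is easy to misread (UPN normally means user principal name); if the Auth System's User Name field expects exactly this attribute name, a sentence saying so would stop readers from "correcting" it.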
Line 344: Line 458:
 Fill in the following details: Fill in the following details:
  
-__Auth System Name__ - G Suite SAML+__Auth System Name__ - Google Workspace SAML
  
-__Login Button label__ - This text field will be what is displayed in the login button on the File Fabric login page. Use something that the users will understand like "Login with Google"+__Login Button label__ - This text field will be what is displayed in the login button on the Access Anywhere login page. Use something that the users will understand like "Login with Google"
  
 __The service provider entity ID__ - Enter the Entity ID you saved from the Google SAML App setup screen __The service provider entity ID__ - Enter the Entity ID you saved from the Google SAML App setup screen
Line 360: Line 474:
 __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML __Auto create user on login__ - Check if you would like users to be auto provisioned when logging in via SAML
  
-__Update user roles/groups on login__ - Check if you would like File Fabric roles to be updated on user login+__Update user roles/groups on login__ - Check if you would like Access Anywhere roles to be updated on user login
  
 __Update user info on login__ - Check to update all user information on SAML login __Update user info on login__ - Check to update all user information on SAML login
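Review bot: the three checkboxes in this hunk are the authorization boundary and need a caveat: with "Auto create user on login" checked, any identity the IdP asserts for this app becomes an Access Anywhere user, and with "Update user roles/groups on login" checked, roles set locally are replaced on every login by whatever the IdP's group attribute carries. Suggest one sentence stating that assignment on the IdP side (which users the app is on for, which groups are sent) therefore controls both access and role membership, and that local role edits do not persist while the second option is enabled.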
Line 379: Line 493:
  
 User Phone field > phone User Phone field > phone
 +\\ \\ 
 {{::gsuite_5.png?600|}} {{::gsuite_5.png?600|}}
 +\\ \\ 
 Click Test and then Update to save these settings Click Test and then Update to save these settings
- +\\ \\  
-===== Configuring with Okta ===== +==== Configuring with Okta ==== 
 +\\ \\ 
 From your Okta's Administrative account, click on **Applications** from the top menu, and then click **Add Application**. From the left menu click on the **Create New App** button.  From your Okta's Administrative account, click on **Applications** from the top menu, and then click **Add Application**. From the left menu click on the **Create New App** button. 
  
Line 396: Line 510:
 On the next screen, we need to supply some basic information for the application.  On the next screen, we need to supply some basic information for the application. 
  
-For the **App Name**, provide a friendly name for the SME service, e.g. **Enterprise File Fabric**. Optionally you can also provide an **App logo** that users would recognize. +For the **App Name**, provide a friendly name for the NAAservice, e.g. **Access Anywhere**. Optionally you can also provide an **App logo** that users would recognize. 
  
 Click **Next**. Click **Next**.
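Review bot: "NAAservice" in the App Name sentence is missing a space ("NAA service"); the rest of this revision spells the product "Access Anywhere", so consider using that name here as well for consistency.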
Line 402: Line 516:
 On the **SAML settings** screen we want to configure the fields as follows: On the **SAML settings** screen we want to configure the fields as follows:
  
-  * __Single sign on URL__ - This should be the URI of your Enterprise File Fabric appliance, appended by "/saml.htm". For example "https://sme.example.com/saml.htm" +  * __Single sign on URL__ - This should be the URI of your Access Anywhere server, appended by /saml.htm. For example https://files.example.com/saml.htm 
-  * __Audience URI__ - This should be the URI of your Enterprise File Fabric appliance, e.g. "https://sme.example.com"+  * __Audience URI__ - This should be the URI of your Access Anywhere server, e.g. "https://files.example.com"
   * __Default RelayState__ - This should be left blank   * __Default RelayState__ - This should be left blank
   * __Name ID format__ - Select Email Address   * __Name ID format__ - Select Email Address
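Review bot: the two URI bullets quote inconsistently on the new side: the Single sign on URL examples lost their quotes while the Audience URI example keeps them; pick one style. It would also help to state here that the Audience URI must be exactly the same string as the Entity ID later entered on the Auth System screen (trailing slash included), since an audience mismatch is the usual reason an otherwise valid assertion is rejected.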
Line 413: Line 527:
   * In **Single Logout URL** enter the value you entered in **Audience URI**   * In **Single Logout URL** enter the value you entered in **Audience URI**
   * In **SP Issuer** enter the value you entered in **Audience URI**   * In **SP Issuer** enter the value you entered in **Audience URI**
-  * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your Enterprise File Fabric appliance Auth System configuration screen. +  * From the **Signature Certificate** upload the Signing Certificate that can be obtained from your Access Anywhere appliance Auth System configuration screen. 
  
 Under **Attribute Statements** configure the mappings as follows:  Under **Attribute Statements** configure the mappings as follows: 
  
-  * Name "email", Name format "basic", Value "user.email" +  * Name "email", Name format "basic", Value 
-  * Name "fullname", Name format "basic", Value "user.login" +
-  * Name "username", Name format "basic", Value "user.login"+
  
-Under **Group Attribute Statements**, you will need to [choose which groups need to be exposed to the Enterprise File Fabric](https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm). +<code> user.email </code>
  
-A Groups Entry will need to be added with a name of "groups". The Value is dependant on what you would like to expose to the Enterprise File Fabric. Some examples are below:+  * Name "fullname", Name format "basic", Value 
 + 
 +<code>user.firstName + "  " + user.lastName </code> 
 + 
 +  * Name "username", Name format "basic", Value  
 + 
 +<code>user.login </code> 
 + 
 +Under **Group Attribute Statements**, you will need to [choose which groups need to be exposed to Access Anywhere](https://help.okta.com/en/prod/Content/Topics/Apps/attribute-statements-saml.htm).  
 + 
 +A Groups Entry will need to be added with a name of "groups". The Value is dependant on what you would like to expose to Access Anywhere. Some examples are below:
  
   * Contains: IT - Matches groups containing the word "IT"   * Contains: IT - Matches groups containing the word "IT"
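Review bot: the fullname value `user.firstName + "  " + user.lastName` has two spaces inside the quoted literal, which puts a double space into every full name; it should be `user.firstName + " " + user.lastName`. Two smaller points: "dependant" should be "dependent", and "Matches groups containing the word "IT"" overstates the Okta Contains filter, which is a substring match, so any group name containing those letters is sent; where roles are derived from these groups, a Starts with, Equals or regex filter is the safer example to show.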
Line 432: Line 554:
 On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button.  On the **Application Details** screen, under **Sign On**, click the **View Setup Instructions** button. 
  
-On the File Fabric SAML Auth System screen, enter the following values:+On the Access Anywhere SAML Auth System screen, enter the following values:
  
   * The Service provider entity ID - The URI entered earlier from the **Audience URI** field   * The Service provider entity ID - The URI entered earlier from the **Audience URI** field
Line 441: Line 563:
 Before users are able to access the Okta application, Users or Groups must be assigned the application for it to be available to them.  Before users are able to access the Okta application, Users or Groups must be assigned the application for it to be available to them. 
  
-Your Okta setup with the Enterprise File Fabric is now complete. +Your Okta setup with the Access Anywhere server is now complete.  
 +\\ \\  
 +==== Configuring with Duo Access Gateway ==== 
 +\\ \\  
 +__First you will need to set up your Duo Access Gatway__ 
 +As defined here: [[https://duo.com/docs/dag-generic#create-your-cloud-application-in-duo|DAG Create your cloud application in duo]]. 
 + 
 +Service Provider Name: NAA Access Anywhere 
 + 
 +Entity ID: your Access Anywhere URL 
 + 
 +Assertion Consumer Service: your Access Anywhere url + /saml.html 
 +\\ \\  
 +{{:dag_sp_setup.png}} 
 +\\ \\  
 +Send Attributes: All 
 + 
 +a) Group name fix 
 +There is an issue with the group name (when leveraging AD as the Directory backend). By default the results that come back are the DN and not the friendly name. 
 + 
 +When you finish generating the json file you’ll edit to to update the memberof to look like so: 
 + 
 +``` 
 +            "94":
 +                "class": "core:AttributeAlter", 
 +                "subject": "memberOf", 
 +                "pattern": "/^CN=(.*?),.*/", 
 +                "replacement": "${1}" 
 +            }, 
 + 
 +``` 
 + 
 +Apply that json to your DAG. 
 + 
 + 
 +__Update DAG to return displayName (and other attributes we need)__ 
 + 
 +We need to ensure that the display name is returned: 
 + 
 +In the DAG under Authentication Source we can add displayName as one of the attributes to return: 
 +\\ \\  
 +{{:dag_authsources.png}} 
 +\\ \\  
 +__Gather info from DAG for NAAintegration__ 
 + 
 +Follow the steps as defined here: [[https://duo.com/docs/dag-generic#configure-your-service-provider|DAG - Configure Your Service Provider]] 
 +This will give you URL/IDs/Certs needed for Access Anywhere Auth System Setup. 
 + 
 +__Create Auth System in SME__ 
 + 
 +We’ll enter this data into Access Anywhere. Logged in as the Org Admin, in a package with SAML enabled, go to Organization> Auth Systems. 
 +\\ \\  
 +{{:dag_authsys1.png}} 
 +{{:dag_authsys2.png}} 
 +\\ \\  
 +This will now allow your users to click the Duo Access Gateway login button the page and login through your DAG into Access Anywhere
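Review bot: "Assertion Consumer Service: your Access Anywhere url + /saml.html" disagrees with the ACS path used for the other providers in this revision, which is /saml.htm; one of the two is wrong, and a wrong ACS means the DAG posts the assertion to a URL that is not the SP endpoint. The AttributeAlter pattern `/^CN=(.*?),.*/` needs a caveat: it assumes CN is the first RDN and that the CN contains no escaped comma, and a memberOf value with no comma at all is left as the full DN, so group names compared in Access Anywhere can silently be a mix of friendly names and DNs. The JSON fragment uses ``` fences while the rest of the page uses <code> blocks, and the dangling "94": key with a trailing comma should be labelled as an excerpt of a larger file. Typos: "Gatway", "edit to to update", "memberof" (the key is memberOf), "NAAintegration", the heading "Create Auth System in SME" still uses the old product name, and "login button the page" is missing "on".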