
Introduction

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between parties.

FileCloud supports a SAML-based web browser Single Sign-On (SSO) service that gives the customer full control over the authentication and authorization of the hosted user accounts that can access the FileCloud web interface.

FileCloud acts as the Service Provider (SP) while the customer or partner acts as the Identity Provider (IdP). The FileCloud SAML SSO service is based on the SAML v2.0 specifications.

 

Active Directory Federation Services (ADFS) Support

When the SSO Type is set to SAML and ADFS is enabled in FileCloud, FileCloud acts as a Service Provider (SP) and as a claims-aware application: it accepts claims in the form of ADFS security tokens issued by the Federation Service and uses those claims to sign the user in to FileCloud. To specify which identity claims are sent to FileCloud, refer to the IdP/ADFS Configuration section below.

When ADFS is used, "IdP" (Identity Provider) in this document refers to the Active Directory Federation Server.

 

The following process explains how a user logs into a hosted FileCloud application through the customer-operated SAML based SSO service.

The image illustrates the following steps:

  1. The user attempts to reach the hosted FileCloud application through its URL.
  2. FileCloud generates a SAML authentication request and embeds it in the URL of the customer's SSO service.
  3. FileCloud redirects the user's browser to that URL, which submits the authentication request to the customer's SSO service.
  4. The customer's SSO service authenticates the user with valid login credentials.
  5. The customer's IdP generates a SAML response and returns it to the user's browser.
  6. The browser forwards the SAML response to FileCloud.
  7. The FileCloud authentication module verifies the SAML response.
  8. If verification succeeds, the user is logged into FileCloud.

Once the IdP has authenticated the user, the FileCloud (SP) authentication module checks whether a matching user account exists in FileCloud. If it does not, a new account is created from the attributes the IdP supplied and the user is logged in. Because accounts are provisioned this way, the attribute chosen as the username must be unique at the IdP (see the IdP Username Parameter below).
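The flow above, as an added example written for this page and not code from FileCloud or simplesamlphp. The entity IDs, the ADFS endpoint URLs and the sample Response are assumptions; the checks in validate_response are the ones the verification in step 7 must make before a login is accepted. The XML signature check, which simplesamlphp performs against the IdP certificate from its metadata, is left out so the example runs with the standard library alone:

```python
"""Added example, not FileCloud or simplesamlphp code: the SP-initiated SAML 2.0 flow
described above on constructed data. Steps 2-3 build an AuthnRequest and pack it into
the IdP redirect URL (HTTP-Redirect binding: raw DEFLATE, base64, URL-encode); step 7
verifies a constructed, unsigned Response the way an SP must before logging anyone in.
Entity IDs, endpoint URLs and the sample Response are assumptions; signature check omitted."""
import base64
import secrets
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible
# Assumed values; a deployment takes the SP ones from the FileCloud SP metadata and the
# IdP ones from the IdP/Federation metadata entered in the admin interface.
SP_ENTITY_ID = "https://filecloud.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp"
ACS_URL = "https://filecloud.example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"


def new_request_id():
    return "_" + secrets.token_hex(16)  # XML IDs may not start with a digit


def build_authn_request(request_id, issue_instant):
    """Step 2: the AuthnRequest FileCloud (the SP) generates."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant.strftime(TS)}" Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_url(authn_request_xml, relay_state=None):
    """Step 3: HTTP-Redirect binding (raw DEFLATE without zlib header, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque to the IdP, echoed back with the Response
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_saml_request(url):
    """What the IdP does with the redirect: recover the AuthnRequest XML."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def build_response(request_id, name_id, now, audience=SP_ENTITY_ID, destination=ACS_URL):
    """Step 5: a constructed, unsigned IdP Response carrying one bearer assertion."""
    nb = (now - timedelta(minutes=1)).strftime(TS)
    na = (now + timedelta(minutes=5)).strftime(TS)
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{now.strftime(TS)}" Destination="{destination}" '
        f'InResponseTo="{request_id}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(TS)}">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{destination}" InResponseTo="{request_id}" NotOnOrAfter="{na}"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
        f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion></samlp:Response>"
    )


def validate_response(response_xml, outstanding_request_id, now=None):
    """Step 7: checks an SP must pass before trusting a Response. Returns (accepted, reason, name_id)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success", None
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not this SP's ACS URL", None
    if root.get("InResponseTo") != outstanding_request_id:
        return False, "InResponseTo matches no request this SP issued (unsolicited or replayed)", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("saml:Conditions", NS) is None:
        return False, "no Assertion/Conditions", None
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the configured IdP", None
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not not_before <= now < not_after:
        return False, "assertion is outside its validity window", None
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "assertion was issued for a different audience", None
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != outstanding_request_id:
        return False, "SubjectConfirmationData does not name this SP and request", None
    return True, "ok", assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

Each rejection branch corresponds to a way a captured or forged Response could be pushed at the ACS URL: a Response for another SP (audience), one meant for another endpoint (Destination/Recipient), one the SP never asked for or one replayed later (InResponseTo, validity window). With the signature check added, these are the conditions simplesamlphp enforces before FileCloud ever sees a username.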

 

SAML SSO Configuration Steps

To configure SAML SSO, complete the following steps in order.

  1. Configure the Apache web server.
  2. Set SAML as the default Single Sign-On method in the FileCloud admin interface.
  3. Configure the IdP settings in the FileCloud admin interface.
  4. Register FileCloud as a Service Provider (SP) with the IdP.
  5. Enable the Single Sign-On link on the login page.

Web Server Configuration

Add an Alias directive for the simplesamlphp folder to the Apache configuration file:

Alias /simplesaml "<PATH TO FileCloud WEBROOT>/thirdparty/simplesaml/www"

where "<PATH TO FileCloud WEBROOT>" is the web root folder in which FileCloud is installed. Point the alias at the www subfolder only, as shown; the rest of the simplesaml tree (config, cert, metadata, log) must not be mapped to a URL.

 

Typical entries for Windows and Linux follow; adjust the path if FileCloud is installed under a different web root folder.

Windows

Open the Apache config file (httpd.conf) from the FileCloud Control Panel.

Add the following line at the end of the config file:

Alias /simplesaml "/xampp/htdocs/thirdparty/simplesaml/www"

Save the file, then stop and start the web server from the FileCloud Control Panel.

Linux

Edit /etc/apache2/sites-enabled/000-default.conf

Add the following line inside <VirtualHost *:80> for HTTP or <VirtualHost *:443> for HTTPS, for example directly under the line DocumentRoot /var/www

Alias /simplesaml /var/www/thirdparty/simplesaml/www

Restart the Apache web server: /etc/init.d/apache2 restart

 

Prerequisite: the PHP mcrypt module must be installed on the FileCloud server. On Windows it is installed by default; on Linux, install it if it is missing.

IdP/ADFS Configuration

 

In the FileCloud Admin Interface (Settings => SSO => SSO Type) the default FileCloud SSO Type must be set to SAML. The other parameters must be set to match your IdP. For each parameter below, "SAML IdP" gives the value for a generic SAML identity provider and "ADFS" the value when ADFS is the IdP; the ADFS values can be read from the Federation Metadata.

Default SSO Type
  SAML IdP: select SAML
  ADFS: select SAML

IdP End Point URL
  SAML IdP: the Identity Provider URL
  ADFS: the Identity Provider URL (Entity ID), e.g. http://yourADFSdomainName/adfs/services/trust

IdP Username Parameter
  SAML IdP: the attribute that identifies the username (must be unique for each user), usually uid or agencyUID. Default value: uid
  ADFS: the claim that identifies the username (must be unique for each user), usually sAMAccountName or the User Principal Name as defined in the claim rules. Value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or upn
  NOTE: The username must be unique. If the username sent by the IdP is in email format, only the email prefix (the part before the @) is used as the username, so that prefix must itself be unique: two IdP accounts whose addresses differ only in the domain would map to the same FileCloud account.

IdP Email Parameter
  SAML IdP: the attribute that identifies the user's email address (must be unique). Default value: mail
  ADFS: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or emailaddress

IdP Given Name Parameter
  SAML IdP: the attribute that identifies the user's given name. Default value: givenName
  ADFS: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or givenname

IdP Surname Parameter
  SAML IdP: the attribute that identifies the user's surname. Default value: sn
  ADFS: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname or surname

IdP Meta Data
  SAML IdP: the Identity Provider metadata in XML format
  ADFS: the Federation Metadata in XML format

Enable ADFS
  SAML IdP: No
  ADFS: Yes

User login token expiration match IdP expiration
  Same for both IdP types. If enabled, the user login token expires according to the IdP (or ADFS) expiration settings. If not enabled, the token expires according to the FileCloud Session Timeout (FileCloud admin UI: Settings - Server - Session Timeout in Days). Default: No (not enabled)

Log Mode
  Same for both IdP types. Sets the log mode for the SAML calls. Default value: prod (do not use DEV on production systems)
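As an added example, not FileCloud's own provisioning code, the following shows how the username, email, given-name and surname parameters above pick values out of the attributes an assertion carries, applies the email-prefix rule from the NOTE, and detects the account collision that rule can cause. The attribute sets are constructed; GENERIC_SETTINGS and ADFS_SETTINGS mirror the two columns of the table:

```python
"""Added example, not FileCloud code: how the IdP Username / Email / Given Name /
Surname parameters above select values from the attributes an assertion carries,
the documented rule that an email-shaped username is reduced to its prefix, and a
check for the account collision that rule can cause. Attribute sets are constructed;
FileCloud's actual provisioning code is not on this page and may differ."""
from dataclasses import dataclass

# ADFS claim URIs from the table; simplesamlphp may also present them under the short name.
CLAIM_URIS = {
    "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "emailaddress": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "givenname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
# The four FileCloud parameters: generic-IdP defaults, then the ADFS column of the table.
GENERIC_SETTINGS = {"username": "uid", "email": "mail", "given": "givenName", "surname": "sn"}
ADFS_SETTINGS = {"username": "upn", "email": "emailaddress", "given": "givenname", "surname": "surname"}


@dataclass(frozen=True)
class ProvisionedUser:
    username: str
    email: str
    given_name: str
    surname: str


def attribute_value(attributes, configured_name):
    """SAML attributes arrive as name -> list of values; accept the short name or its claim URI."""
    for key in (configured_name, CLAIM_URIS.get(configured_name)):
        if key is not None and attributes.get(key):
            return attributes[key][0]
    return None


def username_from(raw):
    """Documented rule: when the IdP sends an email-format username, only the prefix is used."""
    return raw.split("@", 1)[0] if "@" in raw else raw


def map_user(attributes, settings):
    """The local account FileCloud would create on a user's first SSO login."""
    raw_username = attribute_value(attributes, settings["username"])
    if not raw_username:
        raise ValueError(f"IdP did not send the username attribute {settings['username']!r}")
    email = attribute_value(attributes, settings["email"])
    if not email:
        raise ValueError(f"IdP did not send the email attribute {settings['email']!r}")
    return ProvisionedUser(
        username=username_from(raw_username),
        email=email,
        given_name=attribute_value(attributes, settings["given"]) or "",
        surname=attribute_value(attributes, settings["surname"]) or "",
    )


def find_collisions(attribute_sets, settings):
    """Distinct IdP identities the prefix rule folds onto one FileCloud username.
    Returns {username: [raw usernames as sent]} for every username hit more than once,
    which is exactly what the uniqueness NOTE in the table warns about."""
    seen = {}
    for attrs in attribute_sets:
        raw = attribute_value(attrs, settings["username"])
        if raw:
            seen.setdefault(username_from(raw), []).append(raw)
    return {name: raws for name, raws in seen.items() if len(raws) > 1}


# Constructed sample attribute sets: one generic-IdP user and two ADFS users whose UPNs
# differ only in the domain, so the prefix rule would give both the username "alice".
GENERIC_USER = {"uid": ["jdoe"], "mail": ["jdoe@corp.example"], "givenName": ["Jane"], "sn": ["Doe"]}
ADFS_USERS = [
    {CLAIM_URIS["upn"]: ["alice@corp.example"], CLAIM_URIS["emailaddress"]: ["alice@corp.example"],
     CLAIM_URIS["givenname"]: ["Alice"], CLAIM_URIS["surname"]: ["Adams"]},
    {CLAIM_URIS["upn"]: ["alice@partner.example"], CLAIM_URIS["emailaddress"]: ["alice@partner.example"],
     CLAIM_URIS["givenname"]: ["Alice"], CLAIM_URIS["surname"]: ["Brown"]},
]
```

Run find_collisions over an export of the IdP's user attributes before enabling SSO: any entry it returns is two IdP identities that would share one FileCloud account and therefore one set of files, which is the situation the uniqueness note exists to prevent.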

 

 

Register FileCloud as SP in IdP/ADFS

Use the following URL (Entity ID) to register FileCloud as an SP with the IdP or ADFS. The same URL also serves the FileCloud SP metadata.

 

                   

There are two ways for users to reach the Identity Provider's SAML Single Sign-On page from the FileCloud web interface.

  1. Using the Single Sign-On link on the login page.
  2. Using a direct URL to the customer's SAML SSO page.

To display the Single Sign-On link on the FileCloud login page, check Show SSO link under Customization in the admin interface. When a user clicks the Single Sign-On link, the browser is redirected to the SAML SSO service web page.

 

 


To skip the login page, open the cloudconfig.php file under the <PATH TO FileCloud WEBROOT>/config folder and add the following line.

define("TONIDOCLOUD_SSO_DIRECT", "1");

A value of 1 skips the FileCloud login page and shows the SSO login page directly; a value of 0 shows the FileCloud login page.

 

Starting with FileCloud 13.0, the FileCloud admin interface also supports Single Sign-On: users who have an account with the Identity Provider can use SSO to log in to the admin interface.

 

 

As an alternative, the admin interface can likewise skip the FileCloud login page and go straight to the SSO login page when a user opens http://yourfileclouddomain.

To do so, open the cloudconfig.php file under the <PATH TO FileCloud WEBROOT>/config folder and add the following line, set to the value you want.

define("TONIDOCLOUD_SSO_DIRECT_ADMIN", "0");

A value of 1 skips the FileCloud login page and shows the SSO login page directly; a value of 0 (as above) shows the FileCloud login page.

 

Troubleshooting

Issue: FileCloud is hosted behind a proxy
Solution: When FileCloud is hosted behind a proxy server, SAML will not work automatically. Add the proxy server information to <FileCloud WEB ROOT>/thirdparty/simplesaml/config/filecloudconfig.php in the format user:password@yourproxyserverurl.com:

define("TONIDOCLOUD_SAML_PROXY", "ADD PROXY INFO HERE");

Issue: System timezone settings
Solution: After setting the SAML log level to DEV, a log file is created at <FileCloud WEB ROOT>/thirdparty/simplesaml/log/simplesamlphp.log. If it contains

SimpleSAML_Error_Exception: Error 2 - strftime(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function.

then the date.timezone setting must be set explicitly in php.ini.

Issue: FileCloud is hosted behind a reverse proxy
Solution: When FileCloud is hosted behind a reverse proxy, SAML will not work automatically. In <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php set the base URL to the address the browser actually uses:

'baseurlpath' => 'http(s)://YOURFILECLOUDOMAIN/simplesaml/'


 

Best Practices

Issue: Open redirect
Details: With SSO implemented, the FileCloud application may be vulnerable to an open redirect. An open redirect is an application weakness in which a URL parameter is used as the redirect target without validation, so an attacker can craft a link on the FileCloud domain that sends users to a site of the attacker's choosing. Avoid this by setting

'trusted.url.domains' => array()

in <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php, which stops simpleSAMLphp from redirecting to any external domain.

Issue: Admin login resources available
Details: FileCloud can end up exposing two administrative login interfaces: the FileCloud admin interface at /admin and the simpleSAMLphp admin pages under /simplesaml. Avoid this by setting the Log Mode to PROD in the SSO settings of the FileCloud admin interface; this disables the simpleSAMLphp admin page. The password for the simpleSAMLphp admin page is set by the 'auth.adminpassword' key in <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php and should be changed from its shipped value.
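An added example, not FileCloud or simpleSAMLphp code, that audits the config.php and php.ini settings named under Troubleshooting and Best Practices. The two config texts are constructed for the demonstration, and the parser understands only one-setting-per-line 'key' => value, entries, not arbitrary PHP; the 12-character minimum for the admin password is this example's own threshold, not a FileCloud requirement:

```python
"""Added example, not FileCloud or simpleSAMLphp code: a read-only audit of the
config.php keys named under Troubleshooting and Best Practices (baseurlpath,
auth.adminpassword, trusted.url.domains) and of the php.ini date.timezone
setting. The config texts are constructed, and the parser understands only
one-setting-per-line 'key' => value, entries, not arbitrary PHP."""
import re


def php_setting(config_text, key):
    """Raw PHP value after 'key' => on an uncommented line, or None if the key is absent."""
    pattern = r"""^\s*['"]%s['"]\s*=>\s*(.+?)\s*,?\s*$""" % re.escape(key)
    match = re.search(pattern, config_text, re.M)
    return match.group(1).strip() if match else None


def unquote(value):
    """Strip one layer of PHP single or double quotes from a scalar; None passes through."""
    if value and len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def audit_simplesaml_config(config_text):
    """Findings for the three settings the page calls out; an empty list means all are as recommended."""
    findings = []
    trusted = php_setting(config_text, "trusted.url.domains")
    if trusted is None or trusted.lower() == "null":
        findings.append("trusted.url.domains unset/null: redirects to any external URL allowed (open redirect)")
    elif re.fullmatch(r"array\(\s*\)|\[\s*\]", trusted) is None:
        findings.append(f"trusted.url.domains trusts external domains: {trusted} (page recommends array())")
    password = unquote(php_setting(config_text, "auth.adminpassword"))
    if password is None:
        findings.append("auth.adminpassword not set in this file")
    elif password == "123" or len(password) < 12:  # '123' is the placeholder in the simpleSAMLphp template
        findings.append("auth.adminpassword is the template placeholder or shorter than 12 characters")
    base = unquote(php_setting(config_text, "baseurlpath"))
    if base is None:
        findings.append("baseurlpath not set: required behind a reverse proxy (see Troubleshooting)")
    else:
        if not base.startswith(("http://", "https://")):
            findings.append(f"baseurlpath {base!r} is not the absolute external URL the reverse-proxy fix needs")
        elif not base.startswith("https://"):
            findings.append(f"baseurlpath {base!r} uses plain http; the SAML response carries the session")
        if not base.endswith("/simplesaml/"):
            findings.append(f"baseurlpath {base!r} does not end in /simplesaml/ (must match the Apache Alias)")
    return findings


def timezone_configured(php_ini_text):
    """True when php.ini sets date.timezone on an uncommented line (the strftime() error above)."""
    return re.search(r"^\s*date\.timezone\s*=\s*\S+", php_ini_text, re.M) is not None


# Constructed config.php fragments: one with weak values, one hardened as the page advises.
WEAK_CONFIG = """<?php
$config = array(
    'baseurlpath' => 'simplesaml/',
    // 'auth.adminpassword' => 'commented-out-line-must-be-ignored',
    'auth.adminpassword' => '123',
    'trusted.url.domains' => null,
);
"""
HARDENED_CONFIG = """<?php
$config = [
    'baseurlpath' => 'https://filecloud.example.com/simplesaml/',
    'auth.adminpassword' => 'Kq7v9pLm2xZ4wRt8nBdY',
    'trusted.url.domains' => array(),
];
"""
```

Point audit_simplesaml_config at the real <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php after every upgrade: a FileCloud or simpleSAMLphp update that rewrites the file can silently restore the defaults this section tells you to change.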

  

 

 
