...

This article describes how to integrate OneLogin as an SSO provider with FileCloud. SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties.

FileCloud

...

FileCloud acts as a Service Provider (SP) while the Customer or Partner acts as the identity provider (IdP).  FileCloud SAML SSO service is based on SAML v2.0 specifications.

 

Tip: Active Directory Federation Services (ADFS) Support

When the SAML SSO type is selected and ADFS is enabled in FileCloud, FileCloud acts as a Service Provider (SP) and as a claims-aware application: it accepts claims in the form of ADFS security tokens issued by the Federation Service and uses those claims for Single Sign-On (SSO) into FileCloud. To specify which identity claims are sent to FileCloud, refer to the IdP Configuration section below.

When ADFS is used, the IdP (Identity Provider) in this document refers to Active Directory Federation Server.

 

The following process explains how a user logs into a hosted FileCloud application through a customer-operated SAML-based SSO service.

...


...

Info: When the IdP successfully authenticates the user, the FileCloud (SP) authentication module checks whether that user account exists in FileCloud. If it does not, a new user account is created and the user is logged into FileCloud. Because accounts are provisioned on first login, every identity the IdP is willing to assert for this connector becomes a FileCloud user; control who can log in by assigning only the intended users or groups to the connector on the IdP side (see the OneLogin steps below).

 


FileCloud: Enable SAML

Add the following alias directive in the apache configuration to enable simplesamlphp folder.

...

  1. Log in to the OneLogin web UI.
  2. Click Apps → Add Apps.
  3. Search for "saml test connector" and select the sample connector named "SAML Test Connector (IdP)".

  4. In the add screen, enter a name for the connector, for example "FileCloud Connector". Click "Save".
  5. Open the created connector and switch to the "Configuration" tab.
  6. Assuming your FileCloud URL is "https://dev.company.com", fill in the following values in the Configuration tab.




  7. Once the Configuration tab is complete, switch to the "Parameters" tab.
  8. Add the following four parameters:

    Field name    Flags                        Value
    givenName     Include in SAML assertion    First Name
    mail          Include in SAML assertion    Email
    sn            Include in SAML assertion    Last Name
    uid           Include in SAML assertion    Username




  9. Save these changes. Once the save is complete, switch to the SSO tab.

IdP/ADFS Configuration

 

  1. In the

...

ADFS as IdP

The values below can be obtained from the ADFS Federation Metadata.

...

Default SSO Type

...

For SAML, select SAML

...

IdP End Point URL

...

Identity Provider URL

 

...

Identity Provider URL (Entity ID)

e.g. http://yourADFSdomainName/adfs/services/trust

...

IdP Username Parameter

...

Identifies the username (must be unique for each user). Usually uid or agencyUID.

Default value: uid

NOTE: The username must be unique. If the username sent by the IdP is in email format, only the email prefix (the part before the @) is used as the FileCloud username. That prefix must therefore be unique across all IdP users: two identities that differ only in their email domain would otherwise resolve to the same FileCloud account.

 

 

...

value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn or upn


...

IdP Email Parameter

...

Identifies the email of the user (must be unique)

Default value: mail

...

Identifies the email of the user (must be unique)

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or emailaddress


...

IdP Given Name Parameter

...

Identifies the given name of the user

Default value: givenName

...

Identifies the given name of the user.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or givenname


...

IdP Surname Parameter

...

Identifies the surname of the user

Default value: sn

...

Identifies the surname of the user

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname or surname
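To make the four parameters above concrete, here is an added example (not FileCloud or SimpleSAMLphp code) that resolves the username, email, given name and surname parameters against the attributes of a SAML assertion, accepting either the short name (uid, mail, givenName, sn) or the full ADFS claim URI, and applies the documented rule that an email-format username is reduced to its prefix. It also checks the uniqueness caveat from the IdP Username Parameter note. The assertion is constructed and unsigned; signature validation is deliberately out of scope, since in FileCloud that is SimpleSAMLphp's job before any attribute is read. The hostnames and the lookup order (short name first, then claim URI) are assumptions of this example.

```php
<?php
// Added example, not FileCloud code. Maps the IdP parameters on this page to
// attributes from a SAML assertion and applies the documented username rule.
// Signature validation is out of scope here (SimpleSAMLphp does it in FileCloud).

const ADFS_CLAIM_NS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';

/** Return attribute name => list of values from the assertion's AttributeStatement. */
function samlAttributes(string $assertionXml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing IdP-supplied XML.
    if (!$doc->loadXML($assertionXml, LIBXML_NONET)) {
        throw new InvalidArgumentException('assertion is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    $attrs = [];
    foreach ($xp->query('//saml:AttributeStatement/saml:Attribute') as $attr) {
        $name = $attr->getAttribute('Name');
        foreach ($xp->query('saml:AttributeValue', $attr) as $value) {
            $attrs[$name][] = trim($value->textContent);
        }
    }
    return $attrs;
}

/** Look up a configured parameter: first as given, then as an ADFS claim URI (assumed order). */
function attributeValue(array $attrs, string $configured): ?string
{
    foreach ([$configured, ADFS_CLAIM_NS . $configured] as $candidate) {
        if (!empty($attrs[$candidate][0])) {
            return $attrs[$candidate][0];
        }
    }
    return null;
}

/** Documented rule: an email-format username keeps only the part before '@'. */
function fileCloudUsername(string $raw): string
{
    return filter_var($raw, FILTER_VALIDATE_EMAIL) !== false
        ? strstr($raw, '@', true)
        : $raw;
}

/** Group raw usernames whose derived FileCloud usernames collide (the uniqueness caveat). */
function collidingUsernames(array $rawUsernames): array
{
    $byDerived = [];
    foreach ($rawUsernames as $raw) {
        $byDerived[fileCloudUsername($raw)][] = $raw;
    }
    return array_filter($byDerived, function (array $raws) {
        return count($raws) > 1;
    });
}

// Constructed, unsigned sample assertion using the ADFS claim URIs listed above.
$assertion = <<<'XML'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_example" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
XML;

// Short-name form of the ADFS settings from the table above.
$settings = ['username' => 'upn', 'email' => 'emailaddress',
             'givenname' => 'givenname', 'surname' => 'surname'];

$attrs = samlAttributes($assertion);
$user = [];
foreach ($settings as $field => $param) {
    $user[$field] = attributeValue($attrs, $param);
}
$user['username'] = fileCloudUsername($user['username']);  // "alice"
print_r($user);

// Uniqueness caveat: two IdP identities with the same email prefix would both
// land on the FileCloud account "alice"; "bob" is unaffected.
print_r(collidingUsernames(['alice@corp.example', 'alice@partner.example', 'bob']));
```

Run it with the PHP CLI (the DOM extension is needed). The collision report is the check to run against your directory export before enabling SSO: any group with more than one entry is a set of distinct IdP users who would share one FileCloud account.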


...

IdP Meta Data

...

Identity Provider Metadata in XML Format

...

Enable ADFS

...

No

...

Yes

...

If enabled, the user token expiration is set from the IdP's expiration settings.

If not enabled, the user token expiration is set from the FileCloud session timeout
(FileCloud admin UI - Settings - Server - Session Timeout in Days).

Default: No (not enabled)

...

If enabled, the user token expiration is set from the ADFS expiration settings.

If not enabled, the user token expiration is set from the FileCloud session timeout
(FileCloud admin UI - Settings - Server - Session Timeout in Days).

Default: No (not enabled)

...

Set the log mode for the SAML calls.

Default value: prod (do not use DEV on production systems; besides verbose logging, DEV leaves the SimpleSAMLphp admin page reachable, see Best Practices below)

...



Register FileCloud as SP in IdP/ADFS

Use the following URL (Entity ID) to register FileCloud as an SP with the IdP or ADFS. The same URL also serves the FileCloud SP metadata. Use the scheme (https in production) and host name that the IdP will actually redirect to: the entity ID registered at the IdP must match this value exactly.

Info:

http://<Your Domain>/simplesaml/module.php/saml/sp/metadata.php/default-sp

 

                   

There are two ways users get redirected from the FileCloud web browser interface to the Identity Provider's SAML Single Sign-On page.

  1. Using the Single Sign-On link on the login page.
  2. Using a direct URL to the customer's SAML SSO page.

To display the Single Sign-On link in the FileCloud web browser user interface, the "Show SSO link" option under Customization must be checked. When the user clicks the Single Sign-On link on the login page, the browser is redirected to the SAML SSO service web page.


 


...

 

Starting with FileCloud 13.0, the FileCloud admin interface also supports Single Sign-On. SSO can be used to log in to the admin interface for all users who have an account with the Identity Provider.

 


As an alternative, users can skip the FileCloud login page entirely and go directly to the SSO login page when they open the http://yourfileclouddomain URL.

To skip the login page, open the cloudconfig.php file under the <PATH TO FileCloud WEBROOT>/config folder and add the following line.

...

SSO for FileCloud Clients

Normally SSO works in the web browser. FileCloud clients such as FileCloud Sync and FileCloud Drive do not support Single Sign-On directly. Please see the documentation here for enabling SSO on desktop clients.

Note: At this point, SSO is not supported for mobile devices such as iOS or Android.

Troubleshooting

...

When FileCloud's outbound connections go through a proxy server, SAML will not work automatically.

Go to <FileCloud WEB ROOT>/thirdparty/simplesaml/config/filecloudconfig.php and add the proxy server information there, in the format user:password@yourproxyserverurl.com:

define("TONIDOCLOUD_SAML_PROXY", "ADD PROXY INFO HERE");

The proxy credentials are stored in clear text in this file, so restrict its file permissions to the web server account.

...

After setting the SAML log level to DEV, a log file is created under <FileCloud WEB ROOT>/thirdparty/simplesaml/log/simplesamlphp.log. Remember to set the level back to prod afterwards.

SimpleSAML_Error_Exception: Error 2 - strftime(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function.

Solution: the date.timezone setting must be set explicitly in php.ini.

 

...

When FileCloud is hosted behind a proxy server (a reverse proxy or load balancer in front of FileCloud), SAML will not work automatically, because SimpleSAMLphp builds its URLs from the request as it sees it rather than as the IdP sees it.

Go to <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php

and set the base URL to the externally visible address: 'baseurlpath' => 'http(s)://YOURFILECLOUDOMAIN/simplesaml/'. This must be the same URL as the SP endpoints registered with the IdP.

...

In this scenario, SimpleSAMLphp will most likely not work with the default configuration and requires memcache to manage the session, so that the node receiving the IdP's response can find the session state created by the node that sent the request.

Go to <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php

and set 'store.type' => 'memcache'

and set

'memcache_store.servers' => array(
    array(
        array('hostname' => 'localhost'),
    ),
),

where 'localhost' must be replaced with the IP of the memcache server as appropriate. memcache has no authentication of its own, so keep it on a private network reachable only from the FileCloud nodes.

 

Best Practices

...

The FileCloud application may be vulnerable to an open redirect when SSO is implemented. An open redirect is an application vulnerability that takes a parameter and redirects the user to the supplied parameter value without any validation.

This can be avoided by setting 'trusted.url.domains' => array() in <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php. With an empty array, SimpleSAMLphp accepts only return URLs on its own host; leaving the key as null disables the check entirely.

...

A FileCloud deployment can expose two administrative login interfaces: the admin API interface at /admin and the SimpleSAMLphp admin resource at /simpleSAML.

The second one can be avoided by setting the log level to "PROD" in the SSO settings under Settings in the FileCloud admin interface. This disables the SSO admin page under simpleSAML.

Also change the password for the SSO admin page under /simpleSAML, which is stored under the 'auth.adminpassword' key in <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php. The SimpleSAMLphp configuration template ships with a well-known default value for this key, so it must not be left in place.
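The settings from the Troubleshooting items above (baseurlpath for a proxied deployment, the memcache session store) and the two Best Practices (trusted.url.domains, auth.adminpassword) collected into one hardened excerpt of config.php. This is an added example, not FileCloud's shipped configuration file; the host name files.example.com, the memcache address 10.0.0.10 and the password value are placeholders to replace, and only the keys discussed on this page are shown. The proxy define from Troubleshooting belongs in filecloudconfig.php, not here.

```php
<?php
// Added example, not FileCloud's shipped file: a hardened excerpt of
// <FileCloud WEB ROOT>/thirdparty/simplesaml/config/config.php. Merge these
// keys into the existing $config array; values marked placeholder are assumptions.
$config = [
    // Externally visible URL of SimpleSAMLphp. Behind a reverse proxy or load
    // balancer this must be the public URL the IdP redirects back to, not a
    // backend node's own address, otherwise the generated SP metadata and the
    // AssertionConsumerService URL will not match what the IdP has registered.
    'baseurlpath' => 'https://files.example.com/simplesaml/',   // placeholder host

    // Several FileCloud nodes behind a load balancer: the AuthnRequest and the
    // IdP's Response may arrive at different nodes, so SAML session state must
    // live in a shared store rather than in each node's PHP session.
    'store.type' => 'memcache',
    'memcache_store.servers' => [
        [
            // placeholder: a memcache server reachable by every node. memcache has
            // no authentication, so bind it to a private interface only.
            ['hostname' => '10.0.0.10'],
        ],
    ],

    // Open-redirect guard. An empty array means only return URLs on this host
    // are accepted; a null value would disable the check entirely.
    'trusted.url.domains' => [],

    // Protects the second administrative entry point at /simpleSAML. Replace
    // the well-known value the SimpleSAMLphp template ships with by a long
    // random secret, and keep the SSO log mode at PROD so the admin page is
    // not reachable in the first place.
    'auth.adminpassword' => 'REPLACE-WITH-LONG-RANDOM-SECRET',   // placeholder
];
```

After editing, fetch the SP metadata URL from the "Register FileCloud as SP" section through the proxy and confirm the entityID and AssertionConsumerService locations it reports use the baseurlpath host, not a backend address.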

...

 

 

 

  1. SSO tab, note the "Issuer URL".
  2. Download the metadata file from "More Actions" → "SAML Metadata".
  3. Finally, add users to the newly created "FileCloud Connector", either individually or as a group. Only users assigned here will be able to log in to FileCloud through OneLogin.

FileCloud: SSO Configuration

  1. Log in to the FileCloud admin UI.
  2. Navigate to Settings → SSO tab.
  3. Set Default SSO Type to SAML.
  4. Use the following table to fill in the SAML configuration.

    SAML Setting                Value
    IdP Endpoint URL            The "Issuer URL" noted in the previous section (OneLogin SSO tab)
    IdP Username Parameter      uid
    IdP Email Parameter         mail
    IdP Given Name Parameter    givenName
    IdP Surname Parameter       sn
    IdP Meta Data               Copy and paste the contents of the SAML metadata file downloaded from the OneLogin web UI



  5. Save the changes