
Configuring ADFS SAML 2.0

Overview

 

For a FilesAnywhere application with the Single Sign On feature enabled, the following information is required for the Active Directory setup:

Client ID: <<CLIENT_ID>>

Common URL: <<WEBURL>>

 

The customer's Active Directory administrator needs to configure the FilesAnywhere application as a trusted relying party, as described in the documentation below.

Things to note:

  • Replace <<CLIENT_ID>> (also written <<CLIENTID>> below) with your Client ID, e.g. 1324
  • Replace <<WEBURL>> with your site URL, e.g. https://private.filesanywhere.com
  • When copying and pasting from this document, remove any leading and trailing spaces.

 

 

General ADFS Setup

The steps below use dev-dc001.dev.faw as the ADFS 2.0 web site. Replace this name with your own ADFS 2.0 web site address.

  1. Log into the ADFS 2.0 server.
  2. Open the ADFS management console (Server Manager -> Dashboard -> Tools -> ADFS Management).
  3. Right-click Service and choose Edit Federation Service Properties...
  4. Take note of the Federation Service Identifier, since it will be needed for the FilesAnywhere SAML 2.0 configuration settings.


 

Export your Token Signing Certificate

  1. Open the ADFS management console.
  2. Navigate to ADFS -> Service -> Certificates.
  3. Click on your Token Signing Certificate.
  4. Right-click and select View Certificate.
  5. Select the Details tab.
  6. Click Copy to File… (the Certificate Export Wizard opens).
  7. Click Next.
  8. On Export File Format, select DER encoded binary X.509 (.CER) and click Next.
  9. Enter a save location and a file name, then click Next.
  10. Click Finish.
  11. FilesAnywhere requires this certificate in PEM format. You can convert it using client tools or online tools such as SSL Shopper (https://www.sslshopper.com/ssl-converter.html):
    1. Input your exported certificate (.CER)
    2. Select Type of Current Certificate as DER/Binary
    3. Select Type To Convert To as PEM
    4. Click Convert Certificate (it will download a file with extension .crt)
    5. Provide this file to FilesAnywhere

 

 

Add Relying Party Trust for FilesAnywhere web app

  1. Open the ADFS management console.
  2. Navigate to AD FS -> Trust Relationships -> Relying Party Trusts.
  3. Right-click and select Add Relying Party Trust… (this starts the Add Relying Party Trust Wizard).
  4. Click Start on the Welcome step.
  5. Select Enter data about the relying party manually and click Next.
  6. On the Specify Display Name step, enter the display name FAWADFSWEB<<CLIENTID>> and click Next.
  7. On the Choose Profile step, select ADFS Profile and click Next.
  8. Click Next on the Configure Certificate step.
  9. Select Enable Support for the SAML 2.0 Web SSO protocol, enter the Relying party SAML 2.0 SSO service URL as <<WEBURL>>saml.aspx?c=<<CLIENT_ID>> and click Next.
  10. Enter FAWADFSWEB<<CLIENTID>> as the Relying party trust identifier, click Add and then click Next.
  11. On the Choose Issuance Authorization Rules step, select Permit all users to access this relying party and click Next. (On Windows 2012, select "I do not want to configure multi-factor authentication settings for this relying party trust at this time." and click Next.)
  12. Review the data on the Ready to Add Trust step and click Next.
  13. Uncheck the Open the Edit Claim Rules… option and click Close.
     

 

 

Add Relying Party Trust for API integration

  1. Open the ADFS management console.
  2. Navigate to AD FS -> Trust Relationships -> Relying Party Trusts.
  3. Right-click and select Add Relying Party Trust… (this starts the Add Relying Party Trust Wizard).
  4. Click Start on the Welcome step.
  5. Select Enter data about the relying party manually and click Next.
  6. On the Specify Display Name step, enter the display name FAWADFSAPI<<CLIENTID>> and click Next.
  7. On the Choose Profile step, select ADFS Profile and click Next.
  8. Click Next on the Configure Certificate step.
  9. Select Enable Support for the SAML 2.0 Web SSO protocol, enter the Relying party SAML 2.0 SSO service URL as <<WEBURL>>SAML.aspx?RelayState=API&c=<<CLIENT_ID>> and click Next.
  10. Enter FAWADFSAPI<<CLIENTID>> as the Relying party trust identifier, click Add and then click Next.
  11. On the Choose Issuance Authorization Rules step, select Permit all users to access this relying party and click Next.
  12. Review the data on the Ready to Add Trust step and click Next.
  13. Uncheck the Open the Edit Claim Rules… option and click Close.
     

 

Add Relying Party Trust for Mobile Web app (m.filesanywhere.com)

  1. Open the ADFS management console.
  2. Navigate to AD FS -> Trust Relationships -> Relying Party Trusts.
  3. Right-click and select Add Relying Party Trust… (this starts the Add Relying Party Trust Wizard).
  4. Click Start on the Welcome step.
  5. Select Enter data about the relying party manually and click Next.
  6. On the Specify Display Name step, enter the display name FAWADFSMOBILEWEB<<CLIENTID>> and click Next.
  7. On the Choose Profile step, select ADFS Profile and click Next.
  8. Click Next on the Configure Certificate step.
  9. Select Enable Support for the SAML 2.0 Web SSO protocol, enter the Relying party SAML 2.0 SSO service URL as https://m.filesanywhere.com/SSOLogin.aspx and click Next.
  10. Enter FAWADFSMOBILEWEB<<CLIENTID>> as the Relying party trust identifier, click Add and then click Next.
  11. On the Choose Issuance Authorization Rules step, select Permit all users to access this relying party and click Next.
  12. Review the data on the Ready to Add Trust step and click Next.
  13. Uncheck the Open the Edit Claim Rules… option and click Close.
     

 

 

Configure Claim Rules

Note: Claim rules need to be configured individually for each of the relying party trusts added:

  1. FAWADFSWEB<<CLIENTID>>
  2. FAWADFSAPI<<CLIENTID>>
  3. FAWADFSMOBILEWEB<<CLIENTID>>

     

Add Custom rule to get all required attributes from Active Directory

  1. Click Add Rule.
  2. On the Choose Rule Type step, select Send Claims Using a Custom Rule and click Next.
  3. Set the claim rule name to CustomRule1 and paste the formula below into Custom rule:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.filesanywhere.com/identity/claims/distinguishedName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";displayName,mail,givenName,distinguishedName,sn,tokenGroups(longDomainQualifiedName),userPrincipalName;{0}", param = c.Value);
  4. Click Finish.

 

 

Add Custom rule to get ClientID

 

  1. Click Add Rule.
  2. On the Choose Rule Type step, select Send Claims Using a Custom Rule and click Next.
  3. Set the claim rule name to CustomRule2 and paste the formula below into Custom rule:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
    => issue(Type = "http://filesanywhere.org/claims/ClientID", Value = "<<CLIENT_ID>>");
  4. Click Finish.
  5. Click OK.
     

 

Configure secure hash algorithm

 

  1. Log in to the ADFS server.
  2. Open ADFS Management and navigate to ADFS -> Relying Party Trusts.
  3. Right-click the relying party trust FAWADFSWEB<<CLIENTID>> and select Properties.
  4. On the Advanced tab, set Secure hash algorithm to SHA-1 and click OK.
  5. Repeat steps 1-4 to set the secure hash algorithm for the relying party trust FAWADFSAPI<<CLIENTID>> to SHA-1.
  6. Repeat steps 1-4 to set the secure hash algorithm for the relying party trust FAWADFSMOBILEWEB<<CLIENTID>> to SHA-1.
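The same result as the three Add Relying Party Trust sections, the Configure Claim Rules section and the secure hash algorithm setting above, scripted with the ADFS PowerShell module instead of the wizard. This is an added example, not code from the original article or from FilesAnywhere; it assumes it runs on the ADFS server and that the two placeholders at the top are filled in.

```powershell
# Added example, not part of the original article: creates the three relying party
# trusts from the wizard steps above in one go. Assumes the ADFS PowerShell module
# (run on the ADFS server) and that the two placeholders are filled in.
$ClientId = '<<CLIENT_ID>>'                  # e.g. 1324
$WebUrl   = '<<WEBURL>>'.TrimEnd('/')        # e.g. https://private.filesanywhere.com (a "/" is added below)

# Display name, identifier and SAML 2.0 SSO service URL exactly as in the wizard steps
$trusts = @(
    @{ Name = "FAWADFSWEB$ClientId";       Acs = "$WebUrl/saml.aspx?c=$ClientId" },
    @{ Name = "FAWADFSAPI$ClientId";       Acs = "$WebUrl/SAML.aspx?RelayState=API&c=$ClientId" },
    @{ Name = "FAWADFSMOBILEWEB$ClientId"; Acs = 'https://m.filesanywhere.com/SSOLogin.aspx' }
)

# The rule the wizard's "Permit all users to access this relying party" option creates
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# CustomRule1 and CustomRule2 from the "Configure Claim Rules" section, applied to every trust
$transformRules = @"
@RuleName = "CustomRule1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.filesanywhere.com/identity/claims/distinguishedName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";displayName,mail,givenName,distinguishedName,sn,tokenGroups(longDomainQualifiedName),userPrincipalName;{0}", param = c.Value);
@RuleName = "CustomRule2"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://filesanywhere.org/claims/ClientID", Value = "$ClientId");
"@

foreach ($t in $trusts) {
    if (Get-AdfsRelyingPartyTrust -Name $t.Name -ErrorAction SilentlyContinue) { "$($t.Name) already exists, skipping"; continue }
    # "Enable support for the SAML 2.0 WebSSO protocol" = one SAML assertion consumer endpoint (POST binding)
    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $t.Acs -Index 0
    # -SignatureAlgorithm is the "Secure hash algorithm: SHA-1" setting the article requires; SHA-1 is
    # deprecated for signatures, so move to rsa-sha256 as soon as the service provider supports it
    Add-AdfsRelyingPartyTrust -Name $t.Name -Identifier $t.Name -SamlEndpoint $acs `
        -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $transformRules `
        -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
}

# Verify: every trust exists with the expected identifier, endpoint and signature algorithm
Get-AdfsRelyingPartyTrust -Name ($trusts | ForEach-Object Name) |
    Select-Object Name, Identifier, SignatureAlgorithm, @{ n = 'ACS'; e = { $_.SamlEndpoints[0].Location } }
```

The article concatenates <<WEBURL>> directly with saml.aspx, so the script strips any trailing "/" and adds one itself; check the resulting ACS URLs in the verification output against the values in the wizard steps.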

 

 

Authorization for a Group

If the customer wants to restrict access to the FilesAnywhere application to specific groups in Active Directory, the following configuration needs to be repeated for each AD group to which access should be restricted.

  1. Get the SID of the group:
  2. Replace the group name (Support) in the command below with your group name:
    dsquery group -name Support | dsget group -sid
  3. Open a command prompt and run the command for your group.
  4. Note down the group SID.
  5. Open the ADFS management console.
  6. Navigate to AD FS -> Trust Relationships -> Relying Party Trusts.
  7. Right-click the relying party trust added in the steps above and select Edit Claim Rules…
  8. Select Issuance Authorization Rules and remove the existing rule (Permit Access to All Users).
  9. Click Add Rule…, select the claim rule template Send Claims Using a Custom Rule and click Next.
  10. Replace GROUP_SID in the formula below with your group SID (collected in steps 1 to 4), paste it into Custom rule and click Finish.
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)GROUP_SID$"]
    => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

Note:

  1. This configuration (Authorization for a Group) needs to be repeated for all the relying party trusts that were added, i.e.:
    FAWADFSWEB<<CLIENTID>>
    FAWADFSAPI<<CLIENTID>>
    FAWADFSMOBILEWEB<<CLIENTID>>
  2. If the customer wants the FilesAnywhere account to be created automatically for a new user logging in with AD credentials (instead of first creating it manually in the admin console), they will have to enable "user self-enrollment" on the "Single-Sign-On (SSO) Settings" tab of the "Site Configuration" section of the Admin Console. Moreover, if a FilesAnywhere group exists whose name is exactly the same as the AD group, the user will automatically be assigned the permissions to the shared folders within that group.
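The group restriction above, applied to all three relying party trusts at once. This is an added example, not code from the original article; it resolves the group SID with Get-ADGroup (ActiveDirectory module) instead of dsquery/dsget, assumes the ADFS module is available on the ADFS server, and uses a constructed group list.

```powershell
# Added example, not part of the original article: restricts all three relying party
# trusts to the listed AD groups. Assumes the ActiveDirectory and ADFS PowerShell
# modules, the trust names from the sections above, and a constructed group list.
$ClientId   = '<<CLIENT_ID>>'
$GroupNames = @('Support')        # constructed example; list every AD group that should be permitted
$trustNames = @("FAWADFSWEB$ClientId", "FAWADFSAPI$ClientId", "FAWADFSMOBILEWEB$ClientId")

# Resolve each group to its SID (same value as "dsquery group -name Support | dsget group -sid")
# and build one authorization rule per group in the form the article gives for GROUP_SID
$rules = foreach ($g in $GroupNames) {
    $sid = (Get-ADGroup -Identity $g).SID.Value
@"
@RuleName = "Permit $g"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$sid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@
}
$authzRules = $rules -join "`n"

foreach ($name in $trustNames) {
    # Replaces the wizard's "Permit all users" rule. ADFS refuses to issue a token when no permit
    # claim is produced, so users outside the listed groups are stopped at ADFS, before FilesAnywhere
    Set-AdfsRelyingPartyTrust -TargetName $name -IssuanceAuthorizationRules $authzRules
}

# Verify: each trust now carries only the group rules and no permit-all rule
Get-AdfsRelyingPartyTrust -Name $trustNames | Select-Object Name, IssuanceAuthorizationRules
```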

 

 

 

Information to be provided to FilesAnywhere

Please provide the following information to FilesAnywhere:

  1. The Federation Service Identifier gathered in General ADFS Setup
  2. The exported token signing certificate in PEM format
  3. Replace the placeholder in the URL below with your ADFS federation service domain name, and verify that the URL works on your network and returns the ADFS sign-on page:
    https://<ADFS federation service domain name>/adfs/ls/IdpInitiatedSignOn.aspx
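Collecting the three items above, and the PEM conversion from Export your Token Signing Certificate, directly on the ADFS server. This is an added example, not code from the original article; the output folder is an assumption, and the PEM is written from the ADFS configuration so the certificate never has to pass through the DER export or an online converter.

```powershell
# Added example, not part of the original article: collects the three items to send to
# FilesAnywhere on the ADFS server. The output folder is an assumption; the PEM is built
# directly from the token-signing certificate, so no DER export or online converter is needed.
$outDir = 'C:\FilesAnywhere-SSO'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$props = Get-AdfsProperties

# 1. Federation Service Identifier (the value noted in "General ADFS Setup")
$props.Identifier.AbsoluteUri | Set-Content -Path "$outDir\federation-service-identifier.txt"

# 2. Primary token-signing certificate as PEM: Base64 of the DER bytes in 64-column lines
$signing = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$der = $signing.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der) -replace '(.{64})', "`$1`n"
$pem = "-----BEGIN CERTIFICATE-----`n" + $b64.TrimEnd("`n") + "`n-----END CERTIFICATE-----`n"
Set-Content -Path "$outDir\token-signing.pem" -Value $pem -Encoding Ascii
"Token-signing certificate $($signing.Thumbprint) valid until $($signing.NotAfter)"
if ($props.AutoCertificateRollover) {
    # ADFS will generate a new token-signing certificate before NotAfter; the new PEM must be
    # sent to FilesAnywhere before the rollover or SAML signatures will stop validating
    "AutoCertificateRollover is on: repeat this export before the certificate rolls over"
}

# 3. IdP-initiated sign-on page reachable (the URL from item 3 above, using the service's host name)
$url = "https://$($props.HostName)/adfs/ls/IdpInitiatedSignOn.aspx"
$status = (Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode
"$url -> HTTP $status"
```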

 

Additional Information

  1. Once Single Sign On is enabled for the customer account, a Use Company Credentials / SSO button appears on the login page.
    1. All SSO users use the Use Company Credentials / SSO button to log in to FilesAnywhere and to all apps (Android app, iPhone app, Outlook add-ins, mobile web app).
    2. All non-SSO users use the Login button to sign in to FilesAnywhere.
  2. SSO users will not be able to use FTPS/SFTP with company credentials; these services will be disabled for them.

 

 
