Overview
For the FilesAnywhere application with the Single Sign On feature enabled, the information below is required for the Active Directory setup:
Client ID: <<CLIENT_ID>>
COMMON URL: <<WEBURL>>
The customer's Active Directory administrator needs to configure the FilesAnywhere application as a trusted relying party application as described in the documentation below.
Things to note:
- Replace <<CLIENTID>> (also written <<CLIENT_ID>> below) with your Client ID, e.g. 1324
- Replace <<WEBURL>> with your Site URL, e.g. https://private.filesanywhere.com
- When copying and pasting from this document, remove any leading and trailing spaces.
General ADFS Setup
The steps below use dev-dc001.dev.faw as the ADFS 2.0 Web site. Replace this name with your ADFS 2.0 Web site address.
- Log into the ADFS 2.0 server
- Open the ADFS management console (Server Manager -> Dashboard -> Tools -> ADFS Management).
- Right-click Service and choose Edit Federation Service Properties...
- Take note of the Federation Service Identifier, since this will be needed for the FilesAnywhere SAML 2.0 configuration settings.
Export your Token Signing Certificate
- Open the ADFS management console
- Navigate to ADFS -> Service -> Certificates
- Click on your Token Signing Certificate
- Right click and Select View Certificate
- Select the Details
- Click Copy to File… (Certificate Export Wizard opens)
- Select Next
- On Export File Format select DER encoded binary X.509 (.CER) and click Next
- Input save location and give it a file name. Click Next
- Click Finish
- FilesAnywhere requires that this certificate be in PEM format. You can convert this certificate using client tools or online tools such as SSL Shopper (https://www.sslshopper.com/ssl-converter.html).
- Input your exported certificate (.CER)
- Select Type of Current Certificate as DER/Binary
- Select Type To convert To as PEM
- Click Convert Certificate (It will download a file with extension .crt)
- Provide this file to FilesAnywhere
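The same export, done locally on the ADFS server with PowerShell so that no online converter is needed. This is an added example, not part of the FilesAnywhere documentation; the output path is an assumption.

```powershell
# Added example (not part of the FilesAnywhere documentation): export the primary
# ADFS token-signing certificate as PEM and read the Federation Service Identifier
# directly on the ADFS server. The output path is an assumption; change it as
# required. Run in an elevated PowerShell session on the ADFS server.

# ADFS 2.0 (Windows Server 2008 R2) ships its cmdlets as a snap-in; later versions
# auto-load the ADFS module, so this step is skipped there.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
}

# Federation Service Identifier, needed for the FilesAnywhere SAML 2.0 settings
$fedId = (Get-AdfsProperties).Identifier
Write-Host "Federation Service Identifier: $fedId"

# Primary token-signing certificate (the one ADFS currently signs assertions with)
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } | Select-Object -First 1
$cert = $signing.Certificate

# X509ContentType::Cert exports the public certificate only, never the private key
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# PEM (RFC 7468): base64 of the DER bytes, 64 characters per line, between markers
$b64   = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"

# Write plain ASCII without a BOM; a UTF-8 BOM or stray whitespace breaks PEM parsers
$outFile = Join-Path $env:USERPROFILE 'Desktop\adfs-token-signing.pem'   # assumed path
[System.IO.File]::WriteAllText($outFile, $pem, [System.Text.Encoding]::ASCII)

# Details to compare against the Certificates view in the ADFS console
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Not after:  $($cert.NotAfter)"
Write-Host "PEM written to $outFile"
```

The thumbprint printed at the end should match the one shown for the token-signing certificate in the ADFS console before the PEM file is sent to FilesAnywhere.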
Add Relying Party Trust for FilesAnywhere web app
- Open the ADFS management console
- Navigate to AD FS -> Trust Relationships -> Relying Party Trusts
- Right-click and select Add Relying Party Trust… (this starts the Add Relying Party Trust Wizard)
- Click Start on Welcome step
- Select Enter data about the relying party manually and click Next
- Enter FAWADFSWEB<<CLIENTID>> as the Display name on the Specify Display Name step and click Next
- Select ADFS Profile on Choose Profile step and click Next
- Click Next on Configure Certificate step
- Select Enable Support for the SAML 2.0 Web SSO protocol and enter <<WEBURL>>saml.aspx?c=<<CLIENT_ID>> as the Relying party SAML 2.0 SSO service URL, then click Next
- Enter FAWADFSWEB<<CLIENTID>> as the Relying party trust identifier, click Add, then click Next
- Select Permit all users to access this relying party on Choose Issuance Authorization Rules step and click Next
(On Windows Server 2012, select “I do not want to configure multi-factor authentication settings for this relying party trust at this time.” and click Next.)
- Review data on Ready to Add Trust step and click Next
- Uncheck the Open the Edit Claim Rules … option and click Close
Add Relying Party Trust for API integration
- Open the ADFS management console
- Navigate to AD FS -> Trust Relationships -> Relying Party Trusts
- Right-click and select Add Relying Party Trust… (this starts the Add Relying Party Trust Wizard)
- Click Start on Welcome step
- Select Enter data about the relying party manually and click Next
- Enter FAWADFSAPI<<CLIENTID>> as the Display name on the Specify Display Name step and click Next
- Select ADFS Profile on Choose Profile step and click Next
- Click Next on Configure Certificate step
- Select Enable Support for the SAML 2.0 Web SSO protocol and enter <<WEBURL>>SAML.aspx?RelayState=API&c=<<CLIENT_ID>> as the Relying party SAML 2.0 SSO service URL, then click Next
- Enter FAWADFSAPI<<CLIENTID>> as the Relying party trust identifier, click Add, then click Next
- Select Permit all users to access this relying party on Choose Issuance Authorization Rules step and click Next
- Review data on Ready to Add Trust step and click Next
- Uncheck the Open the Edit Claim Rules … option and click Close
Add Relying Party Trust for Mobile Web app (m.filesanywhere.com)
- Open the ADFS management console
- Navigate to AD FS -> Trust Relationships -> Relying Party Trusts
- Right-click and select Add Relying Party Trust… (this starts the Add Relying Party Trust Wizard)
- Click Start on Welcome step
- Select Enter data about the relying party manually and click Next
- Enter FAWADFSMOBILEWEB<<CLIENTID>> as the Display name on the Specify Display Name step and click Next
- Select ADFS Profile on Choose Profile step and click Next
- Click Next on Configure Certificate step
- Select Enable Support for the SAML 2.0 Web SSO protocol and enter https://m.filesanywhere.com/SSOLogin.aspx as the Relying party SAML 2.0 SSO service URL, then click Next
- Enter FAWADFSMOBILEWEB<<CLIENTID>> as the Relying party trust identifier, click Add, then click Next
- Select Permit all users to access this relying party on Choose Issuance Authorization Rules step and click Next
- Review data on Ready to Add Trust step and click Next
- Uncheck the Open the Edit Claim Rules … option and click Close
Configure Claim Rules
Note: Claim rules need to be configured individually for all the Relying party trusts added:
- FAWADFSWEB<<CLIENTID>>
- FAWADFSAPI<<CLIENTID>>
- FAWADFSMOBILEWEB<<CLIENTID>>
Add Custom rules to get all required attributes from Active directory
- Click on Add Rule
- Select Send Claims Using a Custom Rule on the Choose Rule Type step and click Next
- Set the Claim rule name to CustomRule1 and paste the formula below into the Custom rule box:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.filesanywhere.com/identity/claims/distinguishedName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";displayName,mail,givenName,distinguishedName,sn,tokenGroups(longDomainQualifiedName),userPrincipalName;{0}", param = c.Value);
- Click Finish.
Add Custom rule to get ClientID
- Click on Add Rule
- Select Send Claims Using a Custom Rule on the Choose Rule Type step and click Next
- Set the Claim rule name to CustomRule2 and paste the formula below into the Custom rule box:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(Type = "http://filesanywhere.org/claims/ClientID", Value = "<<CLIENT_ID>>");
- Click Finish.
- Click OK
Configure secure hash algorithm
- Login to ADFS server
- Navigate to ADFS Management (ADFS-> Relying Party Trust)
- Right-click the relying party trust added for FAWADFSWEB<<CLIENTID>> and select Properties
- Navigate to the Advanced tab, set Secure hash algorithm to SHA-1 and click OK
- Set the Secure hash algorithm for the relying party trust FAWADFSAPI<<CLIENTID>> to SHA-1 using steps 1-4 above.
- Set the Secure hash algorithm for the relying party trust FAWADFSMOBILEWEB<<CLIENTID>> to SHA-1 using steps 1-4 above.
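A PowerShell check that the three relying party trusts created in the sections above match this guide (identifier, SAML endpoint URL, SHA-1 signature algorithm and the ClientID claim rule). This is an added example, not FilesAnywhere's own code; it assumes Client ID 1324 and the site URL https://private.filesanywhere.com from the page's placeholders.

```powershell
# Added example (not from the FilesAnywhere documentation): check that the three
# relying party trusts match this guide. Assumes Client ID 1324 and the site URL
# https://private.filesanywhere.com from the page's placeholders (with a trailing
# slash so the SAML path appends cleanly), and that the ADFS cmdlets are available.
$clientId = '1324'
$webUrl   = 'https://private.filesanywhere.com/'
$sha1Uri  = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Display name / identifier => expected SAML 2.0 Web SSO service URL
$expected = @{
    "FAWADFSWEB$clientId"       = "${webUrl}saml.aspx?c=$clientId"
    "FAWADFSAPI$clientId"       = "${webUrl}SAML.aspx?RelayState=API&c=$clientId"
    "FAWADFSMOBILEWEB$clientId" = 'https://m.filesanywhere.com/SSOLogin.aspx'
}

foreach ($name in $expected.Keys) {
    $rp = Get-AdfsRelyingPartyTrust -Name $name
    if (-not $rp) { Write-Warning "$name : relying party trust not found"; continue }

    # The identifier typed in the wizard must be exactly the display name
    $idOk = $rp.Identifier -contains $name

    # Assertion consumer endpoint created by "Enable Support for the SAML 2.0 Web SSO protocol"
    $acs   = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' }
    $urls  = @($acs | ForEach-Object { $_.Location.AbsoluteUri })
    $urlOk = $urls -contains $expected[$name]

    # SHA-1 is the weaker of the two algorithms ADFS offers; the guide requires it only
    # for these three trusts, so other trusts should stay at the SHA-256 default.
    $hashOk = $rp.SignatureAlgorithm -eq $sha1Uri

    # CustomRule2 must issue the ClientID claim with this client's value
    $clientIdClaimOk = $rp.IssuanceTransformRules -match "filesanywhere\.org/claims/ClientID.*$clientId"

    [pscustomobject]@{
        Trust             = $name
        IdentifierOk      = $idOk
        EndpointOk        = $urlOk
        SignatureIsSha1   = $hashOk
        ClientIdClaimOk   = $clientIdClaimOk
        RestrictedToGroup = [bool]($rp.IssuanceAuthorizationRules -match 'groupsid')
    }
}
```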
Authorization for a Group
If the customer wants to restrict access to the FilesAnywhere application to a specific Active Directory group, the following configuration needs to be repeated for each AD group that should be allowed access.
- Get the group SID for the group.
- Update the group name (Support in the example) in the command below.
- Open the command prompt and run the command for your group:
dsquery group -name Support | dsget group -sid
- Note down the Group SID.
- Open the ADFS management console
- Navigate to AD FS -> Trust Relationships -> Relying Party Trusts
- Right click on the Relying Party trust added in above steps and Select Edit Claim Rules…
- On the Issuance Authorization Rules tab, remove the existing rule (Permit Access to All Users)
- Click Add Rule… and Select Claim Rule Template as Send Claims Using a Custom Rule and click Next
- Replace GROUP_SID in the formula below with the group SID collected in steps 1 to 4, paste it into the Custom rule box and click Finish.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)GROUP_SID$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
Note:
- This configuration (Authorization for a Group) needs to be repeated for all the relying party trusts that have been added, i.e.:
FAWADFSWEB<<CLIENTID>>
FAWADFSAPI<<CLIENTID>>
FAWADFSMOBILEWEB<<CLIENTID>>
- If the customer wants the FilesAnywhere account to be created automatically for a new user logging in with their AD credentials (instead of it first being created manually in the admin console), they will have to enable “user self-enrollment” from the “Single-Sign-On (SSO) Settings” tab of the “Site Configuration” section of the Admin Console. Moreover, if there exists a FilesAnywhere Group whose name is exactly the same as the AD group, the user will automatically be assigned the permissions to the shared folders within this group.
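The group restriction above, scripted for all three relying party trusts at once. This is an added example, not FilesAnywhere's own code; it assumes the group name Support and Client ID 1324 from the page, and that the ActiveDirectory and ADFS cmdlets are available on the server.

```powershell
# Added example (not from the FilesAnywhere documentation): build the group-based
# issuance authorization rule shown above for one AD group and apply it to all three
# relying party trusts. Assumes the group name 'Support' and Client ID 1324 from the
# page, and that the ActiveDirectory and ADFS cmdlets are available on the server.
$groupName = 'Support'
$clientId  = '1324'
$apply     = $false     # set to $true to replace the rules; $false only reports
$trusts    = "FAWADFSWEB$clientId", "FAWADFSAPI$clientId", "FAWADFSMOBILEWEB$clientId"

# 1. Resolve the group SID (same result as dsquery group ... | dsget group -sid)
$sid = (Get-ADGroup -Identity $groupName).SID.Value
if ($sid -notmatch '^S-1-\d+(-\d+)+$') {
    throw "'$sid' does not look like a SID for group '$groupName'"
}

# 2. Fill in the page's rule template. The SID is matched as an anchored regex, so a
# SID that merely starts with this one (for example a different RID) is not permitted.
$rule = @"
@RuleName = "Permit members of $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)${sid}$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# 3. Replace the default "Permit Access to All Users" rule on each trust. Setting
# IssuanceAuthorizationRules overwrites the whole authorization rule set for that trust.
foreach ($name in $trusts) {
    if (-not (Get-AdfsRelyingPartyTrust -Name $name)) {
        Write-Warning "$name : relying party trust not found"; continue
    }
    if ($apply) {
        Set-AdfsRelyingPartyTrust -TargetName $name -IssuanceAuthorizationRules $rule
    }
    # 4. Report whether the trust is restricted to this group rather than open to all.
    # The default permit-all template issues the permit claim with Value = "true".
    $current = (Get-AdfsRelyingPartyTrust -Name $name).IssuanceAuthorizationRules
    [pscustomobject]@{
        Trust             = $name
        RestrictedToGroup = [bool]($current -match [regex]::Escape($sid))
        PermitsEveryone   = [bool]($current -match 'Value\s*=\s*"true"')
    }
}
```

Run it once with $apply left at $false to see the current state, and again with $apply set to $true to apply the rule.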
Information to be provided to FilesAnywhere
Please click here to provide the following information to FilesAnywhere:
- Federation Service Identifier gathered in General ADFS setup
- Exported Token signing certificate in PEM format
- Replace the placeholder in the URL below with your ADFS federation service domain name, then verify that the URL works from your network and shows the ADFS sign-on page:
https://<ADFS federation service domain name>/adfs/ls/IdpInitiatedSignOn.aspx
Additional Information
- Once Single Sign On is enabled for the customer account, a Use Company Credentials / SSO button appears on the login page.
- All SSO users use the Use Company Credentials / SSO button to log in to FilesAnywhere and to all apps (Android app, iPhone app, Outlook add-ins, Mobile web app).
- All non-SSO users use the Login button to sign in to FilesAnywhere.
- SSO users will not be able to use FTPS/SFTP with company credentials, and these services will be disabled for them.