SAML authentication with ShareFile using AD FS 2.0

9:52 PM

One of the most common questions we get from client companies adopting ShareFile is how to enable SSO with ShareFile using their existing Active Directory credentials. Not surprising: single sign-on is not only a huge boost to the user experience, it also improves governance (one place to disable an account, one password policy, one audit trail).

Your first option should be CloudGateway. CloudGateway uses SAML for single sign-on, manages account provisioning, provides an administration workflow, integrates with Citrix Receiver, and more. We just released a connector for ShareFile that makes this configuration very easy.

If you cannot use CloudGateway, another option is Active Directory Federation Services 2.0 (AD FS 2.0). AD FS 2.0 is a downloadable component for Windows Server 2008 and 2008 R2. It is fairly easy to deploy, but there are several configuration steps that require specific settings, certificates, URLs, etc., and getting them all right can be tricky.

I figured a step-by-step guide could save people a lot of time, so here you go: how to configure AD FS 2.0 for SSO with ShareFile.com.

You can skip to Step 4 if you have already deployed AD FS 2.0.

Step 1: Federation Service certificate

Each AD FS deployment is identified by a DNS name; I will use adfs.mydomain.com as an example for the rest of this post. You will need a certificate issued to that name (as the Subject name) before starting. This identifier is visible from the outside, so choose something suitable to represent your business to partners. Also, do not use this name as the host name of the server itself: it will cause trouble with Service Principal Name (SPN) registration if you do.

There are many ways to generate a certificate. The easiest, if you have a certification authority in your domain, is to use the IIS 7 management console:

  • Open the Web Server (IIS) Management snap-in
  • Select the server node in the navigation tree, then the Server Certificates option
  • Select Create Domain Certificate
  • Enter your Federation Service name as the common name: adfs.mydomain.com in my example
  • Select your Active Directory Certification Authority
  • Enter a friendly name for the certificate (any identifier will do)

If you did not use the IIS console to generate the cert, make sure the certificate (with its private key) is bound to the IIS service on the servers where you will install AD FS before continuing.

Step 2: Create a domain user account

The AD FS servers require a domain user account to run their services. Create a plain domain user; no specific group memberships are needed, and you should not use a Domain Admin account as a service account.

Step 3: Install the first AD FS server

  • Download AD FS 2.0 and run the installer. Make sure you run the installer as a domain administrator: it will create SPNs and other containers in AD
  • In Server Role, select "Federation Server"
  • Check "Start the AD FS 2.0 Management snap-in when this wizard closes" on the last page of the setup wizard. In the AD FS 2.0 Management snap-in:
  • Click "Create a new Federation Service"
  • Select "New federation server farm"
  • Select the certificate you created in the previous step
  • Select the domain user you created in the previous step

Step 4: Configure the Relying Party

In this step we tell AD FS what kind of SAML token ShareFile.com accepts. For the example, suppose I have a ShareFile account named mydomain.sharefile.com. In the AD FS 2.0 Management snap-in:

  • Select Relying Party Trusts in the navigation tree, then Add Relying Party Trust...
  • In Select Data Source, use "Enter data about the relying party manually"
  • Enter a display name. I used my ShareFile domain: mydomain.sharefile.com
  • Select the AD FS 2.0 profile
  • Do not select an encryption certificate
  • Check "Enable support for the SAML 2.0 WebSSO protocol"
  • Enter the ShareFile.com SAML assertion consumer URL. In the example: https://mydomain.sharefile.com/saml/acs
  • In Configure Identifiers, enter the relying party trust identifier. Note the string you enter here: you must enter exactly the same string in Step 5. I used mydomain.sharefile.com
  • Select "Permit all users to access this relying party"
  • Leave "Open the Edit Claim Rules dialog..." checked (the default)

Claim rules define the content of the SAML token that AD FS generates and sends to ShareFile.com. ShareFile.com requires the user's e-mail address as the Name ID. We will use the Active Directory e-mail address attribute as the source and transform it into a Name ID claim in e-mail format. (You could use the UPN instead if it matches your users' business e-mail addresses; see the note below.)

In the Edit Claim Rules dialog:

  • Select Add Rule...
  • In the wizard, select "Send LDAP Attributes as Claims"
  • Enter a name for the claim rule. I used "AD SAML Email"
  • Select "Active Directory" in the Attribute store combo box
  • Select "E-Mail-Addresses" in the LDAP Attribute combo box
  • Select "E-Mail Address" in the Outgoing Claim Type combo box
  • Select Add Rule... again
  • Choose "Transform an Incoming Claim"
  • Enter a name for the claim rule. I used "Send to NameID"
  • Select "E-Mail Address" in the "Incoming claim type" combo box
  • Select "Name ID" in the "Outgoing claim type" combo box
  • Select "Email" in the "Outgoing name ID format" combo box
  • OK all the dialogs to close the wizard

Note: I have edited the steps above to use the e-mail address instead of the UPN. UPN only works if your AD UPN corresponds to your e-mail address. Many AD configurations use different values for e-mail and UPN, so UPN should not be relied on. The goal of the rules above is to take some AD attribute that matches the user's e-mail address and emit it as the Name ID claim to ShareFile.com. AD FS is very flexible, so you have many options if the above does not fit your directory. The only requirement on the ShareFile side is that it receives the employee's e-mail address as the Name ID in the assertion. Whatever attribute you pick becomes the account key on the ShareFile side, so make sure it is unique per user and can only be changed by people you trust: whoever can edit that attribute in AD can choose which ShareFile account a user lands in.

You should now see the new relying party trust under "Relying Party Trusts". The final step is to change the signature algorithm to SHA-1:

  • Right-click your relying party trust (for example, mydomain.sharefile.com) and select Properties
  • On the Advanced tab, select SHA-1 as the secure hash algorithm

SHA-1 is only here because that is what the service provider expected; SHA-1 signatures are deprecated, so check whether ShareFile accepts SHA-256 and leave the default in place if it does.
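Everything in Step 4 can also be done from the AD FS 2.0 PowerShell snap-in, which is handy for repeating the setup on a second farm member or keeping the configuration in source control. The script below is an added example written for this post; it is not code from the original walkthrough or from Citrix or Microsoft. It assumes the same names as the walkthrough (mydomain.sharefile.com as display name and identifier, https://mydomain.sharefile.com/saml/acs as the assertion consumer URL) and that it runs on the AD FS server as an AD FS administrator. The two claim rules are written in the AD FS claim rule language and are equivalent to what the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" wizards produce.

```powershell
# Added example (not from the original post): create the ShareFile relying party
# trust with the same settings as the Step 4 wizard walkthrough.
# Assumptions: AD FS 2.0 snap-in installed, names match the post.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "mydomain.sharefile.com"                     # display name AND identifier; must match ShareFile's "Issuer / Entity ID"
$acsUrl = "https://mydomain.sharefile.com/saml/acs"   # ShareFile assertion consumer service

# Issuance transform rules:
#  1. "AD SAML Email": look up the AD 'mail' attribute and issue it as an E-Mail Address claim
#  2. "Send to NameID": map that claim to Name ID with the SAML 1.1 emailAddress format
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD SAML Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Send to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO endpoint: HTTP-POST binding to the ShareFile ACS
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpName `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Equivalent of the "Advanced -> SHA-1" step. Leave this line out if ShareFile
# accepts SHA-256 (the AD FS 2.0 default, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256).
Set-ADFSRelyingPartyTrust -TargetName $rpName -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Read back what was configured so it can be compared against the ShareFile side
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ Name = "ACS"; Expression = { ($_.SamlEndpoints | ForEach-Object { $_.Location }) -join ", " } }
```

The identifier string is the one value that appears on both sides of the trust (here and in ShareFile's "Issuer / Entity ID" field in Step 5), so keep it in a variable rather than retyping it; a mismatch produces an assertion ShareFile silently refuses.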

Step 5: Set up the trust at ShareFile.com

The last configuration step is to tell ShareFile.com to accept SAML tokens generated by your new AD FS service. ShareFile verifies assertion signatures against the certificate you paste here, so this is also what breaks when the AD FS token-signing certificate changes (AD FS 2.0 rolls its self-signed token-signing certificate over automatically by default); plan to repeat the export and paste when that happens.

  • Go to the AD FS 2.0 Management console and, in the tree, select "Certificates"
  • Right-click the "Token-signing" certificate and click View Certificate
  • Select the "Details" tab, then Copy to File...
  • In the Certificate Export Wizard, select "Base-64 encoded X.509 (.CER)"
  • Choose a file name and complete the export
  • Open the generated file in Notepad, Select All and copy to the clipboard
  • Go to the ShareFile.com web application (https://mydomain.sharefile.com)
  • Select Admin
  • Select Configure Single Sign-on
  • Check Enable SAML
  • Use the relying party trust identifier for "ShareFile Issuer / Entity ID"; it must match the identifier you chose in Step 4. Example: mydomain.sharefile.com
  • Enter https://adfs.mydomain.com/adfs/ls/ as the Login URL. Users will be redirected to this address when they access the SAML login page
  • Select "Edit" next to the certificate
  • Paste the Base64 certificate into the field
  • If you want to enable Kerberos (Integrated Windows) authentication against your AD FS server, change the "SP-initiated Auth Context" selection to "minimum". It specifies which type of authentication ShareFile.com will accept
  • Select "Save" and "Save Settings"
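The certificate export at the top of Step 5 can be scripted, which matters once you have to repeat it after a certificate rollover. The script below is an added example written for this post, not code from the original walkthrough; it assumes the AD FS 2.0 snap-in is on the machine and uses an output path (C:\Temp\adfs-token-signing.cer) that is purely illustrative. It picks the primary token-signing certificate, writes it as Base-64 X.509 (the format the wizard produces), and prints the thumbprint and expiry so the paste in ShareFile can be checked against what AD FS actually signs with.

```powershell
# Added example (not from the original post): export the primary AD FS 2.0
# token-signing certificate as a Base-64 .cer for pasting into ShareFile.
# Assumptions: AD FS 2.0 snap-in installed; $outFile path is illustrative.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$outFile = "C:\Temp\adfs-token-signing.cer"

# AD FS can hold a primary and a secondary token-signing certificate during a
# rollover; assertions are signed with the primary, so that is the one ShareFile needs.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw "No primary token-signing certificate found" }

$cert = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Export the public certificate only (ContentType Cert never includes the private key)
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding ASCII

# What to compare against the ShareFile side after pasting
"Exported:   {0}`nSubject:    {1}`nThumbprint: {2}`nNotAfter:   {3}" -f $outFile, $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# If automatic rollover is on, AD FS will generate a new token-signing certificate
# before this one expires and the pasted certificate stops validating assertions.
"AutoCertificateRollover: {0}" -f (Get-ADFSProperties).AutoCertificateRollover
```

Keep the printed thumbprint with your change record: when users suddenly get signature errors on the ShareFile side, comparing the thumbprint in ShareFile with the current primary certificate is the first thing to check.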

Step 6: Test the single-server configuration

At this point you should be able to test the configuration. You must create a DNS entry for the Federation Service name, pointing to the AD FS server you just configured (or to the network load balancer, if you use one).

To test Identity Provider-initiated sign-on, point your browser to https://adfs.mydomain.com/adfs/ls/IdpInitiatedSignOn.aspx. You should see the relying party identifier in the combo box under "Sign in to one of the following sites:". To test relying party (SP)-initiated sign-on, point your browser to https://mydomain.sharefile.com/saml/login. You should be redirected to the AD FS server and land on a login page, or be signed in to ShareFile silently if Integrated Windows Authentication is used.
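Before handing the URLs above to users, it is worth checking the pieces Step 6 depends on from a script: the DNS name, the federation metadata AD FS publishes (its entityID and the signing certificates ShareFile must have), and the IdP-initiated sign-on page. The script below is an added example written for this post, not code from the original walkthrough; it assumes the Federation Service name adfs.mydomain.com and the relying party display name mydomain.sharefile.com from the walkthrough, and can run from any domain-joined Windows machine with PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): sanity-check the AD FS side of
# the trust before testing in a browser. Assumes the names used in the post.
$fs     = "adfs.mydomain.com"
$rpName = "mydomain.sharefile.com"

$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true   # lets Integrated Windows Auth answer, if it is enabled

# 1. DNS: the Federation Service name must resolve (to the server or its load balancer)
$addrs = [System.Net.Dns]::GetHostAddresses($fs) | ForEach-Object { $_.IPAddressToString }
"DNS: {0} -> {1}" -f $fs, ($addrs -join ", ")

# 2. Federation metadata: confirms TLS works and shows the Federation Service identifier
$meta = [xml]$wc.DownloadString("https://$fs/FederationMetadata/2007-06/FederationMetadata.xml")
$ns = New-Object System.Xml.XmlNamespaceManager($meta.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
"entityID: {0}" -f $meta.DocumentElement.GetAttribute("entityID")

# 3. Signing certificates published for the IdP role: the certificate pasted into
#    ShareFile in Step 5 must be one of these, or every assertion will be rejected
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
foreach ($node in $meta.SelectNodes($xpath, $ns)) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    "signing cert: {0}  expires {1}" -f $cert.Thumbprint, $cert.NotAfter
}

# 4. IdP-initiated sign-on page: must answer and list the ShareFile relying party
$page = $wc.DownloadString("https://$fs/adfs/ls/IdpInitiatedSignOn.aspx")
if ($page -match [regex]::Escape($rpName)) {
    "IdpInitiatedSignOn lists relying party '$rpName'"
} else {
    "IdpInitiatedSignOn answered, but relying party '$rpName' is not listed: check Step 4"
}
```

If step 2 fails with a certificate error, the Service Communications certificate from Step 1 is not trusted by the client or does not match the Federation Service name; fix that before testing from ShareFile, since the browser redirect in SP-initiated sign-on will hit the same problem.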

There you go! Many steps, but none of them difficult. The AD FS configuration guides have loads more information on production configurations: federation server proxies in the DMZ, additional AD FS servers for high availability, and so on. Those are not difficult either, but they depend on your network topology.
