Single Sign On – Foldr as a Service Provider (SP) with AD FS
As of v188.8.131.52, Foldr can operate as a SAML single sign-on Identity Provider (IdP) or Service Provider (SP).
When acting as the SP, Foldr provides the ability for users to log in automatically to the Foldr web app without being prompted for their network credentials. In this scenario, the user is signed into another compatible IdP service such as Active Directory Federation Services.
Security Considerations – Service Accounts and Users’ Passwords
Active Directory and traditional Windows file services have no concept of SAML or SSO access tokens. As such, when users sign into the Foldr appliance without providing their password directly to the system, Foldr cannot apply the usual granular ACL / security permissions on the shares for that user. The administrator has two options for addressing this:
1. Use pre-defined service accounts in the Foldr Settings backend and connect to each configured share with a master service account, ensuring ‘Use service account for all access’ is selected on the share configuration screen. With this approach Foldr cannot respect a user’s actual security permissions; the permissions that apply to the service account user are enforced instead. The administrator can still control read or write access to each share for the service account using the share permissions in Foldr Settings >> Shares.
2. (Recommended) – Prompt users for their password the first time they access the system by SSO. Once the Foldr appliance has the user’s password, it is encrypted and stored within the configuration database and can then be used for future sessions. A benefit of this approach is that service accounts are not required for access to SMB shares, and Foldr can operate in the normal manner of respecting all existing security ACLs on the file servers providing access to the shares / data. You can enable the prompt for network credentials feature when enabling the SSO service within Foldr Settings >> Single Sign-On >> Service Provider.
The Foldr appliance must have a signed SSL certificate installed before attempting to integrate Foldr as a service provider with AD FS. If the appliance is using the default self-signed certificate, the integration will fail. Should you need to obtain a signed SSL certificate for your Foldr appliance, consider using the free Let’s Encrypt SSL option available under Foldr Settings >> Certificates. More information is available here
1. Export the Token-Signing Certificate
The public certificate used for token-signing in AD FS needs to be installed on the Foldr appliance. To extract a copy of the certificate, open the AD FS management console and navigate to Service >> Certificates.
Right click on the Token-signing certificate >> View Certificate
Click Next >> Details tab >> Copy to File and proceed through the export wizard.
Select Base-64 encoded X.509 (.CER) and click Next
Select an export destination and file name >> click Save to save the certificate
2. Enable SSO on the Foldr appliance and import the token-signing certificate
Enable Foldr as a Service Provider within Foldr Settings >> SSO >> Service Provider (example settings for AD FS are shown below)
Issuer = http://your-adfs-server/adfs/services/trust
Sign-In URL = https://your-adfs-server/adfs/ls
The token-signing certificate used by AD FS that was extracted above must be opened in a text editor and its contents pasted into the certificate field here.
Foldr Settings SSO Service Provider Configuration Screen
3. Add the Relying Party Trust to AD FS
Within the AD FS management console, go to Trust Relationships >> Relying Party Trusts >> Right click >> Add Relying Party Trust
Select ‘Import data about the relying party published online or on a local network’ and enter the Federation metadata address as below and click Next – (replace address-of-foldr with the URL to your installation)
Note – A signed SSL certificate must be installed on the Foldr appliance otherwise this step will fail.
Enter a Display name and click Next
Configure Multi-Factor Authentication options if used, otherwise leave as ‘I do not want to configure..’ and click Next
Configure Issuance Authorization Rules as required. Generally, this would be left as ‘Permit all users to access this relying party’ >> Click Next
You can confirm the configuration that has been obtained from the metadata URL by using the tabs in the Ready to Add Trust dialog. When you are ready to proceed, click Next
Leave ‘Open the Edit Claim Rules..’ checkbox ticked and click Close.
4. Configure the Claim Rules for Foldr
Click ‘Add Rule’ on the Issuance Transform Rules tab
Select ‘Send LDAP Attributes as Claims’ from the template drop-down menu
Enter a suitable Claim rule name
Select ‘Active Directory’ from the Attribute store
Finally, map the LDAP Attribute ‘User-Principal-Name’ to the Outgoing Claim Type ‘Name ID’ >> Click Finish
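The AD FS side of steps 1, 3 and 4 can also be done from PowerShell on the AD FS server. The script below is an added example, not Foldr’s or Microsoft’s own code; the Foldr federation metadata URL is not quoted on this page, so it is a placeholder to be taken from the Foldr Settings >> Single Sign-On >> Service Provider screen, and the output path is an assumption.

```powershell
# Added example (not Foldr's or Microsoft's own script): AD FS steps 1, 3 and 4 from an
# elevated PowerShell session on the primary AD FS server. PLACEHOLDER values are
# assumptions; the Foldr metadata URL comes from the Foldr Service Provider screen.
Import-Module ADFS

$FoldrMetadataUrl = "https://address-of-foldr/PLACEHOLDER-federation-metadata-path"
$PemOutputPath    = "C:\temp\adfs-token-signing.cer"   # assumed output location

# Step 1: export the *primary* token-signing certificate as Base-64 X.509 (PEM), the
# same format the MMC export wizard produces and Foldr expects to have pasted in.
# Only the public certificate is exported; the private key never leaves AD FS.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
Set-Content -Path $PemOutputPath -Value $pem -Encoding Ascii
"Token-signing cert thumbprint {0}, expires {1}" -f $signing.Certificate.Thumbprint, $signing.Certificate.NotAfter

# Step 3 pre-check: AD FS must fetch Foldr's metadata over a trusted TLS connection.
# With Foldr's default self-signed certificate this request throws, which is the same
# failure the Add Relying Party Trust wizard reports.
Invoke-WebRequest -Uri $FoldrMetadataUrl -UseBasicParsing | Out-Null

# Step 4 in claim-rule language: what the 'Send LDAP Attributes as Claims' template
# generates when User-Principal-Name is mapped to Name ID, plus the 'Permit all users'
# issuance authorization rule from step 3.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Foldr: UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3: create the relying party trust from Foldr's published metadata.
Add-AdfsRelyingPartyTrust -Name "Foldr" -MetadataUrl $FoldrMetadataUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authRules
```

AD FS automatic certificate rollover (enabled by default) replaces the token-signing certificate periodically, after which signed assertions will no longer validate against the certificate pasted into Foldr; repeat step 1 and update the certificate in Foldr whenever the primary token-signing certificate changes.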
Single sign-on configuration should now be complete. If a user visits the Foldr appliance URL and they are not signed into AD FS they will be redirected to the AD FS sign in page. In the event that the user is already signed into AD FS, they should automatically log into Foldr and be presented with their shares.
If the administrator has enabled ‘Prompt users for network credentials’ in the Foldr Single Sign-On >> Service Provider configuration screen, the user will see the following prompt the first time that they sign in automatically by SSO.
Update Password dialog: pop-up allowing the user to provide Foldr with their AD password
Should the user cancel the dialog and not provide the password, they will be prompted to provide it the next time they sign in. The user is able to change or update their Active Directory password at any time using the Security Settings menu in the Foldr web app.