Single Sign On – Foldr as a Service Provider (SP) with AD FS

Posted on 4th January 2017

Foldr can operate as a SAML single sign-on Identity Provider (IdP) or Service Provider (SP).

When acting as the SP, Foldr provides the ability for users to log in automatically to the Foldr web app without being prompted for their network credentials.  In this scenario, the user is signed into another compatible IdP service such as Active Directory Federation Services.

Security Considerations – Service Accounts and Users’ Passwords

Active Directory and traditional Windows file services have no concept of SAML or SSO access tokens.  As such, when users are signing into the Foldr appliance without directly providing their password to the system, it is not possible for Foldr to provide the usual granular ACL / security permission access to the shares for that user.  The administrator has two different options to this problem:

1. Use pre-defined service accounts in the Foldr Settings backend and connect to each configured share with a master service account, ensuring they select ‘Use service account for all access’ on the share configuration screen.  This approach does not allow Foldr to respect a users’ actual security permissions and will respect the permissions that apply to the service account user.  The administrator can still control read or write access to each share for the service account using the share permissions in Foldr Settings >> Shares.

2. (Recommended) – Prompt users for their password the first time they access the system by SSO.  Once the Foldr appliance has the users password, it is encrypted and stored within the configuration database and can then be used for future sessions.  A benefit of this approach is that service accounts are not required for access to SMB shares and Foldr can operate in the normal manner of respecting all existing security ACLs on the file servers providing access to the shares / data.  You can enable the prompt for network credentials feature when enabling the SSO service within Foldr Settings >> Single Sign-On >> Service Provider.

prompt

Configuration

The Foldr appliance must have a signed SSL certificate installed before attempting to integrate Foldr as a service provider with AD FS.  If the appliance is using the default self-signed certificate, the integration will fail.  Should you need to obtain a signed SSL certificate for your Foldr appliance, consider using the free Let’s Encrypt SSL option available under Foldr Settings >> Certificates.  More information is available here

1.  Export the Token-Signing Certificate

The public certificate used for token-signing in AD FS needs to be installed on the Foldr appliance.  To extract a copy of the certificate, open the AD FS management console and navigate to Service >> Certificates.

Right click on the Token-signing certificate >> View Certificate


adfs-token-signing

Click Next >> Details tab >> Copy to File and proceed through the export wizard.

adfs-cert-export

Select Base-64 encoded X.509 (.CER) and click Next

adfs-cert-export3

Select an export destination and file name >> click Save to save the certificate

2.  Enable SSO on the Foldr appliance and import the token-signing certificate

Enable Foldr as a Service Provider within Foldr Settings >> SSO > Service Provider (Example settings for AD FS are shown below)

Issuer = http://your-adfs-server/adfs/services/trust

Sign-In URL = https://your-adfs-server/adfs/ls

Validation Certificate

The token-signing certificate used by AD FS that was extracted above must be opened in a text editor and entered within the Basic section here.

Foldr Settings SSO Service Provider Configuration Screen

sso-sp-general

3. Add the Relying Party Trust to AD FS

Within the AD FS management console, go to Trust Relationships >> Relying Party Trusts >> Right click >> Add Relying Party Trust

adfs-relying-party-trust1

Select ‘Import data about the relying party published online or on a local network’ and enter the Federation metadata address as below and click Next – (replace address-of-foldr with the URL to your installation)

https://address-of-foldr/sso/sp/metadata

Note – A signed SSL certificate must be installed on the Foldr appliance otherwise this step will fail.

adfs-relying-party-trust2

Enter a Display name and click Next

adfs-relying-party-trust11

Configure Multi-Factor Authentication options if used, otherwise leave as ‘I do not want to configure..’ and click Next

adfs-relying-party-trust4

Configure Issuance Authorization Rules as required.  Generally, this would be left as ‘Permit all users to access this relying party’ >> Click Next

adfs-relying-party-trust5

You can confirm the configuration that has been obtained from the metadata URL by using the tabs in the Ready to Add Trust dialog.  When you are ready to proceed, click Next

adfs-relying-party-trust6

Leave ‘Open the Edit Claim Rules..’ checkbox ticked and click Close.

adfs-relying-party-trust7

4.  Configure the Claim Rules for Foldr

Click ‘Add Rule‘ on the Issuance Transform Rules tab

adfs-relying-party-trust8

Select ‘Send LDAP Attributes as Claims‘ from the template drop-down menu

adfs-relying-party-trust9

  • Enter a suitable Claim rule name
  • Select ‘Active Directory‘ from the Attribute store

Finally, map the LDAP Attribute ‘User-Principle-Name‘  to Outgoing Claim Type of ‘Name ID‘ >> Click Finish

adfs-relying-party-trust10

Single sign-on configuration should now be complete.  If a user visits the Foldr appliance URL and they are not signed into AD FS they will be redirected to the AD FS sign in page.  In the event that the user is already signed into AD FS, they should automatically log into Foldr and be presented with their shares.

If the administrator has enabled ‘Prompt users for network credentials‘ in the Foldr Single Sign-On >> Service Provider configuration screen, the user will see the following prompt the first time that they sign in automatically by SSO.

Update Password dialog

sso-update-password

Pop-up dialog to allow user to provide Foldr with their AD password

sso-update-password2

Should the user cancel the dialog and not provide the password, they will be prompted to provide it the next time they sign in.  The user is able to change or update their Active Directory password at any time using the Security Settings menu in the Foldr web app.

Single Sign-Out

It is possible to configure AD FS and Foldr so that if a user signs out of Foldr web app, they can also be signed out of AD FS.  Without taking these additional steps, if a user signs out of Foldr, they will automatically sign back into the web app as they are still signed into the IdP (AD FS).

AD FS requires a SAML sign out request to be signed, so the first step involves generating a signing certificate in Foldr Settings >> Single Sign On >> Service Provider.  Navigate to the ‘Signing‘ section and click Re-Generate Certificates.

Click Yes, Regenerate

The signing certificate is generated and the certificate fields will be populated

Click Save Changes at this point.

You are now required to install your newly generated signing certificate into AD FS.

Highlight the certificate string within the ‘Signing Certificate (.crt)’ box and copy this into a text editor such as Notepad.

Save the file in .cer format, and save it somewhere accessible to the AD FS server.

Back on the Windows Server, inside AD FS Management, navigate to the Relaying Party Trust for Foldr and into the Signature tab.  Click Add  (note the default AD FS signing certificate will already be shown here)

Browse to the .cer file saved above and click Open

The Signature tab will show the newly installed signing certificate that will be used to verify the sign out request.  Click Apply or OK

You should verify within the Advanced tab that the hashing algorithm being used matches what is being shown in Foldr Settings when we clicked regenerate certificate.  In this case we are using SHA-256 rather  than SHA-1.

You are now required to configure the SAML logout endpoint in AD FS.  Navigate to the ‘Endpoints‘ tab and click ‘Add SAML

Select SAML Logout as the Endpoint type

Select POST as the Binding

Enter the URL of the AD FS server appending /adfs/ls/?wa=wsignout1.0

Click OK

The SSO sign out configuration is now complete.  Users should be able to sign out of the web app, where they will be redirected back to AD FS and are shown that they are completely signed out of the IdP.

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, support@foldr.io