Foldr as a Service Provider (SP) with Azure SSO

Introduction

Foldr can operate as a SAML single sign-on Identity Provider (IdP) or Service Provider (SP).

When Foldr is configured as a Service Provider, it allows users to sign into Foldr using a third-party authentication service.  In this scenario, a user is redirected to another IdP such as Active Directory Federation Services or Microsoft Azure SSO to sign in before being directed back to the Foldr app to access their files.

Security Considerations – Prompting for LDAP Passwords vs Using Service Accounts (SMB Share Access)

Active Directory and traditional on-premise Windows SMB file servers have no concept of SAML or SSO access tokens.  As such, when users are signing into the Foldr appliance without directly providing their password to the system, it is not possible for Foldr to provide the usual granular ACL / security permission access to the shares for that user.

The administrator has two options to address this issue:

1. Prompt users for their LDAP password (Recommended)

The first time a new user signs into Foldr using SSO, they will receive a prompt to provide their LDAP / Active Directory password.

The password is required to access SMB shares as the signed-in user, and the Confirm Password prompt is a one-time operation provided the user supplies the password.  If the user clicks ‘Not now’ or fails to provide the correct password, they will be prompted again the next time they sign in.  Until the correct password is provided, SMB shares will be missing from the My Files interface.

Once the user has provided the correct on-premise AD password for SMB access, they will not be prompted again in future login sessions, until their domain password is changed outside of Foldr.  It is optional, but recommended to allow users to change their Active Directory passwords inside Foldr by enabling LDAPS and password change on the Foldr server.

Once the Foldr appliance has the user's password, it is encrypted and stored within the configuration database and can then be used for future sessions.  A benefit of this approach is that service accounts are not required for access to SMB shares, and Foldr can operate in the normal manner of respecting all existing security ACLs on the file servers providing access to the shares / data.  You can enable the prompt for network credentials feature when enabling the SSO service within Foldr Settings > Single Sign-On > Service Provider.

2.  Use fixed service accounts on each SMB share to present shares to users

Instead of prompting users for their LDAP / on-premise Active Directory password, the Foldr admin can use a suitable service account to present SMB shares to users.  Service Accounts are configured within Foldr Settings > Integrations > Service Accounts and should be configured using the domain UPN ([email protected]) as the username.  The service account must have appropriate permissions to access the file server shares being presented.  These accounts are then applied to each SMB share in turn within Foldr Settings > Shares & Storage > Edit Share > Access tab, also ensuring that the ‘Use service account for all access’ toggle is enabled.

Permissions and Service Accounts

This approach, by default (using service accounts and the ‘Use service account for all access’ switch), will not allow Foldr to respect the users’ own security permissions / ACLs on the backend storage; instead, users will receive the permissions that apply to the service account user.  The administrator can still control read or write access to each share for the service account using the share permissions in Foldr Settings > Shares & Storage.

Granular user permissions/ACL support when using Service Accounts

The Foldr server is able to parse the backend file server permissions (Windows SMB file server shares only) with the optional toggle ‘Enable full ACL support (when using a service account for access)’ within the Shares & Storage > Access tab.

Setup Process

1.  Ensure Foldr is publicly accessible and that a signed SSL certificate is installed on the appliance.

2.  Sign into the Azure portal using your administrative credentials and browse to Azure Active Directory >> Enterprise Applications >> + ADD

3.  Click Non-gallery Application

4.  Give the application a suitable name and click ADD.  It will take a few moments to process and add the application.

5.  The view will update with the app summary page.  Click Single sign-on

6.  Select SAML from the options available

7.  Click the Edit button in section 1 labelled ‘Basic SAML Configuration’

8.  Configure the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields as follows:

Identifier (Entity ID) = https://address-of-foldr/sso/sp

Reply URL (Assertion Consumer Service URL) = https://address-of-foldr/sso/sp/acs

Click Save and then click the X (top right) to close the dialog

9.  Scroll down to section 3 labelled ‘SAML Signing Certificate’ and click the download link to download the Azure SAML signing certificate in Base64 format.  Save the certificate to your desktop as it will be used later in the setup process.

10.  Log into Foldr Settings and browse to Single Sign-On > Service Provider

Enable the switch labelled ‘Enable SSO with external Identity Provider?’

11.  Decide on the following and enable the switches as appropriate:

– Whether users new / unknown to the Foldr appliance should be prompted (once) to provide their password to be stored in the appliance vault, or whether service accounts are to be used to present SMB storage.

– Whether Foldr should automatically redirect LDAP users to Azure to authenticate. This is recommended unless local Foldr accounts are also being used without SSO.  There is also a granular option under the User Redirection drop-down menu if only specific users or groups should redirect to Azure to sign in.

In most scenarios (prompting users for their password instead of using service accounts) both of the options above are enabled.

12.  Go back to the Azure portal and scroll down to section 4 labelled ‘Set up <app-name>’

Copy the following three fields and place them into the corresponding fields in Foldr Settings >> Single Sign-On >> Service Provider

Login URL >> Sign-In Url

Azure AD Identifier >> Issuer

Logout URL >> Sign-Out Url

13.  Using a text editor, open the Azure SAML signing certificate that was downloaded at step 9 and paste into the ‘Validation certificate’ field in Foldr Settings >> Single Sign-On >> Service Provider

14.  Scroll down the page and click Regenerate

Click Yes, Proceed on the prompt to populate the Certificate and Key fields

Click SAVE at the top of the page.

15.  Go back to the Azure administration portal and select Users & Groups inside the Enterprise app

16.  Browse and select the users that you wish to use the SSO integration.  Finally click SELECT to confirm.
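As an added helper (not part of Foldr or Azure), the following Python derives the Entity ID and ACS URL used in step 8 from the public Foldr address, and sanity-checks the certificate pasted in step 13: it accepts either the Azure ‘Certificate (Base64)’ download or bare Base64, rejects chains and non-HTTPS addresses, and returns a clean PEM plus the SHA-1 thumbprint (the value shown in the Azure portal) so the administrator can confirm the right certificate was pasted. The hostname and the tiny DER blob are constructed sample values.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import urlsplit

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for a certificate body (DER SEQUENCE { INTEGER 1 }), used only to
# exercise the checks below; a real Azure signing certificate is several KB of Base64.
SAMPLE_BASE64 = "MAMCAQE="


def sp_identifiers(foldr_address: str) -> dict:
    """Return the Entity ID and ACS URL that must be entered in Azure for this Foldr address."""
    url = urlsplit(foldr_address if "://" in foldr_address else "https://" + foldr_address)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("Foldr must be published over HTTPS at a public hostname")
    base = f"https://{url.netloc}"
    return {"entity_id": f"{base}/sso/sp", "acs_url": f"{base}/sso/sp/acs"}


def normalise_certificate(cert_text: str) -> dict:
    """Normalise the Azure signing certificate and compute thumbprints for comparison."""
    if cert_text.count(PEM_HEADER) > 1:
        raise ValueError("paste the single Azure signing certificate, not a chain")
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    body = re.sub(r"\s+", "", body)  # strip line wrapping and stray whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("validation certificate is not valid Base64") from exc
    # Every DER-encoded X.509 certificate begins with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER-encoded certificate")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return {
        "pem": "\n".join([PEM_HEADER, *lines, PEM_FOOTER]),
        "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),   # matches Azure's Thumbprint
        "sha256_fingerprint": hashlib.sha256(der).hexdigest().upper(),
    }


if __name__ == "__main__":
    print(sp_identifiers("foldr.example.com"))            # constructed hostname
    print(normalise_certificate(SAMPLE_BASE64)["sha1_thumbprint"])
```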

The SSO integration is now complete.  A user browsing to the Foldr URL should be automatically redirected to Microsoft’s sign-in page after providing their username. After signing into Microsoft Online / Office 365 the user should be automatically redirected to Foldr and presented with their storage locations in the interface.  If the user is new / unknown to the Foldr server, they will be prompted to provide their Active Directory password – if that option has been enabled and SMB shares are being presented.

Note – Unlike AD FS based SSO, there is currently no support for SAML sign-out, so users will need to ensure they sign out from Microsoft Office 365 first and then Foldr, to be fully signed out of the Foldr app.

App Compatibility

Signing into Microsoft Online / Azure using SSO is supported in all Foldr apps (web, mobile and desktop), provided the ‘Use web sign-in’ feature is enabled for each app type on the server within Foldr Settings >> Devices & Clients.  Note that web sign-in is ON by default for all app types.
