Single Sign On – Foldr as a Service Provider (SP) with Azure SSO
Foldr can operate as a SAML single sign-on Identity Provider (IdP) or Service Provider (SP).
When acting as a Service Provider, Foldr allows users to log in automatically to the Foldr web app without being prompted for their network credentials. In this scenario, a user is redirected to another IdP such as Active Directory Federation Services or Microsoft Azure SSO to sign in before being directed back to the Foldr app to access their files.
Service Accounts and User Passwords
Active Directory and traditional Windows file services have no concept of SAML or SSO access tokens. As such, when users sign into the Foldr appliance without directly providing their password to the system, it is not possible for Foldr to provide the usual granular ACL / security permission access to the shares for that user. The administrator has two different options for this problem:
1. Use pre-defined service accounts in the Foldr Settings back-end and connect to each configured share with a master service account, ensuring ‘Use service account for all access’ is selected on the share configuration screen. This approach does not allow Foldr to respect a user’s actual security permissions; instead, the permissions that apply to the service account user are used. The administrator can still control read or write access to each share for the service account using the share permissions in Foldr Settings >> Shares.
2. (Recommended) Prompt users for their password the first time they access the system by SSO. Once the Foldr appliance has the user’s password, it is encrypted and stored within the configuration database and can then be used for future sessions. A benefit of this approach is that service accounts are not required for access to SMB shares and Foldr can operate in the normal manner of respecting all existing security ACLs on the file servers providing access to the shares / data. You can enable the prompt for network credentials feature when enabling the SSO service within Foldr Settings >> Single Sign-On >> Service Provider.
1. Ensure Foldr is publicly accessible and that a signed SSL certificate is installed on the appliance.
2. Sign into the Azure portal using your administrative credentials and browse to Azure Active Directory >> Enterprise Applications >> + ADD
3. Click Non-gallery Application
4. Give the application a suitable name and click ADD. It will take a few moments to process and add the application.
5. The view will update with the app summary page. Click Single sign-on
6. Select SAML from the options available
7. Click the Edit button in section 1 labelled ‘Basic SAML Configuration’
8. Configure the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields as follows:
Identifier (Entity ID) = https://address-of-foldr/sso/sp
Reply URL (Assertion Consumer Service URL) = https://address-of-foldr/sso/sp/acs
Click Save and then click the X (top right) to close the dialog
9. Scroll down to section 3 labelled ‘SAML Signing Certificate’ and click the download link to download the Azure SAML signing certificate in Base64 format. Save the certificate to your desktop as it will be used later in the setup process.
10. Log into Foldr Settings and browse to Single Sign-On >> Service Provider
Enable the switch labelled Enable SSO with external Identity Provider?
11. Decide on the following and enable the switches as appropriate:
– Whether new/unknown users to the Foldr appliance should be prompted (once) to provide their password to be stored in the appliance vault – or if service accounts are to be used to present SMB storage.
– Whether Foldr should automatically redirect users to Cloudwork to authenticate. This is recommended unless local Foldr accounts are also being used without SSO.
In most scenarios both of these options are enabled.
12. Go back to Azure and scroll down to section 4 labelled ‘Set up <app-name>’
Copy the following three fields and place them into the corresponding fields in Foldr Settings >> Single Sign-On >> Service Provider
Login URL >> Sign-In Url
Azure AD Identifier >> Issuer
Logout URL >> Sign-Out Url
13. Using a text editor, open the Azure SAML signing certificate that was downloaded at step 9 and paste into the ‘Validation certificate’ field in Foldr Settings >> Single Sign-On >> Service Provider
14. Scroll down the page and click Regenerate Certificates to populate the Foldr Signing Certificate (.crt) and Signing Key fields
Click SAVE at the top of the page.
15. Go back to the Azure administration portal and select Users & Groups inside the Enterprise app
16. Browse and select the users that you wish to use the SSO integration. Finally click SELECT to confirm.
The SSO integration is now complete. A user browsing to the Foldr URL should be automatically redirected to Microsoft’s sign-in page. After signing into Microsoft / Office 365 they should be automatically redirected to Foldr and presented with their storage locations in the interface. If the user is new / unknown to the Foldr server, they will be prompted to provide their Active Directory password – if that option has been enabled and SMB shares are being presented.
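The following is an added example, not Foldr’s own code, showing what the values entered in steps 8 and 12 are actually used for on the Service Provider side: the Entity ID becomes the Issuer of the AuthnRequest and the expected Audience of the assertion, the Reply URL (ACS URL) is the expected Destination, the Login URL is where the browser is redirected, and the Azure AD Identifier is the expected assertion Issuer. The Entity ID and ACS URL are the article’s placeholders; the Login URL and Azure AD Identifier shapes, the tenant ID placeholder, the NameID and the sample Response are all constructed for this example. XML-signature verification with the Validation certificate (step 13) is the first check a real SP performs and is not reproduced here.

```python
# Added example (not Foldr's code): the SP side of the SAML exchange described
# above, using the values entered in Foldr Settings.  Login URL and Azure AD
# Identifier below are assumed placeholder shapes; Entity ID and ACS URL are the
# article's own placeholders.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_CONFIG = {
    "entity_id": "https://address-of-foldr/sso/sp",      # Identifier (Entity ID)
    "acs_url": "https://address-of-foldr/sso/sp/acs",    # Reply URL (ACS URL)
    "sign_in_url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",  # Login URL (assumed shape)
    "issuer": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",  # Azure AD Identifier (assumed shape)
}


def build_redirect_url(cfg, relay_state="/"):
    """SP-initiated sign-in: build an AuthnRequest and the HTTP-Redirect URL that
    sends the browser to the IdP.  Returns (request_id, url); keep request_id in
    the session so the Response's InResponseTo can be checked later."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{cfg["sign_in_url"]}" AssertionConsumerServiceURL="{cfg["acs_url"]}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{cfg["entity_id"]}</saml:Issuer></samlp:AuthnRequest>'
    )
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return request_id, f'{cfg["sign_in_url"]}?{query}'


def decode_saml_request(url):
    """Inverse of the redirect binding, for inspecting what was sent."""
    q = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode()


def parse_saml_time(value):
    """SAML timestamps are UTC; optional fractional seconds are dropped."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(response_xml, cfg, expected_request_id=None, now=None):
    """Check a (signature-verified) SAML Response against the SP configuration.
    Returns (problems, name_id); an empty problems list means the user can be mapped."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    problems = []
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"], None
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination does not match the Reply URL (ACS URL)")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return problems + ["no Assertion in Response"], None
    if assertion.findtext(f"{{{SAML}}}Issuer") != cfg["issuer"]:
        problems.append("Assertion Issuer is not the configured Azure AD Identifier")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != cfg["entity_id"]:
            problems.append("Audience does not match the Identifier (Entity ID)")
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        problems.append("no NameID to map to a Foldr user")
    return problems, name_id


# Constructed sample Response (unsigned) for exercising the checks above.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0"
  IssueInstant="2019-04-01T10:00:00Z" Destination="{SP_CONFIG['acs_url']}" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-01T10:00:00Z">
    <saml:Issuer>{SP_CONFIG['issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-04-01T09:55:00Z" NotOnOrAfter="2019-04-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_CONFIG['entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    rid, url = build_redirect_url(SP_CONFIG)
    print(decode_saml_request(url))
    print(check_response(SAMPLE_RESPONSE, SP_CONFIG, "_req1", parse_saml_time("2019-04-01T10:05:00Z")))
```

Each mismatch reported by `check_response` corresponds to one of the fields in the steps above being wrong on either side: a Destination mismatch usually means the Reply URL in Azure differs from the appliance’s public address (step 1 and step 8), an Issuer mismatch means the Azure AD Identifier was pasted into the wrong field (step 12), and an expired assertion usually points at clock skew between the appliance and the IdP.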
Note – Unlike AD FS based SSO, there is currently no support for SAML sign-out, so users will need to ensure they sign out from Microsoft Office 365 first and then Foldr, to be fully signed out of the Foldr app.
At the time of this article being published both the Foldr web, Windows and macOS drive mapping apps support web sign-in, and therefore support for Azure SSO. The mobile apps will follow later in Q2/Q3 2019.
Web sign-in can be enabled and disabled as required on a per-app basis (once the clients receive support for it) on the Foldr server at Foldr Settings >> Device & Clients.