Single Sign On – Foldr as a Service Provider (SP) with Cloudwork IdP / Studentnet
Foldr can operate as a SAML single sign-on Identity Provider (IdP) or Service Provider (SP).
When acting as a Service Provider, Foldr allows users to log in automatically to the Foldr web app without being prompted for their network credentials. In this scenario, a user is redirected to another IdP such as Active Directory Federation Services, Microsoft Office 365/Azure, Google or Cloudwork to sign in before being directed back to the Foldr app ready to access their files.
Service Accounts and User Passwords
Active Directory and traditional Windows file services have no concept of SAML or SSO access tokens. As such, when users are signing into the Foldr appliance without directly providing their password to the system, it is not possible for Foldr to provide the usual granular ACL / security permission access to the shares for that user. The administrator has two different options to this problem:
1. Use pre-defined service accounts in the Foldr Settings back-end and connect to each configured share with a master service account, ensuring they select ‘Use service account for all access’ on the share configuration screen. This approach does not allow Foldr to respect a users’ actual security permissions and will respect the permissions that apply to the service account user. The administrator can still control read or write access to each share for the service account using the share permissions in Foldr Settings >> Shares.
2. (Recommended) Prompt users for their password the first time they access the system by SSO. Once the Foldr appliance has the users password, it is encrypted and stored within the configuration database and can then be used for future sessions. A benefit of this approach is that service accounts are not required for access to SMB shares and Foldr can operate in the normal manner of respecting all existing security ACLs on the file servers providing access to the shares / data. You can enable the prompt for network credentials feature when enabling the SSO service within Foldr Settings >> Single Sign-On >> Service Provider.
1. Ensure Foldr is publicly accessible and that a signed SSL certificate is installed on the appliance.
2. Sign into the Cloudwork Admin portal at https://<tenant>.cloudworkengine.net using your administrative credentials and click on Single Sign On
3. Click Add New Service
4. On the New Service Metadata screen, give the service a suitable name and populate the Entity ID and Assertion Consumer Service fields as follows:
Entity ID = https://<address-of-foldr>/sso/sp
Assertion Consumer Service = https://<address-of-foldr>/sso/sp/acs
5. Scroll down and configure the NameID as Email. The NameID format can be left as default
Note – This will assume that the users email address in Cloudwork matches the users UPN in ActiveDirectory
Click SUBMIT at the bottom of the screen.
6. The metadata summary screen will be shown. Make a note of the Entity ID and Sign on Endpoint URLs as these will be used later in the setup process.
7. Download the certificate from the metadata summary screen and save it to the local desktop
8. Log into Foldr Settings and browse to Single Sign-On >> Service Provider
Enable the switch labelled Enable SSO with external Identity Provider?
Decide on the following and enable the switches as appropriate:
– Whether new/unknown users to the Foldr appliance should be prompted (once) to provide their password to be stored in the appliance vault – or if service accounts are to be used to present SMB storage.
– Whether Foldr should automatically redirect users to Microsoft to authenticate. This is recommended unless local Foldr accounts are also being used without SSO.
In most scenarios both of these options are enabled.
9. Copy the Entity ID and Sign on Endpoint URLs given earlier and paste them into the corresponding fields in Foldr Settings >> Single Sign-On >> Service Provider
Entity ID >> Issuer
Sign on Endpoint >> Sign-In Url
10. Using a text editor, open the certificate that was downloaded at step 5 and paste into the ‘Validation certificate’ field in Foldr Settings >> Single Sign-On >> Service Provider
11. Scroll down the page and click Regenerate Certificates to populate the Foldr Signing Certificate (.crt) and Signing Key fields
Click SAVE at the top of the page.
12. From the Foldr Settings >> Single Sign-On >> Service Provider screen, highlight and copy the Signing Certificate (.crt) – Jump back to the Cloudwork Single Sign On portal, click the service that has been created for Foldr and EDIT the SAML Config using the button highlighted below:
13. Scroll down and enable the checkbox labelled ‘Validate Requests‘
14. Scroll down to the certificates section and paste the signing certificate into the box labelled ‘Content‘. Enable the checkbox labelled ‘Used for Signing’
15. Click Submit at the bottom of the screen to save changes to the SAML config.
The SSO integration is now complete. A user browsing to the Foldr URL should be automatically redirected to Cloudwork’s sign-in page. After signing into Cloudwork they should be automatically redirected to Foldr and presented with their storage locations in the interface. If the user is new / unknown to the Foldr server, they will be prompted to provide their Active Directory password – if that option has been enabled and SMB shares are being presented.
Note – Unlike AD FS based SSO, there is currently no support for SAML sign-out, so users will need to ensure they sign out from Cloudwork first and then Foldr, to be fully signed out of the Foldr app.
At the time of this article being published both the Foldr web and macOS drive mapping apps support web sign-in, and therefore support for Cloudwork SSO. The Foldr for Windows drive mapping app is scheduled to support this feature in April 2019 and the mobile apps will follow later in Q2/Q3 2019.