Foldr can operate as a SAML single sign-on Identity Provider (IdP) or Service Provider (SP).
When Foldr is configured as a Service Provider for SSO, a user is redirected to another service (IdP) such as Active Directory Federation Services, Microsoft Office 365/Azure or Google to sign in before being directed back to the Foldr app and signed in automatically.
Security Considerations
Service Accounts and User Passwords for SMB share access
Active Directory and traditional Windows file services have no concept of SAML or SSO access tokens. As such, when users are signing into the Foldr appliance without directly providing their domain password to the system, it is not possible for Foldr to provide SMB share access with the usual granular ACL / security permission that are applicable for that user. The administrator has two different solutions to this problem:
1. Use service accounts in the Foldr Settings > Files & Storage > Access tab back-end and connect to each configured share with a master service account, ensuring they select ‘Use service account for all access‘ on the share configuration screen. By default, this approach does not allow Foldr to respect a users ‘own’ security permissions and will instead obtain the permissions that apply to the service account user. There is an option to allow Foldr to parse and apply a user permissions / ACLs, by enabling the ‘Enable full ACL support‘ toggle in the Access tab.
The administrator can still control read or write access to each share for the service account using the share permissions in Foldr Settings >> Files & Storage.
2. (Recommended) Prompt users for their password the first time they access Foldr using SSO. Once the Foldr appliance has the users password, it is encrypted and stored within the configuration database and can then be used for future sessions. A benefit of this approach is that service accounts are not required for access to SMB shares and allow Foldr can operate in the normal manner of respecting all existing security ACLs on the file servers providing access to the shares / data.
To enable this option, the administrator must enable the Prompt LDAP users for network credentials toggle when enabling the SSO service within Foldr Settings > Single Sign-On > Service Provider and also ensure Cache encrypted passwords for LDAP users within Foldr Settings > Security > Passwords > LDAP is enabled.
Setup Process
1. Ensure Foldr is publicly accessible and that a signed SSL certificate is installed on the appliance.
2. Sign into the Google Workspace admin portal at https://admin.google.com using an administrative account and select Apps > Web and mobile apps
3. Click Add App > Add a custom SAML app
4. Give the app a suitable name and optionally a description and click Continue
5. Make a note of the SSO URL and Entity ID as these will be required later in the setup process.
6. Click the DOWNLOAD button to download the Google signing certificate. Save this to the local desktop, it will be required later in the setup process.
7. In the Service provider details screen, provide the ACS URL and Entity ID for your Foldr server.
ACS URL = https://address-of-foldr-fqdn appending /sso/sp/acs
Entity ID = https://address-of-foldr-fqdn appending /sso/sp
8. Click Continue
9. The attribute mapping screen can be left as default. Click Finish
Click SAVE
10. Now, browse to the Foldr Settings web admin UI and sign in with the fadmin account. Navigate to Single Sign-On >> Service Provider
11. Enable the SSO integration, by enabling the toggle ‘Use external Identity Provider’
Decide on the following for your environment:
– Whether new/unknown users to the Foldr appliance should be prompted (once) to provide their password to be stored in the appliance vault – or if service accounts are to be used to present SMB storage. It is recommended to prompt LDAP users for network credentials.
– The type of user redirection.
By default Foldr will redirect all LDAP (Active Directory) users to the IdP (Google in this case) after they’ve entered their username. The administrator can optionally select to only redirect specific users/groups to Google to sign in or Foldr can automatically redirect all users to the IdP (Google) and not show the Foldr web sign-in screen.
12. Copy the Google SSO URL and Entity ID given in the Google admin console earlier and paste them into the corresponding fields in Foldr Settings >> Single Sign-On >> Service Provider
Google SSO URL > Sign-In Url
Entity ID > Issuer
It is also recommended that the Via URL field is populated with:
https://accounts.google.com/AccountChooser?continue=
13. Using a text editor, open the Google signing certificate that was downloaded at step 6 and paste into the ‘Validation certificate’ field in Foldr Settings >> Single Sign-On >> Service Provider
14. Scroll down the page and click Regenerate Certificates to populate the Foldr Signing Certificate (.crt) and Signing Key fields
Click SAVE CHANGES at the top of the page.
15. The SAML app in Google is now configured but it needs to be enabled. Navigate back to the Google Admin panel (https://admin.google.com) > Apps > Web and mobile apps and select the app created earlier.
The app configuration screen will be displayed. Click User access
11. Enable the service, and select ON for everyone and click Save
The SSO integration is now complete. A user browsing to the Foldr URL will be redirected to Google’s sign-in page either automatically or after entering their username, depending on the user redirection level configured on the Foldr server. After signing into Google the user is redirected back to Foldr, signed and presented their configured storage locations in the web browser UI or app.
Note – Unlike AD FS based SSO, there is currently no support for SAML sign-out with Google SSO, so users will need to ensure they sign out from Google first and then Foldr, to be fully signed out of the Foldr app.
App Compatibility
Google SSO is supported in all Foldr apps – web, mobile and desktop providing the web sign-in feature is enabled on the server within Foldr Settings >> Devices & Clients for the respective app. Note that web sign-in is ON by default for all app types
Foldr Windows app showing Google SSO sign-in:
