Single Sign On – Foldr as a Service Provider (SP) with Google IdP
Foldr can operate as a SAML single sign-on Identity Provider (IdP) or Service Provider (SP).
When acting as a Service Provider, Foldr allows users to log in automatically to the Foldr web app without being prompted for their network credentials. In this scenario, a user is redirected to another IdP such as Active Directory Federation Services, Microsoft Office 365/Azure or Google to sign in before being directed back to the Foldr app ready to access their files.
Service Accounts and User Passwords
Active Directory and traditional Windows file services have no concept of SAML or SSO access tokens. As such, when users sign into the Foldr appliance without directly providing their password to the system, it is not possible for Foldr to apply the usual granular ACL / security permissions on the shares for that user. The administrator has two options for addressing this:
1. Use pre-defined service accounts in the Foldr Settings back-end and connect to each configured share with a master service account, ensuring ‘Use service account for all access’ is selected on the share configuration screen. With this approach Foldr does not respect a user’s actual security permissions; the permissions that apply to the service account user are used instead. The administrator can still control read or write access to each share for the service account using the share permissions in Foldr Settings >> Shares.
2. (Recommended) Prompt users for their password the first time they access the system by SSO. Once the Foldr appliance has the user’s password, it is encrypted and stored within the configuration database and used for future sessions. A benefit of this approach is that service accounts are not required for access to SMB shares, and Foldr operates in the normal manner, respecting all existing security ACLs on the file servers that provide access to the shares / data. You can enable the prompt for network credentials feature when enabling the SSO service within Foldr Settings >> Single Sign-On >> Service Provider.
1. Ensure Foldr is publicly accessible and that a signed SSL certificate is installed on the appliance.
2. Sign into the Google Admin portal at https://admin.google.com using your administrative credentials and click on Apps.
3. Click SAML
4. Click the yellow + button
5. Click ‘SETUP MY OWN CUSTOM APP‘ at the bottom of the dialog
6. Make a note of the SSO URL and Entity ID as these will be required later in the setup process.
7. Click the DOWNLOAD button to download the Google signing certificate. Save this to the local desktop, it will be required later in the setup process.
8. Give the application a suitable name. Optionally provide a description and upload a logo. Click NEXT.
9. On the service provider details screen, configure the ACS URL and Entity ID as follows:
ACS URL = https://address-of-foldr/sso/sp/acs
Entity ID = https://address-of-foldr/sso/sp
Check the ‘Signed Response’ box and leave all other settings as default.
10. Log into Foldr Settings and browse to Single Sign-On >> Service Provider
Enable the switch labelled ‘Enable SSO with external Identity Provider?’
11. Decide on the following and enable the switches as appropriate:
– Whether users who are new/unknown to the Foldr appliance should be prompted (once) to provide their password, to be stored in the appliance vault, or whether service accounts are to be used to present SMB storage.
– Whether Foldr should automatically redirect users to the Identity Provider (Google) to authenticate. This is recommended unless local Foldr accounts are also being used without SSO.
In most scenarios both of these options are enabled.
12. Copy the Google SSO URL and Entity ID given earlier and paste them into the corresponding fields in Foldr Settings >> Single Sign-On >> Service Provider
Google SSO URL >> Sign-In Url
Entity ID >> Issuer
13. Using a text editor, open the Google signing certificate downloaded at step 7 and paste its contents into the ‘Validation certificate’ field in Foldr Settings >> Single Sign-On >> Service Provider.
14. Scroll down the page and click Regenerate Certificates to populate the Foldr Signing Certificate (.crt) and Signing Key fields
Click SAVE at the top of the page.
15. The SAML app in Google is now configured but still needs to be enabled. Go back to the Google Admin control panel >> Apps >> SAML and click the in-line button on the Foldr SSO app.
16. Click ON for everyone
17. Click TURN ON FOR EVERYONE
The SSO integration is now complete. A user browsing to the Foldr URL should be automatically redirected to Google’s sign-in page. After signing into Google they should be automatically redirected to Foldr and presented with their storage locations in the interface. If the user is new / unknown to the Foldr server, they will be prompted to provide their Active Directory password, provided that option has been enabled and SMB shares are being presented.
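The values entered in steps 9, 12 and 13 (ACS URL, Foldr Entity ID, Google SSO URL / Entity ID and the signing certificate) only work together if the SAML Response Google sends back to the ACS URL carries matching values. The script below is an added illustration, not Foldr’s own code, of the consistency checks an SP performs on such a response: Destination and Recipient must be the ACS URL, the Issuer must be the Google Entity ID pasted into the ‘Issuer’ field, the Audience must be the Foldr Entity ID, the response must be signed (the ‘Signed Response’ box), and the validity window must cover the current time. The appliance address, the Google Entity ID and the sample response are constructed placeholders; the script only checks that a signature element is present, since verifying it against the validation certificate needs an XML-DSig library and is outside this example.

```python
"""Consistency checks for a SAML Response against the SP/IdP values configured in Foldr."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: substitute the real appliance address and the Entity ID
# noted in step 6 of the Google setup.
FOLDR_BASE = "https://foldr.example.com"
ACS_URL = f"{FOLDR_BASE}/sso/sp/acs"         # step 9, ACS URL
SP_ENTITY_ID = f"{FOLDR_BASE}/sso/sp"        # step 9, Entity ID
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=EXAMPLEID"  # step 12, Issuer

# Constructed sample response; a real one is base64-encoded in the SAMLResponse form field.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2019-03-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbg==</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-03-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-03-01T10:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-03-01T09:59:00Z" NotOnOrAfter="2019-03-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value: str) -> datetime:
    """Parse the UTC timestamp format used in SAML messages (e.g. 2019-03-01T10:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID,
                   idp_entity_id=IDP_ENTITY_ID):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)

    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL {acs_url!r}")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Response Issuer does not match the Google Entity ID (Issuer field)")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response carries no signature ('Signed Response' not ticked?)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("Status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("No Assertion in Response")
        return problems
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Assertion Issuer does not match the Google Entity ID")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  namespaces=NS)
    if audience != sp_entity_id:
        problems.append(f"Audience {audience!r} is not the Foldr Entity ID {sp_entity_id!r}")

    # The validity window on the assertion and on the bearer confirmation must cover 'now'.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        if conditions.get("NotBefore") and now < parse_time(conditions.get("NotBefore")):
            problems.append("Assertion is not yet valid (NotBefore)")
        if conditions.get("NotOnOrAfter") and now >= parse_time(conditions.get("NotOnOrAfter")):
            problems.append("Assertion has expired (NotOnOrAfter)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("No SubjectConfirmationData in Assertion")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not the ACS URL")
        if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData has expired")
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE_RESPONSE, parse_time("2019-03-01T10:01:00Z")) or ["OK"]:
        print(problem)
```

Running the script against the constructed sample prints OK; pointing `acs_url` at a different host, or moving `now` past the NotOnOrAfter timestamps, reports the mismatches, which is the kind of error that surfaces when the ACS URL or Entity ID typed into the Google app differs from the appliance address.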
Note – Unlike AD FS based SSO, there is currently no support for SAML sign-out, so users will need to ensure they sign out from Google first and then Foldr, to be fully signed out of the Foldr app.
At the time of this article being published both the Foldr web and macOS drive mapping apps support web sign-in, and therefore support for Google SSO. The Foldr for Windows drive mapping app is scheduled to support this feature in April 2019 and the mobile apps will follow later in Q2/Q3 2019.
Web sign-in can be enabled and disabled as required on a per-app basis (once the clients receive support for it) on the Foldr server at Foldr Settings >> Device & Clients.