https://man.liquidfiles.com
LiquidFiles Documentation

LiquidFiles SSO can be configured to work with Active Directory and an AD FS server. LiquidFiles acts as the Service Provider (SP) and the AD FS server as the Identity Provider (IdP). In this how-to AD FS is served by a Windows Server 2012 R2 (W2012 R2) Standard edition server.

Prerequisites:

  • W2012 R2 Standard
  • Active Directory Domain Services
  • DNS
  • Certificate (or a self-signed certificate, which is used in this demo)
  • AD FS - Active Directory Federation Services installed on the W2012 server
  • Optionally IIS* (I used IIS Manager > your server > Server Certificates to generate the self-signed certificate for this how-to. When you have a certificate signed by a CA you don't need IIS and its tools)
  • Check the time and time servers on your LF appliance and on the Windows server

NOTE on AD FS versions

Windows Server 2008 supports AD FS 2.0, W2012 supports AD FS 2.1 and W2012 R2 supports AD FS 3.0. The implemented SAML version stays at 2.0 for all of these Windows Server releases.

From the LiquidFiles perspective the SSO configuration works the same for all AD FS versions >= 2.0, and the principles of the SAML 2.0/SSO configuration are quite similar across these Windows Server releases.

*) On W2012 R2 with AD FS 3.0 you no longer need IIS; everything is now handled by http.sys, which is based on the configuration/technology from TMG.

1 W2012 R2 server preparation for SSO

At this point I expect you have set up an Active Directory domain and DNS, and optionally IIS* is running. A certificate (or self-signed certificate) should be installed as well.

1.1 Installation of AD FS instance

First install the AD FS role on your server. Click Server Manager > Dashboard > Add roles and features and follow the pictures from Pic. 1 to Pic. 9.

images/security/sso_saml20_w2012/w2012-adfs1.png
Pic. 1 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs2.png
Pic. 2 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs3.png
Pic. 3 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs4.png
Pic. 4 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs4b.png
Pic. 5 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs4c.png
Pic. 6 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs4d.png
Pic. 7 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs4e.png
Pic. 8 - AD FS role configuration wizard

images/security/sso_saml20_w2012/w2012-adfs4f.png
Pic. 9 - AD FS role configuration wizard, installation done

1.2 Configuration of AD FS

In this part we configure the AD FS/SSO service as the IdP for the SP, which is the LiquidFiles appliance. Open Server Manager and click AD FS > More > Configure the federation service, as shown in Pic. 10.

images/security/sso_saml20_w2012/w2012-adfs5.png
Pic. 10 - Configuration of AD FS service for SSO

images/security/sso_saml20_w2012/w2012-adfs6.png
Pic. 11 - Configuration of AD FS service for SSO

images/security/sso_saml20_w2012/w2012-adfs7.png
Pic. 12 - Configuration of AD FS service for SSO

images/security/sso_saml20_w2012/w2012-adfs8.png
Pic. 13 - Configuration of AD FS service for SSO. Choose the certificate from the list or import one

images/security/sso_saml20_w2012/w2012-adfs9.png
Pic. 14 - Configuration of AD FS service for SSO. Choose the service account and set its password

images/security/sso_saml20_w2012/w2012-adfs10.png
Pic. 15 - Configuration of AD FS service for SSO. Choose the service account and set its password

images/security/sso_saml20_w2012/w2012-adfs11.png
Pic. 16 - Configuration of AD FS service for SSO. Specify the configuration database

images/security/sso_saml20_w2012/w2012-adfs12.png
Pic. 17 - Configuration of AD FS service for SSO

images/security/sso_saml20_w2012/w2012-adfs13.png
Pic. 18 - Configuration of AD FS service for SSO

images/security/sso_saml20_w2012/w2012-adfs14.png
Pic. 19 - Configuration of AD FS service for SSO. Done. Now continue with a Relying Party Trust


1.3 Adding a Relying Party Trust

At this point you should be ready to set up the AD FS connection with your LiquidFiles appliance. The connection between AD FS and LiquidFiles is defined using a Relying Party Trust (RPT).

Select the Relying Party Trusts folder in AD FS Management and add a new Standard Relying Party Trust from the Actions sidebar. This starts the configuration wizard for a new trust. See Pic. 20.

images/security/sso_saml20_w2012/w2012-adfs15.png
Pic. 20 - Adding a Relying Party Trust

images/security/sso_saml20_w2012/w2012-adfs16.png
Pic. 21 - Adding a Relying Party Trust wizard

images/security/sso_saml20_w2012/w2012-adfs17.png
Pic. 22 - Adding a Relying Party Trust. Enter data manually

images/security/sso_saml20_w2012/w2012-adfs18.png
Pic. 23 - Adding a Relying Party Trust. Display name

images/security/sso_saml20_w2012/w2012-adfs19.png
Pic. 24 - Adding a Relying Party Trust. Choose the AD FS profile with the SAML 2.0 protocol

images/security/sso_saml20_w2012/w2012-adfs20.png
Pic. 25 - Adding a Relying Party Trust

images/security/sso_saml20_w2012/w2012-adfs21.png
Pic. 26 - Enter your LiquidFiles SAML Consumer URL, e.g. https://lf.yourdomain.net/saml/consume/

images/security/sso_saml20_w2012/w2012-adfs22-updated-https-identifiers.png
Pic. 27 - Adding a Relying Party Trust identifiers: https://lf.yourdomain.net, lf.yourdomain.net

images/security/sso_saml20_w2012/w2012-adfs23.png
Pic. 28 - Adding a Relying Party Trust

images/security/sso_saml20_w2012/w2012-adfs24.png
Pic. 29 - Adding a Relying Party Trust

images/security/sso_saml20_w2012/w2012-adfs25.png
Pic. 30 - Adding a Relying Party Trust

images/security/sso_saml20_w2012/w2012-adfs26.png
Pic. 31 - Adding a Relying Party Trust. Tick "Open the Edit Claim Rules dialog"


1.4 Creating claim rules

After adding the relying party trust, the wizard asks you to configure the claim rules. You can also reconfigure them later by right-clicking the relying party trust and selecting Edit Claim Rules. Click Add Rule, select Send LDAP Attributes as Claims, and select Active Directory as the attribute store. Map the LDAP attribute E-Mail-Addresses to the outgoing claim type E-Mail Address (follow Pic. 32 - 33).

images/security/sso_saml20_w2012/w2012-adfs27.png
Pic. 32 - Claim Rules

images/security/sso_saml20_w2012/w2012-adfs28.png
Pic. 33a - Claim Rules

Optionally you can also pass Given-Name and Surname from AD to the LiquidFiles appliance. When users log in for the first time, their accounts are created with these attributes as well. LiquidFiles expects the Given-Name and Surname attributes to be mapped to the outgoing claim types User.FirstName and User.LastName.

images/security/sso_saml20_w2012/w2012-adfs33b.png
Pic. 33b - Optional Claim Rules: Given-Name, Surname

Next select Transform an Incoming Claim as the claim rule template. Give it a name such as NameID. The incoming claim type should be E-Mail Address (it must match the outgoing claim type of rule #1). The outgoing claim type is Name ID (this is what is requested in the ServiceNow policy urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and the outgoing name ID format is Email. Pass through all claim values and click Finish. (See Pic. 34 - 36)

images/security/sso_saml20_w2012/w2012-adfs29.png
Pic. 34 - Claim Rules

images/security/sso_saml20_w2012/w2012-adfs30.png
Pic. 35 - Claim Rules

images/security/sso_saml20_w2012/w2012-adfs31.png
Pic. 36 - Claim Rules

1.5 Adjusting the trust settings

You still need to adjust a few settings on your relying party trust. To access them, select Properties from the Actions sidebar while the RPT is selected. In the Advanced tab, switch the secure hash algorithm from SHA256 to SHA1.

images/security/sso_saml20_w2012/w2012-adfs32.png
Pic. 37 - Adjusting the trust settings
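The trust, claim rules and signature setting of sections 1.3 to 1.5 done from the AD FS PowerShell module instead of the wizard, as an added example that is not part of the LiquidFiles documentation. It assumes an elevated session on the W2012 R2 AD FS server with the ADFS module available, this page's placeholder host name lf.yourdomain.net, and the parameter names of the 2012 R2 ADFS cmdlets (check Get-Help Add-AdfsRelyingPartyTrust on your version).

```powershell
# Added example, not LiquidFiles' or Microsoft's own code. Run on the AD FS server.
Import-Module ADFS

$lfHost   = "lf.yourdomain.net"               # placeholder: the LiquidFiles appliance
$consumer = "https://$lfHost/saml/consume/"   # Pic. 26; keep the trailing slash

# Claim rules in AD FS claim rule language.
# Rule 1 ("Send LDAP Attributes as Claims", Pic. 32-33b): mail -> E-Mail Address,
# givenName -> User.FirstName, sn -> User.LastName.
# Rule 2 ("Transform an Incoming Claim", Pic. 34-36): E-Mail Address -> Name ID
# with the emailAddress name ID format, all claim values passed through.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LiquidFiles LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "User.FirstName", "User.LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: the wizard's "Permit all users" choice.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Section 1.5: SHA-1 response signatures, as this how-to requires. SHA-1 is the
# weaker choice; use it only because the SP needs it, and keep the AD FS default
# (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) wherever the SP verifies SHA-256.
$sigAlg = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Assertion consumer endpoint (Pic. 26) and the trust itself (Pic. 23, 27).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $consumer

Add-AdfsRelyingPartyTrust -Name "LiquidFiles" `
    -Identifier @("https://$lfHost", $lfHost) `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm $sigAlg

# Read the trust back to confirm identifiers, endpoint and signature algorithm.
Get-AdfsRelyingPartyTrust -Name "LiquidFiles" |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ Name = "AssertionConsumer"; Expression = { $_.SamlEndpoints.Location } }
```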

 

 

 

1.6 Active Directory test user

Create a user in Active Directory. In this example it is testsso. Open Administrative Tools > Active Directory Users and Computers > Users > New > User (Pic. 38 - 40).

images/security/sso_saml20_w2012/w2012-domain24-add-user.png
Pic. 38 - Adding an Active Directory user

images/security/sso_saml20_w2012/w2012-domain25-add-user.png
Pic. 39 - Adding an Active Directory user

images/security/sso_saml20_w2012/w2012-domain26-add-user.png
Pic. 40 - Adding an Active Directory user: password

images/security/sso_saml20_w2012/w2012-domain28-add-user.png
Pic. 41 - User's properties: fill in E-mail

1.7 Optional settings

1.7.1 Authentication policies

If you need to use AD FS/SSO from the intranet, for testing or another reason, you must enable forms authentication. By default, forms authentication is disabled in the intranet zone. Enable it by following these steps:

Open the AD FS Management console. Click Authentication Policies > Primary Authentication > Global Settings > Authentication Methods > Edit.

 

images/security/sso_saml20_w2012/w2012-adfs34-set-form-authentification-enabled.png

                                                                         Pic. 42 – Authentication Policies for intranet

 

 

images/security/sso_saml20_w2012/w2012-adfs35-set-form-authentification-enabled.png

                                                                         Pic. 43 – Authentication Policies for intranet

 

 

2. LiquidFiles appliance SSO settings

This part covers configuring the SSO service on the LiquidFiles appliance. Essentially we need to find out the IdP's SSO login URL and the signing certificate's fingerprint.

2.1 SSO Login URL

First verify what your IdP's Single Sign-On login URL is. Download and open the metadata file from https://server.mydomain.local/FederationMetadata/2007-06/FederationMetadata.xml and check the SingleSignOnService Location. In this example the URL is https://server.mydomain.local/adfs/ls/ (important: when copying the link, make sure you take it with the trailing slash).

images/security/sso_saml20_w2012/sso-login-url.png
Pic. 44 - SSO login URL

2.2 Fingerprint

Next we need to find out the fingerprint (thumbprint) of the token-signing certificate used on the AD FS server. Open AD FS > Certificates. Right-click the Token-signing certificate, open the Details tab and look for Thumbprint. Copy/paste it into Notepad and replace the spaces with colons. In this example the rewritten fingerprint looks like this:

5c:c2:1c:67:94:0d:98:c8:04:4e:97:d4:49:9f:bb:b9:ed:ce:6d:3a

images/security/sso_saml20_w2012/w2012-adfs33.png
Pic. 45 - Copy the signing certificate's fingerprint
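Collecting the login URL of 2.1 and the colon-separated fingerprint of 2.2 without copy/paste, as an added PowerShell example that is not part of the LiquidFiles documentation. It assumes it runs on the AD FS server with the ADFS module available, that the machine trusts the AD FS service certificate (a self-signed one must sit in the Trusted Root store first, or Invoke-WebRequest will refuse the metadata URL), and this page's placeholder host name server.mydomain.local.

```powershell
# Added example, not LiquidFiles' or Microsoft's own code. Run on the AD FS server.
Import-Module ADFS
$fsHost = "server.mydomain.local"   # placeholder: the AD FS server

# 2.1: read the SingleSignOnService Location from the published metadata instead
# of retyping it; the trailing slash on /adfs/ls/ comes along unchanged.
$uri = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
$sso = $md.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    Where-Object { $_.Binding -eq "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" }
$loginUrl = $sso.Location
if (-not $loginUrl.EndsWith("/")) { Write-Warning "login URL lacks the trailing slash: $loginUrl" }

# 2.2: primary token-signing certificate straight from AD FS, so nothing invisible
# from the certificate dialog ends up in the pasted thumbprint.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
# "5CC21C67..." -> "5c:c2:1c:67:...": lower-case, a colon after every pair except the last.
$fingerprint = $cert.Thumbprint.ToLower() -replace '(..)(?!$)', '$1:'

# Cross-check: the signing KeyDescriptor in the metadata must carry the same
# certificate, otherwise the appliance will reject the signed responses.
$b64 = ($md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object use -eq "signing" | Select-Object -First 1).KeyInfo.X509Data.X509Certificate
$mdCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($b64))
if ($mdCert.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "metadata signing certificate differs from the primary token-signing certificate"
}

# The two values to paste into Configuration > Single Sign On (section 2.3).
[pscustomobject]@{ IdPLoginURL = $loginUrl; IdPCertFingerprint = $fingerprint }
```

After a token-signing certificate rollover the primary certificate changes, so the fingerprint on the appliance must be updated; rerunning this shows the new value.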

 

2.3 Setting up LiquidFiles

Now open the LiquidFiles appliance's Configuration > Single Sign On form and paste in the collected information, the fingerprint and the SSO login URL. See Pic. 46.

  • Choose Single Sign On Method: SAML2
  • IdP Login URL: https://server.mydomain.local/adfs/ls/
  • IdP Cert Fingerprint, e.g.: 5c:c2:1c:67:94:0d:98:c8:04:4e:97:d4:49:9f:bb:b9:ed:ce:6d:3a
  • Optionally you can set the IdP Logout URL, the URL you are redirected to when you log out of LF

images/security/sso_saml20_w2012/sso-settings.PNG
Pic. 46 - LiquidFiles SSO config

3. Testing SSO login

Connect to the LF appliance and click the SSO button. You are redirected to the IdP login site, where you log in with the Active Directory user; in this example the testsso user. After successful verification you are logged in to LF. Job done.

images/security/sso_saml20_w2012/sso-login-example1.PNG
Pic. 47 - SSO testing

images/security/sso_saml20_w2012/sso-login-example2.PNG
Pic. 48 - Redirect to IdP for authentication

images/security/sso_saml20_w2012/sso-login-example3.PNG
Pic. 49 - Logged in through SSO