https://man.liquidfiles.com
LiquidFiles Documentation

Since v3.1.0 the LiquidFiles appliance has had new Single Sign-On settings, and since that version LF can also be configured to work with an SSO IdP in the Azure cloud. The main addition is the "Auth Comparison" switch, which lets you adjust the LF appliance to the only Authn comparison attribute Azure accepts, "Exact". Before you start with the following configuration, make sure your LF is updated to v3.1.0 or higher, ideally the latest version.


Prerequisites:

  • Azure Management console
  • Web application for LiquidFiles in your Azure cloud
  • LiquidFiles on version 3.1.0 or higher

Settings in Azure

First, open the web application you have created for your LF server (Service Provider) in your Azure cloud. Log in to your Azure Management page at https://manage.windowsazure.com. On the left navigation pane, click the Active Directory icon, then click your directory name, then click the Application button on the top menu. A list of your applications is shown; click the application you prepared for your LF server, then click the Configure tab on the top menu. Under the Configure tab, check that you have the following settings:

  • Name: Some name
  • Sign-on URL: https://lf.domain.com/saml/init
  • App ID URI: https://lf.domain.com
  • Reply URL: https://lf.domain.com/saml/consume

Settings in LiquidFiles

On the LF server, click "Single Sign-On (SSO)" in the "Admin > Configuration" drop-down menu and set the following:

  • Single Sign On Method: SAML 2
  • IdP Login URL: paste Azure's login URL here. It is a login URL unique to your application. To find it, open the application details in Azure, click the Configure tab on the top bar and then click the View endpoints icon (Endpoints) at the bottom. Copy the URL in the SAML-P Sign-On Endpoint box and paste it into the IdP Login URL box in the LF appliance. It looks like this: https://login.microsoftonline.com/yourdomainid/saml2
  • IdP Logout URL: optionally, fill in the logout URL in the same way as the IdP Login URL.
  • IdP Cert Fingerprint: copy the fingerprint of your Azure X.509 certificate into this box. You can paste a SHA-256 fingerprint (preferred) or, alternatively, a SHA-1 fingerprint.

    Note: one way to obtain the fingerprint from your Azure cloud is described here. Click the View endpoints icon again and open the Federation Metadata Document URL in your browser (https://login.microsoftonline.com/yourdomainid/federationmetadata/2007-06/federationmetadata.xml).
    Copy the X.509 certificate between the <X509Certificate> and </X509Certificate> tags; in the XML document it is inside the <Signature> and </Signature> tags.
    To get the SHA-256 or SHA-1 fingerprint of the certificate, you can, for example, use the following SAML tools page https://www.samltool.com/fingerprint.php to generate the fingerprint.
    Finally, copy the "Formatted FingerPrint" (colon-delimited) and paste it into the IdP Cert Fingerprint box in LF.
  • Name Identifier: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default settings)
  • Authn Context: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (default settings)
  • Signature Algorithm: SHA-256 (preferred) or SHA-1
  • Auth Comparison: set to Exact (important)
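The two values above that come out of the federation metadata document, the SAML-P sign-on endpoint for "IdP Login URL" and the certificate fingerprint for "IdP Cert Fingerprint", can be produced locally instead of copying the certificate into a third-party web page. The script below is an added example written for this page, not LiquidFiles' or Microsoft's code, and uses only the Python standard library. It parses a constructed stand-in for the federation metadata (the tenant id EXAMPLE-TENANT-ID is a placeholder and the certificate body is base64("abc") rather than a real DER certificate, so the expected fingerprints can be checked by hand; pointing it at a real federationmetadata.xml yields the real values). The fingerprint is the hash of the DER bytes, formatted colon-delimited and upper-case as the "Formatted FingerPrint" the page refers to. It also makes the check a practitioner wants before pasting: the certificate taken from <Signature> must be one the IdP lists under a KeyDescriptor with use="signing", because that is the key that will sign the assertions LF validates. The assumption that the HTTP-Redirect SingleSignOnService Location is the same endpoint the portal shows as "SAML-P Sign-On Endpoint" is mine.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# XML namespaces used in SAML 2.0 federation metadata.
DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed stand-in for the federation metadata document (not real Azure
# output). EXAMPLE-TENANT-ID is a placeholder and the certificate body is
# base64("abc") instead of a real DER certificate, so the expected
# fingerprints below can be verified by hand.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/>
    <SignatureValue>c2lnbmF0dXJl</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>
          YWJj
        </X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>YWJj</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/EXAMPLE-TENANT-ID/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _clean_b64(text):
    """Strip the line breaks and indentation wrapped around a base64 body."""
    return "".join((text or "").split())


def signature_certs(xml_text):
    """Base64 bodies of the X509Certificate elements inside <Signature>,
    which is where the page says to copy the certificate from."""
    root = ET.fromstring(xml_text)
    return [_clean_b64(c.text)
            for sig in root.iter(DS + "Signature")
            for c in sig.iter(DS + "X509Certificate")]


def signing_key_certs(xml_text):
    """Base64 bodies of the IdP's assertion-signing certificates: KeyDescriptor
    with use="signing" (a KeyDescriptor without a use attribute covers both)."""
    root = ET.fromstring(xml_text)
    return [_clean_b64(c.text)
            for kd in root.iter(MD + "KeyDescriptor")
            if kd.get("use") in (None, "signing")
            for c in kd.iter(DS + "X509Certificate")]


def fingerprint(cert_b64, algorithm="sha256"):
    """Colon-delimited, upper-case hash of the certificate's DER bytes, i.e.
    the 'Formatted FingerPrint' form that goes into the LF box."""
    der = base64.b64decode(_clean_b64(cert_b64))
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_login_url(xml_text):
    """Location of the HTTP-Redirect SingleSignOnService; assumed here to be the
    same endpoint the Azure portal shows as 'SAML-P Sign-On Endpoint'."""
    root = ET.fromstring(xml_text)
    for sso in root.iter(MD + "SingleSignOnService"):
        if sso.get("Binding") == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect":
            return sso.get("Location")
    raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")


def liquidfiles_fingerprint(xml_text, algorithm="sha256"):
    """Fingerprint for 'IdP Cert Fingerprint', after checking that the certificate
    taken from <Signature> is one the IdP actually lists for signing."""
    certs = signature_certs(xml_text)
    if len(certs) != 1:
        raise ValueError("expected one certificate in <Signature>, found %d" % len(certs))
    if certs[0] not in signing_key_certs(xml_text):
        raise ValueError("certificate in <Signature> is not among the IdP's signing keys")
    return fingerprint(certs[0], algorithm)


if __name__ == "__main__":
    print("IdP Login URL:       ", idp_login_url(SAMPLE_METADATA))
    print("IdP Cert Fingerprint:", liquidfiles_fingerprint(SAMPLE_METADATA))
    print("SHA-1 alternative:   ", liquidfiles_fingerprint(SAMPLE_METADATA, "sha1"))
```

To use it against your tenant, replace SAMPLE_METADATA with the contents of the federationmetadata.xml you downloaded in the note above; the SHA-256 output is what to paste into "IdP Cert Fingerprint", and the default SHA-256 matches the preferred "Signature Algorithm" setting.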