Single Sign-On in Azure Cloud
Since v3.1.0 LiquidFiles appliance has had new SingleSignOn settings and since that version LF can be configured to work also with SSO IdP in Azure Cloud. Mainly it has been added the "Auth comparison" switch which allows to adjust LF appliance to the only allowed Authn comparison attribute "Exact" in the Azure Cloud. Before you start with following configuration make sure you have your LF updated on v3.1.0 or higher, ideally the latest version.
- Azure Management console
- Web application for LiquidFiles in your Azure cloud
- LiquidFiles on version 3.1.0 or higher
Settings in Azure
- Name: Some name
- Sign-on URL: https://lf.domain.com/saml/init
- App ID URI: https://lf.domain.com
- Reply URL: https://lf.domain.com/saml/consume
Settings in LiquidFiles
On the LF server server click on "Single Sign-On (SSO)" in the "Admin > Configuration" drop down menu, and set following settings:
- Single Sign On Method: SAML 2
- IdP Login URL: here paste the Azure's login URL. It's an Azure's unique login URL for your application. This URL you can list if you click on the Azure's Application details, then click on the Configure tab on the top bar and finally click View endpoints icon on the bottom. Copy the URL in SAML-P Sign-On Endpoint box and paste it to the IdP Login URL box in LF appliance. It will looks like this: https://login.microsoftonline.com/yourdomainid/saml2
- IdP Logout URL: Optionally you can fill in logout URL similar way like IdP Login URL
- IdP Cert Fingerprint: To this box copy the Fingerprint of your Azure X.509 certificate. You can paste Fingerprint which is using SHA-256 algorithm (preferred), or alternatively Fingerprint which is using SHA-1 algorithm.
Note: Here is described one approach how to obtain the FingerPrint from your Azure cloud. Click again on the View endpoints icon and open URL Federation Metadata Document in your browser (https://login.microsoftonline.com/yourdomainid/federationmetadata/2007-06/federationmetadata.xml).
Copy the X.509 certificate between <X509Certificate> and </X509Certificate> tags. In the XML document you can find it inside of the <Signature> and </Signature> tags.
In order to get the SHA-256 or SHA-1 fingerprint of the certificate, you can click f.e. on the following saml tools page https://www.samltool.com/fingerprint.php and generate the Fingerprint. Finally copy the "Formatted FingerPrint" (delimited by colon) and paste it to IdP Cert FingerPrint box in LF.
- Name Identifier: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default settings)
- Authn Context: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (default settings)
- Signature Algorithm: SHA-256 (preferred) or SHA-1
- Auth Comparsion: set to Exact (important)