Single Sign-On using SAML
SAML Single Sign-On Configuration
To configure SAML Single Sign-On, you will need some details from your Identity Provider (IdP).
A couple of things to note:
- In the IdP configuration, your LiquidFiles SAML Login URL is: https://your_base_url/saml/init
- In the IdP configuration, your LiquidFiles SAML Consumer URL is: https://your_base_url/saml/consume
- If your IdP wants a metadata URL, you can set that to: https://your_base_url/saml/metadata.xml
- The SAML NameID needs to be set to Email, as LiquidFiles uses the email address as the unique identifier for a user account.
- If you set User.FirstName and User.LastName attributes, they will be used to set the users name automatically. This is not required.
- The IdP Login URL is where the browser is redirected when the user clicks on the SSO Login button.
- If the IdP Logout URL is configured, this is where the user will be redirected when the user clicks on the Logout button.
- The Identity Provider (IdP) is authenticated using the Certificate Fingerprint of the IdP's signing certificate, so make sure the fingerprint you enter is taken from the certificate the IdP actually signs its SAML responses with.
- The Name Identifier Format and Authn Contexts do not normally need to be changed.
Setting LiquidFiles group when authenticating with SSO
In Admin → Groups, you can set the default group for users authenticating with SSO. This defaults to the Local Users group.
When a user logs in with SSO for the first time, i.e. they don't yet have a LiquidFiles user account, the system will also look up the user via LDAP. If the user is found in LDAP, they will be assigned to a group as per the LDAP group matching, or to the default LDAP group.
In this example, we're using the Onelogin.com test login.
In the Onelogin configuration, search for test and select the "OneLogin SAML Test (IdP w/attr)"
When you've added the test system, add the following configuration:
https://lfapp.dev is the base URL for your LiquidFiles system in the screenshot above.
On the Single Sign-on tab, configure as follows:
The important setting is SAML NameID, which needs to be set to "Email".
The other attributes will enable First and Last Name to be added when users are created from logins.
On your LiquidFiles system, configure Admin → Single Sign-On as follows:
- Idp Login URL: https://app.onelogin.com/saml/signon/59153
- Idp Logout URL: https://app.onelogin.com/client/apps
- Idp Cert Fingerprint: BB:B4:C7:85:55:ED:7B:2B:19:83:EF:F0:32:4A:B6:CC:54:3A:FA:3F
- Name Identifier Format: default
- Authn Context: default
This will enable login either from the OneLogin portal or from the LiquidFiles front page using the SSO Login button:
Microsoft ADFS configuration
A common SAML identity provider in enterprises is Microsoft ADFS. To make ADFS work with LiquidFiles, please continue reading this article: