Integrate Azure AD with FileCloud
Note: Azure AD can only be integrated if FileCloud has an SSL certificate in place, as Microsoft requires HTTPS URLs when configuring FileCloud in Azure.
FileCloud can be integrated with Azure AD.
- Azure AD is configured as the Identity Provider (IdP)
- FileCloud acts as the Service Provider (SP)
To integrate Azure AD with FileCloud:
- Log in to the Azure AD portal (https://portal.azure.com).
- On the left navigation pane, click Active Directory.
- From the Directory list, select the directory for which you want to enable directory integration.
- Select Enterprise applications on the left navigation menu.
- Click New application.
- In the Add an application page, click Application you're developing.
- Enter FileCloud, select the listing for FileCloud, and click Add in the right panel.
- In the next screen, click Single sign-on in the left navigation panel.
- Enter the Sign on URL, Identifier (Entity ID), and Reply URL.
Sign on URL is your FileCloud site URL, for example, https://yourdomain.com
Identifier (Entity ID) is the FileCloud SSO endpoint, for example, https://yourdomain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp
- Check Show advanced URL settings.
- In Reply URL, replace yourfileclouddomain.com with your FileCloud domain, in the format: https://yourfileclouddomain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
- Click Save in the top left of the screen.
- From the bottom of the screen, click Metadata XML.
The metadata file is downloaded.
- Click Users and groups in the left navigation panel, add the users, and make sure permissions are assigned.
Log in to your FileCloud Admin UI, go to Settings > SSO, and enter the following settings and values:
- Default SSO Type: SAML
- Idp End Point URL: From the downloaded Metadata XML, copy the entityID value on the first line of the XML document.
- Idp Username Parameter: The claim name depends on the IdP configuration. Use the appropriate one of the following:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
or
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Idp Email Parameter: The claim name depends on the IdP configuration. Use the appropriate one of the following:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
or
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Idp Given Name Parameter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Idp Surname Parameter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Idp Metadata: Copy the complete contents of the downloaded Metadata XML.
To get the Idp End Point URL, open the downloaded metadata XML and copy the entityID value, as shown in the screenshot below.
Save the above settings.
This completes the Azure AD SSO integration with FileCloud.
Troubleshooting failed SSO login for a member of an AD limit group
For SAML SSO with an AD limit group, FileCloud checks the logging-in user's FileCloud group name to see if they are a member of the limit group. Azure AD can only send the Group ID, not the group name, to FileCloud, so login fails for a member of the limit group. To fix this, add a custom claim named memberof in Azure AD that sends the group's Object ID (Group ID), and enter that Object ID in FileCloud's SSO settings to limit login to this specific group.
To get the group's Object ID, in Azure AD:
- Log in to the Azure Portal Dashboard, and click Azure Active Directory.
- Click Groups, and then click the Group to limit the login to.
- Open the Overview screen for the group and copy the Object ID field.
- Then, in Azure AD, go to the Enterprise Applications screen, and choose the FileCloud application.
- In the navigation panel, click Single sign-on.
- Scroll down to Attributes and Claims, and click Edit.
- Click Add a group claim.
A Group Claims form opens in the right panel.
- In Source attribute, choose Group ID.
- Check Customize the name of the group claim.
- In Name, enter memberof, and in Value, enter user.groups (which is equal to Object Id).
Now memberof will be sent to FileCloud with the value of the user's group, and when FileCloud compares it with the Idp Group, the values match, so FileCloud will allow the login.
- For ADFS, add an additional claim parameter (Token-Groups - Unqualified Names > memberof) during ADFS configuration.
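The troubleshooting section comes down to one comparison: the value in the memberof claim against the value configured in FileCloud. The script below, added here as an example and not FileCloud's or Microsoft's own code, shows that comparison together with how the claim URIs from the SSO settings table map onto a user record. It parses the AttributeStatement of a SAML assertion into a claim-to-values map (a group claim is multi-valued), resolves username, e-mail, given name and surname using the configured parameter names, and applies the limit-group check. Because Azure AD emits group Object IDs, a group name configured in FileCloud never matches, which is the failed login described above; the Object ID does. SAMPLE_ASSERTION is a constructed fragment, the GUIDs, names and e-mail address in it are placeholders, and "Idp Group Parameter" is a hypothetical label for the group setting.

```python
"""Resolve a FileCloud user from Azure AD SAML claims and apply the limit-group check.

Added example, not FileCloud's or Microsoft's own code. The claim URIs are the
ones FileCloud's SSO settings use and "memberof" is the custom group claim name;
SAMPLE_ASSERTION is a constructed assertion fragment whose GUIDs, names and
e-mail address are placeholders.
"""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# FileCloud SSO settings as the page describes them. "Idp Group Parameter" is a
# hypothetical label for the setting that names the custom group claim.
FILECLOUD_SSO = {
    "Idp Username Parameter": CLAIMS + "emailaddress",
    "Idp Email Parameter": CLAIMS + "emailaddress",
    "Idp Given Name Parameter": CLAIMS + "givenname",
    "Idp Surname Parameter": CLAIMS + "surname",
    "Idp Group Parameter": "memberof",
}

# Constructed assertion fragment: what Azure AD sends once the memberof claim
# (Source attribute: Group ID) is configured. Group values are Object IDs, never names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attributes_from_assertion(xml_text):
    """Map each Attribute Name to its list of values (a claim may be multi-valued)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_user(attrs, settings=FILECLOUD_SSO):
    """Pick the FileCloud user fields out of the claims using the configured parameter names."""
    def first(setting):
        values = attrs.get(settings[setting], [])
        return values[0] if values else None

    user = {
        "username": first("Idp Username Parameter"),
        "email": first("Idp Email Parameter"),
        "given_name": first("Idp Given Name Parameter"),
        "surname": first("Idp Surname Parameter"),
    }
    if not user["username"]:
        raise ValueError("claim %s missing: check the Idp Username Parameter" % settings["Idp Username Parameter"])
    return user


def limit_group_allows(attrs, idp_group_value, settings=FILECLOUD_SSO):
    """Allow login only if the value configured in FileCloud appears in the group claim.

    Azure AD emits Object IDs, so a FileCloud group name configured here never
    matches; that is the failed login the troubleshooting section describes.
    """
    groups = attrs.get(settings["Idp Group Parameter"], [])
    return idp_group_value in groups


if __name__ == "__main__":
    claims = attributes_from_assertion(SAMPLE_ASSERTION)
    print(resolve_user(claims))
    print("by Object ID:", limit_group_allows(claims, "11111111-1111-1111-1111-111111111111"))
    print("by group name:", limit_group_allows(claims, "FileCloud-Limit-Group"))
```

When a limit-group login still fails after the claim is configured, dumping the claim map from the actual assertion is the quickest check: if the memberof key is absent, the custom claim name in Azure AD does not match; if it is present but holds a different GUID, the wrong group's Object ID was copied into FileCloud.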