Integrating Multiple IDPs
In some cases you may want to use different IDPs for your users, for example, if your users sign in to FileCloud from different platforms.
Beginning with FileCloud version 20.1, you can configure up to six different IDPs (the default and five additional ones) for single sign-on (SSO). The configuration assigns an email domain to each IDP, and chooses which IDP to apply depending on the domain of the sign-in email address.
To configure multiple IDPs
- Set up SSO and configure your default IDP according to the instructions in SAML Single Sign-On Support. The IDP configured in that admin UI is the default identity provider; every sign-in that does not match one of the additional IDPs below falls back to it.
- Rename the file idpconfig-sample.php to idpconfig.php in:
- Open idpconfig.php.
- Use the help comments in idpconfig.php to set the configuration parameter values for each IDP. If a parameter does not apply to an IDP, leave it empty.
You can configure up to five additional IDPs in idpconfig.php. Attach the suffix _1, _2, _3, _4, or _5 to each parameter so that the system knows which IDP it refers to; every parameter for one IDP must carry the same suffix.
Note that any email domain not listed in TONIDOCLOUD_SAML_EMAIL_DOMAINS_1, TONIDOCLOUD_SAML_EMAIL_DOMAINS_2, TONIDOCLOUD_SAML_EMAIL_DOMAINS_3, TONIDOCLOUD_SAML_EMAIL_DOMAINS_4, or TONIDOCLOUD_SAML_EMAIL_DOMAINS_5 is automatically routed to the default identity provider configured in the admin UI under Settings > SSO.
Open cloudconfig.php at
Add the following, with up to five domains. These are the domains of the users' sign-in email addresses (the part after the @).
The suffix on each domain setting ties it to the IDP whose parameters carry the same suffix in idpconfig.php (TONIDOCLOUD_SAML_EMAIL_PARAM_1, TONIDOCLOUD_SAML_EMAIL_PARAM_2, and so on).
- Users must sign in with their email addresses so FileCloud can determine which IDP they are using.
For IDP-initiated single sign-on there is no sign-in email address to route on, so the IDP URL (its entityID) must be passed as a query-string parameter in the RelayState URL.
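The following is an added example, not FileCloud's own code or configuration: a cloudconfig.php fragment that assigns one domain to each of two additional IDPs, followed by a small resolver that shows which IDP slot a sign-in address would be routed to under the rules described above (exact domain match, default IDP for everything else). Only the TONIDOCLOUD_SAML_EMAIL_DOMAINS_n names come from this page; the domain values, the one-domain-per-define format, and the function name resolveIdpSlot are assumptions made for the illustration.

```php
<?php
// Added example (not FileCloud code). Shows the domain-to-IDP assignment
// and the routing decision it implies. Domain values are made up.

// --- cloudconfig.php: one email domain per additional IDP slot ---
define("TONIDOCLOUD_SAML_EMAIL_DOMAINS_1", "corp.example.com");    // assumed value
define("TONIDOCLOUD_SAML_EMAIL_DOMAINS_2", "partner.example.org"); // assumed value
// _3 .. _5 are left undefined: those IDP slots are unused.

/**
 * Return the IDP slot (1..5) whose domain matches the sign-in email,
 * or 0 for the default IDP configured in Settings > SSO.
 *
 * The match is exact and case-insensitive on the text after the last '@',
 * so "corp.example.com.attacker.net" or "evil-corp.example.com" never
 * lands in slot 1. This mirrors the documented routing; it is an
 * illustration, not FileCloud's routing code.
 */
function resolveIdpSlot(string $email): int
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return 0; // not an email address; FileCloud needs one to route
    }
    $domain = strtolower(substr($email, $at + 1));

    for ($n = 1; $n <= 5; $n++) {
        $name = "TONIDOCLOUD_SAML_EMAIL_DOMAINS_$n";
        if (!defined($name)) {
            continue;
        }
        // Trim and lowercase the configured value so a stray space or
        // capital letter in the config does not silently send every user
        // of that domain to the default IDP.
        if (strtolower(trim(constant($name))) === $domain) {
            return $n;
        }
    }
    return 0;
}

// Quick check from the command line: php idp_routing.php
if (PHP_SAPI === 'cli') {
    $samples = [
        'alice@corp.example.com',            // slot 1
        'bob@PARTNER.example.org',           // slot 2 (case-insensitive)
        'eve@corp.example.com.attacker.net', // 0: lookalike domain does not match
        'carol@other.example.net',           // 0: unlisted domain, default IDP
    ];
    foreach ($samples as $email) {
        printf("%-38s -> IDP slot %d\n", $email, resolveIdpSlot($email));
    }
}
```

The lookalike case is the check worth repeating against a real deployment: after configuring the domains, sign in with an address whose domain merely contains or ends in a configured domain and confirm it is routed to the default IDP rather than to the additional one.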
To configure custom error messages for each IDP
You can configure a custom SAML/SSO invalid sign-in message for each additional IDP.
- Open idpconfig.php.
Add the following, where n is the number of the IDP in idpconfig.php that the message applies to:

```php
define("TONIDOCLOUD_SAML_ERROR_MSG_n", "<error message>");
```

For example, for IDP 4 (a nowdoc string is used so that the double quotes inside the HTML need no escaping):

```php
define("TONIDOCLOUD_SAML_ERROR_MSG_4", <<<'HTML'
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <title>FileCloud SSO Authorization Page</title>
  <link rel="stylesheet" href="bootstrap.min.css">
</head>
<body>
  <div class="container">
    <h2 align="center"><img src="../core/getcustomimage?type=login"></h2>
    <h2 align="center"><u>Single Sign-on Login</u></h2>
    <br/><br/>
    <p align="center">Failed to login automatically via SAML Single Sign-on (SSO).<br/>Please return to the main login page and login normally.</p>
    <div align="center">
      <p><b>^MESSAGE^</b></p>
      <br/>
      <a href="/" class="btn btn-primary btn-sm" role="button">Back to Login</a>
    </div>
  </div>
  <br/>
</body>
</html>
HTML
);
```
The value you enter for <error message> is shown to a user whose SSO sign-in through that IDP fails; it plays the same role for the additional IDP that the SSO Error Message field in the SAML settings plays for the default IDP. Keep the ^MESSAGE^ token shown in the sample in your own message.
For more information, see 3. Configure Idp settings in FileCloud on the help page SAML Single Sign-On Support.
To allow duplicate user names for different domains
FileCloud does not create two users with the same user name from the SSO sign-in screen. In a multiple-IDP scenario, however, two users from different domains may have the same email prefix even though their full email addresses differ. Because FileCloud converts the email prefix into the user name, creating the second user fails. Use the following setting to overcome this.
- Open cloudconfig.php at
Add the following and save:
For example, if you create a user with the user name jocelynp and email email@example.com, FileCloud creates a user with the user name jocelynp.
If you then attempt to create a second user with the user name jocelynp and a different email, firstname.lastname@example.org, FileCloud creates that user with the full email address, firstname.lastname@example.org, as the user name instead.
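The following added example (not FileCloud code) walks through the collision described above and both outcomes: with the setting off the second account cannot be created, with it on the second account gets its full email address as the user name. The real define name for the setting is not shown on this page, so it appears here only as the function argument $allowDuplicatePrefix; the email addresses and the function name deriveUsername are assumptions for the illustration.

```php
<?php
// Added example (not FileCloud code). Illustrates how the SSO user name is
// derived from the sign-in email and what happens when two domains share a
// prefix. $allowDuplicatePrefix stands in for the cloudconfig.php setting.

/**
 * Derive the user name an SSO-created account would receive.
 * Returns null when the account cannot be created.
 *
 * @param string   $email                 sign-in email address
 * @param string[] $existingUsernames     user names already in the system
 * @param bool     $allowDuplicatePrefix  the duplicate-user-name setting
 */
function deriveUsername(string $email, array $existingUsernames, bool $allowDuplicatePrefix): ?string
{
    $email = strtolower(trim($email));
    $at = strrpos($email, '@');
    if ($at === false) {
        return null; // not an email address
    }
    $prefix = substr($email, 0, $at);
    $taken  = array_map('strtolower', $existingUsernames);

    if (!in_array($prefix, $taken, true)) {
        return $prefix; // first user with this prefix keeps the short name
    }
    if (!$allowDuplicatePrefix) {
        return null;    // setting off: the second account is not created
    }
    // Setting on: fall back to the full email address, which is unique
    // across domains. Still refuse if even that is somehow taken.
    return in_array($email, $taken, true) ? null : $email;
}

// Quick check from the command line: php sso_username.php
if (PHP_SAPI === 'cli') {
    foreach ([false, true] as $setting) {
        echo "duplicate-prefix setting " . ($setting ? "ON" : "OFF") . ":\n";
        $users = [];
        // Constructed sign-ins: same prefix, two different IDP domains.
        foreach (['jocelynp@corp.example.com', 'jocelynp@partner.example.org'] as $e) {
            $name = deriveUsername($e, $users, $setting);
            echo "  $e -> " . ($name ?? 'CREATION FAILS') . "\n";
            if ($name !== null) {
                $users[] = $name;
            }
        }
    }
}
```

The check a practitioner wants after enabling the setting: sign in as the second user and confirm that a new account with the email-form user name was created, and that the sign-in did not land in the first user's existing jocelynp account.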
To configure custom settings for automatic account creation for each IDP
Beginning in FileCloud version 20.1, you have the ability to configure custom automatic account creation settings for each IDP.
- Open idpconfig.php.
Add code such as the following, which allows a new account to be created during login and automatically approves it with Full User permissions. The code configures IDP 1 because the parameters are suffixed with _1; see To configure multiple IDPs, above, for how suffixes are assigned. Note that approval value 1 gives every account the IDP authenticates a Full User account; if the IDP's user population is wider than the set of people who should have full FileCloud access, prefer 0 (admin approval) or a more restricted account type.
```php
/* Allow a new account to be created during the login process when
   authenticated through this IDP. Allowed values: FALSE or TRUE */
define("TONIDOCLOUD_SAML_ACCOUNT_CREATION_MODE_1", "TRUE");

/* Status of new accounts created automatically when authenticated
   through this IDP:
   0 - No automatic approval, an admin has to approve the account
   1 - Automatically approve new accounts as Full User
   2 - Automatically approve new accounts as Guest User
   3 - Automatically approve new accounts as External User */
define("TONIDOCLOUD_SAML_AUTOMATIC_ACCOUNT_APPROVAL_1", "1");
```
Note: Configure these settings for the default IDP in the admin user interface under Settings > SSO. See 3. Configure Idp settings in FileCloud on the help page SAML Single Sign-On Support for instructions.