Content Collaboration: Single Sign-On Configuration Guide ADFS 4.0

Last Revised: May 2019


LEGAL NOTICE

This document is furnished "AS IS" without warranty of any kind. This document is not supported under any Citrix standard support program. Citrix Systems, Inc. disclaims all warranties regarding the contents of this document, including, but not limited to, implied warranties of merchantability and fitness for any particular purpose. This document may contain technical or other inaccuracies or typographical errors. Citrix Systems, Inc. reserves the right to revise the information in this document at any time without notice. This document and the software described in this document constitute confidential information of Citrix Systems, Inc. and its licensors, and are furnished under a license from Citrix Systems, Inc. This document and the software may be used and copied only as agreed upon by the Beta or Technical Preview Agreement. Copyright © 2019 Citrix Systems, Inc. All rights reserved. Citrix, Citrix Content Collaboration, and ShareFile are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.


Content Collaboration SSO Guide with ADFS 4.0

Contents

Prerequisites
Add AD FS Role
Configure AD FS
Enable IDP Initiated Sign-on (Optional)
Export token-signing certificate
Configure ShareFile account
Build service provider trust
Test your configuration


Prerequisites

• Domain joined Windows Server 2016 host
• Publicly accessible FQDN associated with public IP (Example: <adfs>.yourdomain.com)
• Valid SSL certificate associated with site FQDN (Wildcards are supported)
• Port 443 open inbound and outbound on public IP associated with AD FS FQDN


Add AD FS Role

- Launch Server Manager
- Click ‘Manage’ at top right
- Click ‘Add Roles and Features’
- Select ‘Active Directory Federation Services’
- Click ‘Next’
- Click ‘Next’


- Click ‘Next’
- Select ‘Restart the destination server automatically if required’
- Click ‘Install’, respond ‘Yes’ to restart prompt


- You should see this screen upon successful install of the role.
- Click ‘Close’


Configure AD FS

- Open ‘Server Manager’
- Click the flag icon with yellow caution symbol
- Click ‘Configure the federation service on this server.’
- Select ‘Create the first federation server in a federation server farm’ radio button.
- Click ‘Next’


- Define a domain admin account to configure AD FS.
- Click ‘Next’
- Select the public SSL certificate (this should be imported on the host before AD FS configuration).
- Type in a Federation Service Name. This should match the FQDN you created for AD FS. Example: adfs2016.yourdomain.com


- Type in a Service Display Name. This is the text that shows on a forms-based login page.
- Click ‘Next’
- Specify the service account AD FS should use.
- Click ‘Next’


- Select the database type. Since this is my test lab and a small environment, I went with a WID database. Here is some information on using WID or SQL: http://technet.microsoft.com/en-us/library/ee913581.aspx
- Click ‘Next’
- Review the changes before they are made.
- Click ‘Next’


- Click ‘Configure’ if all prerequisite checks completed successfully.
- Upon successful configuration of AD FS, you should see this screen.
- Click ‘Close’


Enable IDP Initiated Sign-on (Optional)

The IDP initiated sign-on page is a great way to test your configuration and confirm that AD FS will accept your domain credentials before establishing service provider trusts. By default, this page is disabled on Server 2016 environments. You will need to use PowerShell to enable IDP initiated sign-on.

- Launch PowerShell ‘as administrator’
- Run the command “set-adfsproperties -EnableIDPInitiatedSignonPage $True” without quotations (note the parameter name is introduced by an ordinary hyphen).
- You should now be able to browse to https://<adfs.domain.com>/adfs/ls/idpinitiatedsignon.aspx and sign in.
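The same change done from an elevated PowerShell session, with a read-back of the property and a request to the page so you know the setting took effect before relying on it. This is an added example, not from the Citrix guide; it assumes the ADFS module is available on the AD FS host (it is installed with the role) and uses $adfsHost as a placeholder for your Federation Service Name.

```powershell
# Added example (not part of the Citrix guide): enable the IdP-initiated sign-on page
# for testing, confirm the setting took effect, and show how to turn it back off.
# Assumes an elevated PowerShell on the AD FS host with the ADFS module loaded.
$adfsHost = 'adfs2016.yourdomain.com'   # placeholder: your AD FS FQDN

# 1. Enable the page (the setting the guide enables; cmdlet names are case-insensitive).
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

# 2. Read the property back rather than assuming the call succeeded silently.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    throw 'IdP-initiated sign-on page is still disabled'
}

# 3. Confirm the page is actually served over the public FQDN. An HTTP 200 here means
#    AD FS is listening on that name with the certificate selected during configuration.
$url  = "https://$adfsHost/adfs/ls/idpinitiatedsignon.aspx"
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing
Write-Host "IdP-initiated sign-on page returned HTTP $($resp.StatusCode) at $url"

# 4. Once the relying-party trust is built and tested, return to the Server 2016 default.
#    The page is disabled by default because nothing in the ShareFile flow needs it.
# Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
```

If step 3 fails with a certificate error, the SSL certificate bound to the Federation Service Name does not match the FQDN in the browser, which is one of the prerequisites listed at the top of this guide.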


Export token-signing certificate

- Launch ‘AD FS Management’ console from ‘Server Manager’
- Expand ‘Service’
- Select ‘Certificates’
- Right click the ‘Primary’ Token-signing certificate. Select ‘View Certificate…’


- Select the ‘Details’ tab
- Click ‘Copy to File…’
- Click ‘Next’


- Select ‘Base-64 encoded X.509 (.CER)’ radio button.
- Click ‘Next’
- Click ‘Browse’
- Choose a location to export your token signing certificate.
- Name your soon-to-be exported token signing certificate.
- Click ‘Save’


- Click ‘Next’
- Click ‘Finish’


- Right click on exported token signing certificate
- Click ‘Open with…’
- Choose ‘Notepad’
- Copy the contents of your token-signing certificate


Configure ShareFile account

- Log in to your ShareFile account using your web browser
- Click ‘Settings’ on the left side panel
- Click ‘Admin Settings’
- Expand ‘Security’
- Click ‘Login & Security Policy’. Scroll to bottom of page.


- ShareFile Issuer / Entity ID: https://<subdomain>.sharefile.com/saml/info
- Your IDP Issuer / Entity ID: https://<adfs>.yourdomain.com
- X.509 Certificate: Paste contents of exported certificate from previous section
- Login URL: https://<adfs>.yourdomain.com/adfs/ls
- Enable Web Authentication: Yes (check marked)
- SP-Initiated Auth Context: User Name and Password – Minimum
- Save your changes.
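A scripted version of the two preceding sections (exporting the token-signing certificate and collecting the values for the ShareFile ‘Login & Security Policy’ page). This is an added example, not the Citrix guide's own procedure: it exports only the primary token-signing certificate in the same Base-64 X.509 format the wizard produces, records its thumbprint and expiry for rollover planning, and prints the Federation Service identifier AD FS actually places in the SAML Issuer element so you can compare it with the Entity ID you enter in ShareFile. $outFile and $shareFileSubdomain are placeholders.

```powershell
# Added example (not part of the Citrix guide): export the PRIMARY token-signing
# certificate as Base-64 X.509 and print the values ShareFile asks for.
# Assumes an elevated PowerShell on the AD FS host with the ADFS module loaded.
$outFile            = 'C:\temp\adfs-token-signing.cer'   # placeholder path
$shareFileSubdomain = 'subdomain'                         # placeholder ShareFile subdomain

# Only the primary token-signing certificate signs assertions today; a secondary one,
# if present, is the rollover candidate. Exporting the wrong one gives signature failures.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw 'No primary token-signing certificate found' }

# Export the public certificate only (X509ContentType::Cert). The relying party needs
# just the public half to verify assertion signatures; the private key stays in AD FS.
$cert = $signing.Certificate
$der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64  = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem  = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Thumbprint and expiry let you schedule the ShareFile-side update before AD FS rolls
# the certificate (AutoCertificateRollover is enabled by default on a new farm).
Write-Host "Exported primary token-signing certificate to $outFile"
Write-Host "  Thumbprint : $($cert.Thumbprint)"
Write-Host "  Not after  : $($cert.NotAfter)"

# Values to enter on the ShareFile 'Login & Security Policy' page.
$props = Get-AdfsProperties
Write-Host "ShareFile Issuer / Entity ID : https://$shareFileSubdomain.sharefile.com/saml/info"
Write-Host "Your IDP Issuer / Entity ID  : $($props.Identifier)  (the Issuer AD FS sends)"
Write-Host "Login URL                    : https://$($props.HostName)/adfs/ls"
Write-Host "X.509 Certificate            : paste the contents of $outFile"
```

The identifier line is the check worth keeping: ShareFile validates the Issuer in the SAML response against the IDP Issuer / Entity ID you save, so the two strings must match exactly, and the value AD FS reports from Get-AdfsProperties is the one it will send.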


Build service provider trust

- Launch ‘AD FS Management’ from ‘Server Manager’
- Select ‘Relying Party Trusts’
- Click ‘Add Relying Party Trust’


- Select ‘Claims aware’ radio button
- Click ‘Start’


- Type in your ShareFile account’s metadata URL. Example: https://<subdomain>.sharefile.com/saml/metadata
- You can also browse to this URL in your browser, copy the contents, and save as a .xml file if you would rather import the SAML metadata via a file. Additionally, you can type in this information manually by selecting the 3rd radio button.
- Click ‘Next’
- Click ‘Next >’


- Click ‘Next’
- Click ‘Close’


- Click ‘Add Rule…’
- Select ‘Send LDAP Attributes as Claims’ from drop down menu.
- Click ‘Next’


- Name your rule. I used “Email to Email”.
- Select ‘Active Directory’ from ‘Attribute store’ drop down menu
- Select ‘E-Mail Addresses’ under the first ‘LDAP Attribute’ drop down menu
- Select ‘E-Mail Address’ from first ‘Outgoing Claim Type’ drop down menu
- Click ‘Finish’


- Click ‘Add Rule…’


- Select ‘Transform an Incoming Claim’
- Click ‘Next’
- Name your rule. I used “Email NameID Email”
- Select ‘E-Mail Address’ for ‘Incoming claim type:’


- Select ‘Name ID’ for ‘Outgoing claim type:’
- Select ‘Email’ for ‘Outgoing name ID format:’
- Click ‘Apply’
- Click ‘OK’
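The whole ‘Build service provider trust’ section as one PowerShell script, for rebuilding the trust reproducibly or checking what the wizard produced. This is an added example and not the guide's own procedure: it creates the relying-party trust from the ShareFile metadata URL and installs the two claim rules the wizard steps generate (‘Email to Email’ as an LDAP-attribute rule and ‘Email NameID Email’ as a transform rule), written in the claim-rule language AD FS uses internally. It assumes AD FS on Windows Server 2016, where Add-AdfsRelyingPartyTrust accepts -AccessControlPolicyName, and $shareFileSubdomain is a placeholder.

```powershell
# Added example (not part of the Citrix guide): build the ShareFile relying-party trust
# and its two claim rules with the ADFS PowerShell module instead of the GUI wizard.
# Assumes an elevated PowerShell on an AD FS 2016 host.
$shareFileSubdomain = 'subdomain'   # placeholder ShareFile subdomain
$metadataUrl        = "https://$shareFileSubdomain.sharefile.com/saml/metadata"
$trustName          = 'ShareFile'

# Same rule language the wizard writes. Rule 1 looks up the AD 'mail' attribute for the
# authenticated Windows account; rule 2 re-issues it as the SAML NameID in email format,
# which is the value ShareFile matches against its own user list.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email to Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email NameID Email"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Import the SP metadata over HTTPS (identifier and assertion consumer endpoint come
# from it). Monitoring keeps the trust in sync if ShareFile republishes its metadata.
# 'Permit everyone' mirrors the wizard's default access control policy; tighten it to a
# group-scoped policy once the login works.
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true `
        -AccessControlPolicyName 'Permit everyone'
}
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $rules

# Read the trust back and confirm the pieces the ShareFile login depends on.
$trust = Get-AdfsRelyingPartyTrust -Name $trustName
Write-Host "Identifier(s) : $($trust.Identifier -join ', ')"
Write-Host "SAML endpoints: $(($trust.SamlEndpoints | ForEach-Object { $_.Location }) -join ', ')"
if ($trust.IssuanceTransformRules -notmatch 'nameid-format:emailAddress') {
    throw 'NameID rule missing: ShareFile matches users by e-mail address'
}
```

Keeping the rules in a script also makes the trust auditable: a diff of the IssuanceTransformRules text shows any later change to what AD FS releases to ShareFile, which the GUI does not make visible.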

Test your configuration

Browse to your ShareFile account’s SAML login URL, https://<subdomain>.sharefile.com/saml/login. You should be redirected to your AD FS host and challenged for credentials. Sign in using credentials associated with the domain your AD FS host is providing federation services for. The email address of your AD user must match the email address of a user in ShareFile. If the credentials you provide to AD FS are correct, and your email address matches a ShareFile user, you will be signed in to the ShareFile account associated with your email.
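A way to check the first hop of that test without typing credentials, useful when the redirect lands somewhere unexpected. This is an added example, not part of the Citrix guide: it requests the ShareFile SAML login URL with redirects disabled and inspects the Location header, then lists recent AD FS errors for a sign-in attempt made in the browser. It assumes Windows PowerShell 5.1 (where -MaximumRedirection 0 surfaces the 302 as an exception with the response attached), that ShareFile uses the HTTP-Redirect binding (SAMLRequest in the query string), and placeholders for the subdomain and AD FS host.

```powershell
# Added example (not part of the Citrix guide): verify the SP-initiated redirect from
# ShareFile to AD FS, then surface AD FS-side errors from the Admin log.
$shareFileSubdomain = 'subdomain'               # placeholder
$adfsHost           = 'adfs2016.yourdomain.com' # placeholder

$loginUrl = "https://$shareFileSubdomain.sharefile.com/saml/login"
$location = $null
try {
    $r = Invoke-WebRequest -Uri $loginUrl -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    $location = $r.Headers['Location']
} catch {
    # PS 5.1 reports the stopped redirect as an error; the 302 response is still attached.
    if ($_.Exception.Response) { $location = $_.Exception.Response.Headers['Location'] }
}

if (-not $location) {
    throw "No redirect from $loginUrl; check that 'Enable Web Authentication' is saved in ShareFile"
}
$target = [Uri]$location
Write-Host "Redirected to: $($target.Host)$($target.AbsolutePath)"

# The three properties that matter: it goes to YOUR AD FS host, over HTTPS, carrying a request.
if ($target.Host -ne $adfsHost)             { throw "Redirect goes to $($target.Host), not your AD FS host" }
if ($target.Scheme -ne 'https')             { throw 'Redirect is not HTTPS' }
if ($target.Query -notmatch 'SAMLRequest=') { throw 'Redirect carries no SAMLRequest; the Login URL in ShareFile may be wrong' }

# After a real sign-in attempt in the browser, claim-rule and trust problems show up here
# (for example a user with no 'mail' attribute, which leaves the NameID empty).
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 10 |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message
```

If the redirect checks pass but the browser test still fails after AD FS accepts the password, the mismatch is almost always on the identity side: the AD user's e-mail attribute is empty or differs from the ShareFile user's address, exactly the condition the paragraph above calls out.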