www.egnyte.com

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

www.egnyte.com 2015 by Egnyte Inc. All rights reserved. Revised September, 2015

To set up ADFS so that your employees can access Egnyte using their ADFS credentials, follow the steps below.

1. Adding Egnyte as a Relying Party Trust within ADFS
2. Configuring ADFS within Egnyte

We support ADFS integration for customers running Windows Server 2008, 2008 R2, and Windows Server 2012. If you are running 2008 R2, please note that you will need to install Windows Server 2008 Rollup Patch 2 before attempting the steps below. This rollup patch requires a reboot.

Adding Egnyte as a Relying Party Trust within ADFS

1. From the right-hand Actions pane of the ADFS 2.0 Management screen, select the Add Relying Party Trust option.

2. Select Start.

3. Once in the Select Data Source screen, select the option labeled "Enter data about the relying party manually" and click Next.

4. At the Specify Display Name screen, give the Relying Party Trust a descriptive and unique name (we suggest "Egnyte SSO"), and click Next.

5. At the Choose Profile screen, select the AD FS 2.0 profile option to enable SAML 2.0 authentication and click Next.

6. Just click Next when you get to the Configure Certificate screen; there's nothing you need to do here.

7. At the Configure URL screen, check the box labeled "Enable support for the SAML 2.0 WebSSO protocol", and enter your SAML 2.0 SSO service URL. This URL is unique to your company, and is expressed in all lower case letters:

   https://<your-custom-subdomain>.egnyte.com/samlconsumer/adfs

   For example, if your Egnyte account domain was acme, the URL would be:

   https://acme.egnyte.com/samlconsumer/adfs

   Once this is entered, click Next.

8. At the Configure Identifiers screen, add a Relying party trust identifier. Type in:

   https://saml-auth.egnyte.com

   Once you've typed in this identifier, click the Add button. The identifier will appear in the list of Relying party trust identifiers below. Click Next to move on.

9. At the Choose Issuance Authorization Rules screen, you may choose to have ADFS allow all domain users access by default, or none. This decision is up to you, but we recommend that you leave "Permit all users to access this relying party" selected initially while you continue the setup process. When you have made your selection, click Next.

10. At the Ready to Add Trust screen, you have the opportunity to review the selections you've made in the previous screens. If you are satisfied, click Next.

11. At the Finish screen, check the box next to the option "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes", then click Close.

12. In the Edit Claim Rules dialog, click the button labeled Add Rule.

13. At the Choose Rule Type screen, you'll be prompted to select a Claim rule template. Preserve the default value ("Send LDAP Attributes as Claims"), and click Next.

14. At the Configure Claim Rule screen, you'll be prompted for a rule name, an attribute store, and a set of LDAP attributes.

   An appropriate claim rule name would be something like "Send Email Address" or "Send User Name". For an Attribute store, select Active Directory (assuming that Active Directory is what you're using for authentication).

   Below this option you will see a table with two columns, one labeled LDAP Attribute and the other Outgoing Claim Type.

   If you selected "Send User Name" as the Claim Rule Name: in the first row, select an LDAP attribute of SAM-Account-Name and an outgoing claim type of Name ID. When this is done, click Finish.

   If you selected "Send Email Address" as the Claim Rule Name: in the first row, select an LDAP attribute of E-Mail-Addresses and an outgoing claim type of Name ID. When this is done, click Finish.

15. At this point, all of the claim rules needed are in place; click OK to exit the claim rules dialog and return to the ADFS Management console.

Configuring ADFS within Egnyte

16. Click on Settings > External Authentication > SAML (SSO).

17. Check the "Enable SAML (SSO)" check box.
18. In the IdP Name field, enter adfs (in lowercase).

19. In the IdP Account Name field, type your Egnyte domain name.

20. In the IdP target URL field, type the following:

   https://<your ADFS server name>/adfs/ls/

21. In the IdP Issuer URL field, type the following:

   http://<your ADFS server name>/adfs/services/trust

22. Paste the public key from your federation metadata file (it should be your service communication certificate) into the field marked SAML Certificate. Be sure to remove the BEGIN and END delimiter lines, so that only the base64 body of the certificate is pasted.

23. In the Default User Mapping, select Egnyte username or email address, depending on which LDAP attribute you mapped to Name ID in the claim rule you configured above (Send User Name or Send Email Address).

Once you click Save, your ADFS settings will be applied and your users will be able to log in to your domain with their ADFS credentials.
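The three IdP-side values above (issuer URL, target URL and the certificate without its BEGIN/END lines) can all be read out of the ADFS federation metadata file rather than transcribed by hand. The following is an added example, not Egnyte's or Microsoft's code; it assumes the certificate to paste is the one published under the IDPSSODescriptor's signing KeyDescriptor, and the host name and certificate bytes in the embedded sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the certificate bytes (not a real certificate).
FAKE_CERT_B64 = base64.b64encode(b"constructed DER bytes, not a real certificate").decode()

# Constructed sample metadata in the shape ADFS publishes; the host name is a
# placeholder, and the base64 body is wrapped over lines the way ADFS emits it.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {FAKE_CERT_B64[:24]}
          {FAKE_CERT_B64[24:]}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_pem_delimiters(text: str) -> str:
    """Return the bare base64 body (BEGIN/END lines and whitespace removed),
    which is what the SAML Certificate field expects; reject a mangled paste."""
    lines = (ln.strip() for ln in text.splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises on non-base64 characters
    return body


def read_idp_settings(metadata_xml: str, adfs_host: str) -> dict:
    """Map metadata to the Egnyte fields; fail if the entityID is not the
    http://<adfs host>/adfs/services/trust issuer this guide expects."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    expected = f"http://{adfs_host}/adfs/services/trust"
    if issuer != expected:
        raise ValueError(f"entityID {issuer!r} is not {expected!r}")
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("metadata has no signing certificate")
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService"
                    "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", NS)
    return {"idp_issuer_url": issuer,
            "idp_target_url": sso.get("Location") if sso is not None else None,
            "saml_certificate": strip_pem_delimiters(cert.text)}
```

Run it against the metadata ADFS serves at /FederationMetadata/2007-06/FederationMetadata.xml and the returned dictionary holds exactly what steps 20 to 22 ask for.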