This guide walks you through setting up SSO for Egnyte using ADFS. Egnyte supports ADFS integration for customers running Windows Server 2008, 2008 R2, and Windows Server 2012. If you are running 2008 R2, note that you will need to install the AD FS 2.0 Update Rollup 2 patch first.
Add Egnyte as a Relying Party Trust within ADFS
1. From the right-hand "Actions" pane of the ADFS 2.0 Management screen, select the "Add Relying Party Trust" option.
2. Select "Start".
3. On the "Select Data Source" screen, select the option labeled "Enter data about the relying party manually" and click "Next".
4. On the "Specify Display Name" screen, give the Relying Party Trust a descriptive and unique name (we suggest "Egnyte SSO") and click "Next".
5. On the "Choose Profile" screen, select the "AD FS 2.0 profile" option to enable SAML 2.0 authentication and click "Next".
6. Continue to the "Configure URL" screen. Check the box labeled "Enable support for the SAML 2.0 WebSSO protocol" and enter your SAML 2.0 SSO service URL.
This URL is unique to your company, is written entirely in lower case, and is the Assertion Consumer Service endpoint to which ADFS will POST the SAML assertion: https://<your-custom-subdomain>.egnyte.com/samlconsumer/adfs
7. On the "Configure Identifiers" screen, add a "Relying party trust identifier". Type in: https://saml-auth.egnyte.com
Click the Add button. The identifier will appear in the list of party trust identifiers below.
8. On the "Choose Issuance Authorization Rules" screen, you may choose to have ADFS allow all domain users access by default, or none. This decision is up to you, but we recommend that you leave "Permit all users to access this relying party" selected initially while you continue the setup process. Bear in mind that with this rule every AD account that has the mapped attribute can authenticate to Egnyte, so revisit the authorization rules (for example, restrict to a security group) once sign-in is working.
9. On the "Ready to Add Trust" screen, you have the opportunity to review the selections you made in the previous screens. If you are satisfied, click "Next".
10. On the "Finish" screen, check the box next to the option to "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes".
11. In the "Edit Claim Rules" dialog, click the button labeled "Add Rule".
12. On the "Choose Rule Type" screen, you will be prompted to select a "Claim rule template". Preserve the default value, "Send LDAP Attributes as Claims".
13. On the "Configure Claim Rule" screen you will be prompted for a rule name, an attribute store, and a set of LDAP attributes.
An appropriate claim rule name would be something like "Send Email Address" or "Send User Name". The name is only a label; what matters is the attribute you map below.
For an "Attribute store", select "Active Directory".
Below this option you will see a table with two columns, one labeled "LDAP Attribute" and the other "Outgoing Claim Type". Only one row is needed. The value that arrives at Egnyte as "Name ID" is what Egnyte matches against its user records, so it must equal the user's Egnyte username or email address exactly.
If you named the rule "Send User Name": in the first row, select the LDAP attribute "SAM-Account-Name" and the outgoing claim type "Name ID".
If you named the rule "Send Email Address": in the first row, select the LDAP attribute "E-Mail-Addresses" and the outgoing claim type "Name ID".
14. Click "Finish" to add the rule. This single rule is all Egnyte needs; click "OK" to exit the claim rules dialog.
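The same relying party trust and claim rule can be created from PowerShell instead of the wizard, which is easier to review and to repeat on a second federation server. The script below is an added example and is not part of the Egnyte guide; it assumes the AD FS module on Windows Server 2012 (on 2008 R2 with AD FS 2.0, run Add-PSSnapin Microsoft.Adfs.PowerShell first, the cmdlet names are the same), and the subdomain "acme" is a placeholder for your own.

```powershell
# Added example, not from the Egnyte guide.
# Assumes the AD FS PowerShell cmdlets are available and you are an AD FS administrator.
$subdomain = "acme"                                             # placeholder for your Egnyte subdomain
$acsUrl    = "https://$subdomain.egnyte.com/samlconsumer/adfs"  # SAML 2.0 SSO service URL (step 6)
$rpId      = "https://saml-auth.egnyte.com"                     # relying party trust identifier (step 7)

# Step 13: "Send LDAP Attributes as Claims", mail -> Name ID.
# To send the user name instead, change the query to ";sAMAccountName;{0}".
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Step 8: "Permit all users to access this relying party". Tighten this later.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 6: SAML 2.0 WebSSO assertion consumer endpoint, HTTP-POST binding.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Steps 4-10 in one call.
Add-AdfsRelyingPartyTrust -Name "Egnyte SSO" `
    -Identifier $rpId `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Check what was created before testing a login.
Get-AdfsRelyingPartyTrust -Name "Egnyte SSO" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

The claim rule text is exactly what the wizard generates for the "Send LDAP Attributes as Claims" template, so you can paste it into the rule editor's custom-rule view to compare against a trust built by hand.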
Configure ADFS within Egnyte
1. Navigate to "Settings" --> "Security & Authentication" --> "Single Sign-On Authentication".
2. Select "SAML 2.0".
Fill out the SAML (SSO) section as follows:
- Identity provider login URL: https://<your ADFS server name>/adfs/ls/
- Identity provider entity ID: http://<your ADFS server name>/adfs/services/trust (note the http scheme; this is the default AD FS federation service identifier, and it must match the Issuer that ADFS places in its assertions character for character)
- Identity provider certificate: paste your token-signing certificate. In the federation metadata file (https://<your ADFS server name>/FederationMetadata/2007-06/FederationMetadata.xml) this is the base64 X509Certificate value inside the KeyDescriptor element with use="signing". If you export the certificate as a PEM file instead, remove the BEGIN and END delimiter lines and keep only the base64 body. ADFS rotates this certificate automatically by default (AutoCertificateRollover), so update this field when the certificate rolls or logins will fail.
- Default user mapping: select Egnyte username or email address to match the LDAP attribute you mapped to Name ID in the claim rule (SAM-Account-Name or E-Mail-Addresses respectively).
- Click "Save" and your ADFS settings will be successfully applied and your users will be able to log into your domain with their ADFS credentials.
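The three identity provider values above can be read straight from the federation server rather than retyped, and the pasted certificate can be checked against what the published metadata advertises. This is an added example, not part of the Egnyte guide; it assumes the AD FS PowerShell cmdlets are available on the federation server, that the server's published metadata is reachable from where you run it, and that your Egnyte username or email address matching is handled by the claim rule configured earlier.

```powershell
# Added example, not from the Egnyte guide.
# Assumes the AD FS cmdlets are available and you are running as an AD FS administrator.
$props = Get-AdfsProperties
$fqdn  = $props.HostName

$loginUrl = "https://$fqdn/adfs/ls/"
$entityId = $props.Identifier      # http://<server>/adfs/services/trust by default (http, not https)

# The primary token-signing certificate is the one that signs assertions today.
# AD FS may also hold a secondary one staged for rollover; Egnyte needs the primary.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate

# Egnyte wants the certificate without BEGIN/END lines: base64 of the DER bytes is exactly that.
$certBody = [Convert]::ToBase64String($cert.RawData)

# Cross-check against the published federation metadata: the signing KeyDescriptor
# must carry the same certificate, otherwise you exported the wrong one.
$metaUrl = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$published = $meta.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { ($_.KeyInfo.X509Data.X509Certificate -replace '\s', '') }

$matchesMetadata = $published -contains $certBody

[pscustomobject]@{
    'Identity provider login URL' = $loginUrl
    'Identity provider entity ID' = $entityId
    'Token-signing thumbprint'    = $cert.Thumbprint
    'Token-signing expires'       = $cert.NotAfter
    'AutoCertificateRollover'     = $props.AutoCertificateRollover
    'Matches published metadata'  = $matchesMetadata
} | Format-List

if (-not $matchesMetadata) {
    Write-Warning "Primary token-signing certificate is not in the published metadata; do not paste it into Egnyte yet."
}

# Paste this value into the "Identity provider certificate" field.
$certBody
```

Record the thumbprint and expiry alongside the Egnyte configuration; when AutoCertificateRollover promotes the secondary certificate, re-run the script and paste the new value into Egnyte before the old certificate is retired.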