Egnyte Help Desk

Active Directory Federation Services Installation Guide

Introduction

This guide walks you through setting up SSO for Egnyte using ADFS.  Egnyte supports ADFS integration for customers running Windows Server 2008, 2008 R2, and Windows Server 2012.  If you are running Windows Server 2008 R2, note that you will need to install Windows Server 2008 Rollup Patch 2 first.

Add Egnyte as a Relying Party Trust within ADFS

Extracting the Public Key from the Identity Provider Certificate

Configure ADFS within Egnyte

 

Add Egnyte as a Relying Party Trust within ADFS

*This configuration was done on a Windows Server 2012 R2 server; dialog names may differ slightly on other versions.

1. To begin, open AD FS Management from the Windows Start Menu > Administrative Tools > AD FS Management.

adfs1.png

 

2. From the right-hand "Actions" pane of the AD FS Management screen, select "Add Relying Party Trust".

adfs2.png

3. Select "Start".

adfs3.png

4. On the "Select Data Source" screen, select the option labeled "Enter data about the relying party manually" and click "Next".

adfs4.png

5. On the "Specify Display Name" screen, give the Relying Party Trust a descriptive and unique name (we suggest "Egnyte SSO") and click "Next".

adfs5.png

6. On the "Choose Profile" screen, select the "AD FS 2.0 profile" option to enable SAML 2.0 authentication and click "Next".

adfs6.png

*Note: You may skip the next page, "Configure Certificate" (the optional token encryption certificate); Egnyte does not require encrypted assertions for this setup.

7. Continue to the "Configure URL" screen.  Check the box labeled "Enable support for the SAML 2.0 WebSSO protocol" and enter your SAML 2.0 SSO service URL.

This URL is unique to your Egnyte domain and must be entered entirely in lower case: https://<your-custom-subdomain>.egnyte.com/samlconsumer/adfs

*Note: Make sure "/adfs" is all lower-case.  Egnyte matches the path exactly, so "/ADFS" or "/Adfs" will cause the SAML response to be rejected.

adfs7.png

8. On the "Configure Identifiers" screen, (1) add a "Relying party trust identifier".  Type in: https://<your-custom-subdomain>.egnyte.com

adfs8.png

Click the (2) "Add" button.  The identifier appears in the list of relying party trust identifiers below.

adfs9.png

9. On the "Choose Issuance Authorization Rules" screen, you may have ADFS allow all domain users access by default, or none.  This decision is up to you, but we recommend leaving "Permit all users to access this relying party" selected while you complete and test the setup.  Once SSO logins work, come back to this trust's Issuance Authorization Rules and restrict access to the group of users licensed for Egnyte.

adfs10.png

10. On the "Ready to Add Trust" screen, you have the opportunity to review the selections you made in the previous screens.  If you are satisfied, click "Next".

adfs11.png

11. On the "Finish" screen, check the box next to "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes".

adfs12.png

12. In the "Edit Claim Rules" dialog, click the button labeled "Add Rule".

adfs13.png

13. On the "Choose Rule Type" screen, you will be prompted to select a "Claim rule template".  Keep the default, "Send LDAP Attributes as Claims".

adfs14.png

14. On the "Configure Claim Rule" screen you will be prompted for a rule name, an attribute store, and a set of LDAP attributes.

adfs15.png

- (1) Give the rule a descriptive name, such as "Send Email Address" or "Send User Name", that matches the attribute you will send.

adfs16.png

- (2) For an "Attribute store", select "Active Directory".

adfs17.png

Below this option, you will see a table with two columns, one labeled "LDAP Attribute" and the other "Outgoing Claim Type".

- If you named the rule "Send User Name": In the first row, select an (3) LDAP attribute of "SAM-Account-Name" and an (4) outgoing claim type of "Name ID".

adfs18.png

- If you named the rule "Send Email Address": In the first row, select an (3) LDAP attribute of "Email Address" and an (4) outgoing claim type of "Name ID".

adfs19.png

*Note: For the email address mapping, the value sent to Egnyte is the user's UPN (User Principal Name), not the "E-mail" field on the AD user account.  Users' Egnyte email addresses must therefore match their UPNs.

15. All of the necessary claim rules are now in place.  Click "Finish" to exit the claim rules dialog.
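The trust built in steps 1 to 15 can also be created from PowerShell on the ADFS server, which is handy for a second farm or for keeping the configuration in version control. The following is an added example, not Egnyte's or Microsoft's code; it assumes the Egnyte subdomain is "acme", the trust is named "Egnyte SSO", and the ADFS PowerShell module (Windows Server 2012 R2 or later) is available. The two here-strings are the claim rule language that the "Send LDAP Attributes as Claims" and "Permit all users" templates generate.

```powershell
# Added example: creates the "Egnyte SSO" relying party trust without the wizard.
# Assumptions (not from the Egnyte guide): subdomain "acme", trust named
# "Egnyte SSO", users mapped by email (UPN). Run elevated on the ADFS server.
Import-Module ADFS

$EgnyteDomain = 'acme'                                   # assumed <your-custom-subdomain>
$Identifier   = "https://$EgnyteDomain.egnyte.com"       # step 8
# Step 7: the consumer path must be lower-case; Egnyte matches it exactly.
$AcsUrl       = "https://$EgnyteDomain.egnyte.com/samlconsumer/adfs".ToLowerInvariant()

# Step 14 as claim rule language. Egnyte's "email" mapping is fed by the UPN;
# use query = ";sAMAccountName;{0}" instead to map by Egnyte username.
$NameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Step 9: permit everyone while testing; tighten to a group once logins work.
$PermitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Having a SAMLAssertionConsumer endpoint is what "Enable support for the
# SAML 2.0 WebSSO protocol" sets in the wizard.
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Egnyte SSO' `
    -Identifier $Identifier `
    -SamlEndpoint $Acs `
    -IssuanceTransformRules $NameIdRule `
    -IssuanceAuthorizationRules $PermitAll

# Show the result so it can be compared with the wizard screens above.
Get-AdfsRelyingPartyTrust -Name 'Egnyte SSO' |
    Select-Object Name, Identifier,
        @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } },
        IssuanceTransformRules
```

On AD FS 2.0 (Windows Server 2008 R2) the same cmdlets come from `Add-PSSnapin Microsoft.Adfs.PowerShell` rather than `Import-Module ADFS`. When SSO has been verified, replace the permit-all rule with `Set-AdfsRelyingPartyTrust -TargetName 'Egnyte SSO' -IssuanceAuthorizationRules` and a rule that permits only the AD group licensed for Egnyte.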

 

Extracting the Public Key from the Identity Provider Certificate

Note: You will need the public key from the token-signing certificate when you configure ADFS within Egnyte.  This is the certificate ADFS uses to sign SAML responses, so Egnyte must hold a copy to verify them.

1. The token-signing certificate is located in the AD FS Management window under AD FS -> Service -> (1) Certificates -> (2) Token-Signing:

adfs20.png

2. (3) Click "View Certificate", go to the (4) "Details" tab and (5) select "Copy to File", which opens the "Certificate Export Wizard".

adfs21.png

adfs22.png

3.  Continue to the "Export File Format" page and select (6) "Base-64 encoded X.509 (.CER)".  This format contains only the public certificate, never the private key.

adfs23.png

4.  Finish the "Certificate Export Wizard" and locate the exported file.  Open it in a text editor; you should see a "-----BEGIN CERTIFICATE-----" line, several lines of Base-64 text, and an "-----END CERTIFICATE-----" line, as shown below.

adfs24.png

5.  Copy the Base-64 text between the BEGIN and END lines (not the lines themselves) and paste it into the "Identity Provider Certificate" field when you configure ADFS within Egnyte.
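The same value can be produced on the ADFS server in exactly the form the Egnyte field expects, and checked against the certificate ADFS publishes in its federation metadata (the file the next section's step 4d refers to). This is an added example, not Egnyte's code; it assumes the federation service hostname is sts.contoso.com and writes the .CER copy to the current user's desktop.

```powershell
# Added example: exports the primary token-signing certificate as the bare
# Base-64 body Egnyte wants and verifies it is the one in federation metadata.
# Assumption (not from the guide): ADFS is reachable at sts.contoso.com.
Import-Module ADFS

$Primary = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$Cert = $Primary.Certificate                          # X509Certificate2
$Body = [Convert]::ToBase64String($Cert.RawData)      # == text between BEGIN/END

# Equivalent of the wizard's "Base-64 encoded X.509 (.CER)" export.
$Lines = $Body -split '(.{64})' | Where-Object { $_ }
$Pem = "-----BEGIN CERTIFICATE-----`r`n" + ($Lines -join "`r`n") + "`r`n-----END CERTIFICATE-----"
Set-Content -Path "$env:USERPROFILE\Desktop\adfs-token-signing.cer" -Value $Pem -Encoding Ascii

# Cross-check: the signing KeyDescriptor in federation metadata must carry
# the same certificate, otherwise Egnyte will reject signed responses.
$FsHost = 'sts.contoso.com'
$Resp = Invoke-WebRequest -UseBasicParsing -Uri "https://$FsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$Xml = [xml]$Resp.Content
$Published = $Xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate -replace '\s', '' }

if ($Published -contains $Body) {
    Write-Host 'Primary token-signing certificate matches federation metadata.'
} else {
    Write-Warning 'Exported certificate is not published in metadata; check which certificate is primary.'
}

# Egnyte must be updated when this certificate is rolled over.
$Cert | Select-Object Thumbprint, NotBefore, NotAfter, Subject
Write-Output $Body
```

Check `(Get-AdfsProperties).AutoCertificateRollover` as well: when it is true (the default), ADFS generates a new token-signing certificate before the current one expires, and the value pasted into Egnyte has to be replaced at that point or SSO logins will start failing.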

 

Configure ADFS within Egnyte

1. Using an administrator account, log in to your cloud domain, https://<your-custom-subdomain>.egnyte.com.

2. Navigate to "Settings" -> (1) "Configuration" -> (2) "Security & Authentication" and scroll down to (3) "Single Sign-On Authentication".

adfs25.png

 adfs26.png

 3. Select "SAML 2.0".

4. Fill out the SAML (SSO) section as follows.

adfs29.png

a. Identity Provider: adfs

b. Identity provider login URL: https://<your ADFS External URL>/adfs/ls/

c. Identity provider entity ID: http://<your ADFS External URL>/adfs/services/trust.  Note the http:// scheme: this is the default Federation Service identifier ADFS reports (shown under Edit Federation Service Properties), and it must be copied exactly, since Egnyte compares it against the Issuer in the SAML response.

d. Identity provider certificate: Paste the Base-64 body of your token-signing certificate (the same value appears under the signing KeyDescriptor in your federation metadata file).  Be sure to remove the BEGIN and END delimiter lines.  (Refer to the previous section, "Extracting the Public Key from the Identity Provider Certificate".)

adfs30.png

e. Default user mapping: Select Egnyte username or email address to match the LDAP attribute you chose for the Name ID claim (SAM-Account-Name for username, Email Address/UPN for email).

f. Enable “Domain-Specific Issuer Value”.

g. Click "Save".  Your ADFS settings are applied and your users can log in to your domain with their ADFS credentials.
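Before filling in the form, the values for steps 4b to 4e can be read from the ADFS server itself and the relying party trust checked for the mistakes that show up only as failed logins (an upper-case path in the consumer URL, a wrong identifier, no Name ID claim). This is an added example, not Egnyte's code; it assumes the trust is named "Egnyte SSO" and the Egnyte subdomain is "acme".

```powershell
# Added example: gathers the Egnyte form values from ADFS and sanity-checks
# the trust. Assumptions (not from the guide): trust "Egnyte SSO", subdomain "acme".
Import-Module ADFS

$EgnyteDomain = 'acme'
$Props = Get-AdfsProperties
$Trust = Get-AdfsRelyingPartyTrust -Name 'Egnyte SSO'
if (-not $Trust) { throw "Relying party trust 'Egnyte SSO' not found." }

$NameIdType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$ExpectedAcs = "https://$EgnyteDomain.egnyte.com/samlconsumer/adfs"
$AcsEndpoint = $Trust.SamlEndpoints |
    Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' } |
    Select-Object -First 1
$Acs = if ($AcsEndpoint) { $AcsEndpoint.Location.AbsoluteUri } else { '' }

# Case-sensitive comparison: "/ADFS" would pass a -ne check but fail at Egnyte.
$Problems = @()
if ($Acs -cne $ExpectedAcs) {
    $Problems += "ACS URL is '$Acs'; expected '$ExpectedAcs' (path must be lower-case)."
}
if ($Trust.Identifier -notcontains "https://$EgnyteDomain.egnyte.com") {
    $Problems += "Relying party identifier list lacks https://$EgnyteDomain.egnyte.com."
}
if ($Trust.IssuanceTransformRules -notmatch [regex]::Escape($NameIdType)) {
    $Problems += 'No claim rule issues Name ID; Egnyte cannot match the user.'
}
if ($Trust.IssuanceAuthorizationRules -match 'AllowAllAuthzRule') {
    Write-Warning 'Authorization still permits all users; restrict it to a group once SSO is verified.'
}
$Problems | ForEach-Object { Write-Warning $_ }

# Which Egnyte user mapping the claim rule implies (step 4e).
$Mapping = if ($Trust.IssuanceTransformRules -match 'userPrincipalName') { 'email address' } else { 'username' }

# Values for the "Single Sign-On Authentication" form (steps 4a-4e).
[ordered]@{
    'Identity provider'           = 'adfs'
    'Identity provider login URL' = "https://$($Props.HostName)/adfs/ls/"
    'Identity provider entity ID' = $Props.Identifier.AbsoluteUri   # http:// by default; copy exactly
    'Default user mapping'        = $Mapping
}
```

The entity ID is taken from `Get-AdfsProperties` rather than typed by hand because ADFS issues it verbatim as the SAML Issuer; a hand-typed https:// variant looks reasonable but will not match.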
