This guide will walk you through how to set up SSO for Egnyte using ADFS. Egnyte supports ADFS integration for customers running Windows Server 2008, 2008 R2, and Windows Server 2012. If you are running 2008 R2, please note that you will need to install Windows Server 2008 Rollup Patch 2 first.
Add Egnyte as a Relying Party Trust within ADFS
*This configuration is done using a Windows 2012 R2 server
1. To begin, open the AD FS Management by going to the Windows Start Menu > Administrative Tools > AD FS Management.
2. From the right-hand "Actions" pane of the ADFS 2.0 Management screen, select the "Add Relying Party Trust" option.
3. Select "Start".
4. On the "Select Data Source" screen, select the option labeled "Enter data about the relying party manually" and click "Next".
5. On the "Specify Display Name" screen, give the Relying Party Trust a descriptive and unique name (we suggest "Egnyte SSO") and click "Next".
6. On the "Choose Profile" screen, select the "AD FS 2.0 profile" option to enable SAML 2.0 authentication and click "Next".
*Note: You may also skip the next page regarding the “Optional Token Encryption Certificate.”
7. Continue to the "Configure URL" screen. Check the box labeled "Enable support for the SAML 2.0 WebSSO protocol" and enter your SAML 2.0 SSO service URL.
This URL is unique to your Egnyte domain and is expressed in all lower case as follows: https://<your-custom-subdomain>.egnyte.com/samlconsumer/adfs
*Note: Please ensure that “/adfs” is all lower-case!
8. On the "Configure Identifiers" screen, (1) add a "Relying party trust identifier" by typing https://<your-domain>.egnyte.com, then (2) click the "Add" button. The identifier will appear in the list of relying party trust identifiers below.
9. On the "Choose Issuance Authorization Rules" screen, you may choose to have ADFS allow all domain users access by default, or none. This decision is up to you, but we recommend that you leave "Permit all users to access this relying party" selected initially while you continue the setup process.
10. On the "Ready to Add Trust" screen, you have the opportunity to review the selections you made in the previous screens. If you are satisfied, click "Next".
11. On the "Finish" screen, check the box next to the option "Open the Edit Claim Rules dialog for this relying party trust when the wizard closes".
12. In the "Edit Claim Rules" dialog, click the button labeled "Add Rule".
13. On the "Choose Rule Type" screen, you will be prompted to select a "Claim rule template". Preserve the default value, "Send LDAP Attributes as Claims".
14. On the "Configure Claim Rule" screen you will be prompted for a rule name, an attribute store, and a set of LDAP attributes.
- (1) An appropriate claim rule name would be something like "Send Email Address" or "Send User Name".
- (2) For "Attribute store", select "Active Directory".
Below this option, you will see a table with two columns, one labeled "LDAP Attribute" and the other "Outgoing Claim Type".
- If you entered "Send User Name" in the "Claim rule name" box: in the first row, select an (3) LDAP attribute of "SAM-Account-Name" and an (4) outgoing claim type of "Name ID".
- If you entered "Send Email Address" in the "Claim rule name" box: in the first row, select an (3) LDAP attribute of "Email Address" and an (4) outgoing claim type of "Name ID".
*Note: For "Email Address", this does not use the AD user account’s “Email Address” attribute but the UPN (User Principal Name).
15. All of the necessary claim rules are in place. Click "Finish" to exit the claim rules dialog.
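The same Relying Party Trust can be created from the AD FS PowerShell module instead of the wizard, which is handy for repeatable builds and for reviewing exactly what was configured. The script below is an added example, not part of the Egnyte guide or an Egnyte-supplied script; the Egnyte subdomain is a placeholder you must replace, and the claim rule shown is the "Send Email Address" variant, mapping the UPN to Name ID as the note in step 14 describes (swap in sAMAccountName for the "Send User Name" variant). Run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not from the Egnyte guide): build the Egnyte Relying Party Trust with the
# AD FS cmdlets instead of the wizard. Run elevated on the AD FS server.
Import-Module ADFS

# Placeholder: replace with your own Egnyte subdomain (steps 7 and 8 of the guide).
$egnyteDomain = "<your-custom-subdomain>.egnyte.com"

# Step 7: the SAML 2.0 WebSSO (assertion consumer) endpoint. The "/adfs" path must be lower-case.
$acsUrl = "https://$egnyteDomain/samlconsumer/adfs"
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Step 14: "Send LDAP Attributes as Claims" rule, written in the AD FS claim rule language.
# This variant issues userPrincipalName as the Name ID claim (the guide's "Email Address" mapping
# is matched on the UPN). For the "Send User Name" variant use ";sAMAccountName;{0}" instead.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Step 9: "Permit all users" while the setup is being verified. Replace with a group-based
# permit rule once login works, so that only the intended users can obtain an Egnyte token.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 5, 8 and 10: display name, relying party identifier, and the trust itself.
Add-AdfsRelyingPartyTrust -Name "Egnyte SSO" `
    -Identifier "https://$egnyteDomain" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: review what AD FS actually stored before pointing users at it.
Get-AdfsRelyingPartyTrust -Name "Egnyte SSO" |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

The final Get-AdfsRelyingPartyTrust call is the one worth keeping around: the identifier and endpoint URL it prints must match, character for character, what Egnyte is configured with, and the issuance authorization rules are where a later tightening from "permit all" to a specific AD group should show up.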
Extracting the Public Key from the Identity Provider Certificate
Note: You will need the public key from the Token-Signing certificate when you configure ADFS within Egnyte.
1. The Token-Signing certificate is located in the AD FS Management window under AD FS -> Service -> (1) Certificates -> (2) Token-Signing.
2. (3) Select “View the certificate”, navigate to the (4) “Details” tab, and (5) select “Copy to File”. This opens the “Certificate Export Wizard.”
3. Continue to the “Export File Format” page and select (6) “Base-64 encoded X.509 (.CER).”
4. Finish the “Certificate Export Wizard” and find the file location of the newly exported certificate. Open the file with a text editor; it contains a block of Base-64 text between a “BEGIN CERTIFICATE” line and an “END CERTIFICATE” line.
5. Copy the text between “BEGIN” and “END” and paste it into the Egnyte configuration for "Identity Provider Certificate" when you begin configuring ADFS within Egnyte.
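The export above can also be scripted, which avoids copy-and-paste mistakes with the delimiter lines and records the thumbprint you will need to recognise the certificate later. The script below is an added example, not part of the Egnyte guide; it reads the primary token-signing certificate with the AD FS cmdlets, writes both the .CER file and the delimiter-free Base-64 value the Egnyte form expects, and also prints the federation service identifier and host name that the next section asks for. The output paths are constructed for the example.

```powershell
# Added example (not from the Egnyte guide): export the primary AD FS token-signing certificate
# and produce the Base-64 body (no BEGIN/END lines) for the Egnyte "Identity provider certificate" field.
Import-Module ADFS

$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
if (-not $signing) { throw "No primary token-signing certificate found" }
$cert = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Record what was exported. The thumbprint is how you recognise this certificate later,
# e.g. when AutoCertificateRollover has issued a new one and the Egnyte side must be updated.
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"NotAfter:   $($cert.NotAfter)"

# Same bytes as the wizard's "Base-64 encoded X.509 (.CER)" export: DER, then Base-64.
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pemBody = [Convert]::ToBase64String($der)

# Full PEM file for the record (64-character lines between the delimiters, as the wizard writes it).
$lines = for ($i = 0; $i -lt $pemBody.Length; $i += 64) {
    $pemBody.Substring($i, [Math]::Min(64, $pemBody.Length - $i))
}
$pem = @("-----BEGIN CERTIFICATE-----") + $lines + @("-----END CERTIFICATE-----")

# Output paths are constructed for this example; adjust as needed.
$cerPath  = Join-Path $env:USERPROFILE "adfs-token-signing.cer"
$bodyPath = Join-Path $env:USERPROFILE "adfs-token-signing-egnyte.txt"
Set-Content -Path $cerPath  -Value $pem     -Encoding Ascii
Set-Content -Path $bodyPath -Value $pemBody -Encoding Ascii   # this is the value to paste into Egnyte

# Check: the delimiter-free value must decode back to the same certificate.
$roundTrip = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[Convert]::FromBase64String($pemBody))
if ($roundTrip.Thumbprint -ne $cert.Thumbprint) { throw "Base-64 body does not round-trip to the exported certificate" }

# Values for the Egnyte SAML form (entity ID and login URL are derived from the federation service).
$props = Get-AdfsProperties
"Identity provider entity ID:  $($props.Identifier)"
"Identity provider login URL:  https://$($props.HostName)/adfs/ls/"
```

Two things a practitioner should take from this. First, only the certificate (public key) leaves the server; the script never touches the private key, and the value pasted into Egnyte is not sensitive. Second, AD FS rotates the token-signing certificate automatically when AutoCertificateRollover is enabled, and Egnyte will reject assertions signed with the new certificate until the pasted value is replaced, so note the NotAfter date and compare thumbprints when logins start failing.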
Configure ADFS within Egnyte
1. Using an Administrator account, log in to your cloud domain, <yourdomain.egnyte.com>.
2. Navigate to "Settings" -> (1) “Configuration” -> (2) "Security & Authentication" -> Scroll down to (3) "Single Sign-On Authentication".
3. Select "SAML 2.0".
4. Fill out the SAML (SSO) section using the following instructions:
a. Identity Provider: adfs
b. Identity provider login URL: https://<your ADFS External URL>/adfs/ls/
c. Identity provider entity ID: http://<your ADFS External URL>/adfs/services/trust
d. Identity provider certificate: Paste the public key from the federation metadata file (it should be your token-signing certificate). Be sure to remove the BEGIN and END delimiter lines. (Please refer to the previous section, “Extracting the Public Key from the Identity Provider Certificate”.)
e. Default user mapping: Select Egnyte username or email address, matching the attribute you chose to send as the "Name ID" claim when you configured the claim rule.
f. Enable “Domain-Specific Issuer Value”.
g. Click "Save". Your ADFS settings are applied, and your users will be able to log in to your domain with their ADFS credentials.