This guide will walk you through how to set up SSO for Egnyte using Active Directory Federation Services (ADFS). Egnyte supports ADFS integration for customers running Windows Server 2008, 2008 R2, and Windows Server 2012. If you are running 2008 R2, please note that you will need to install Windows Server 2008 Rollup Patch 2 first.
Add Egnyte as a Relying Party Trust within ADFS2.0
Add Egnyte as a Relying Party Trust within ADFS3.0
Add Egnyte as a Relying Party Trust within ADFS4.0
Add Egnyte as a Relying Party Trust within ADFS2.0
This configuration is done using a Windows 2012 R2 server.
- To begin, open the AD FS Management by going to the Windows Start Menu, selecting Administrative Tools, and choosing AD FS Management.
- From the right-hand Actions pane of the ADFS 2.0 Management screen, select the Add Relying Party Trust option.
- Select Start.
- Select the option labeled Enter data about the relying party manually and click Next.
- Give the Relying Party Trust a descriptive and unique name (we suggest Egnyte SSO) and click Next.
- Select the AD FS 2.0 profile option to enable SAML 2.0 authentication and click Next.
You may skip the next page regarding the “Optional Token Encryption Certificate.”
- Continue to the Configure URL screen.
- Check the box labeled Enable support for the SAML 2.0 WebSSO protocol, enter your SAML 2.0 SSO service URL (template provided below), and click Next.
If your domain has been configured for SAML SSO before February 20th, 2019: https://<your-custom-subdomain>.egnyte.com/samlconsumer/adfs
Please ensure 'adfs' is in all lowercase.
If your domain has never been configured for SAML SSO: https://<your-custom-subdomain>.egnyte.com/samlconsumer/ - Add a Relying party trust identifier (1). Type in: https://<your-domain>.egnyte.com
Click the Add button (2). The identifier will appear in the list of party trust identifiers below. - Select I do not want to configure multi-factor authentication settings for this party trust at this time and click Next.
- You may choose to have ADFS allow all domain users access by default or none. This decision is up to you, but we recommend that you leave Permit all users to access this relying party selected initially while you continue the setup process.
- Review the selections you made in the previous screens. If you're satisfied, click Next.
- Check the box next to the option to Open the Edit Claim Rules dialog for this relying trust when the wizard close and select Close.
- In the Edit Claim Rules dialog, click the button labeled Add Rule.
- Set the Claim rule template as Send LDAP Attributes as Claims.
This may be the default option selected.
- On the Configure Claim Rule screen, you will be prompted for a rule name, an attribute store, and a set of LDAP attributes. You can see examples of these values below.
1) An appropriate claim rule name would be something like Send Email Address or Send User Name.
2) For an Attribute store, select Active Directory.
If you selected Send Username in the Claim Rule Name box: In the first row, select a (3) LDAP attribute of Sam-Account-Name and a (4) outgoing claim type of Name ID.
If you selected Send Email Address in the Claim Rule Name box: In the first row, select an (3) LDAP attribute of Email Address and an outgoing claim type of Name ID.
For Email Address; this does not use AD user account’s Email Address, but the UPN (User Principal Name).
- Click Finish to exit the claim rules dialog.
Extracting the Public Key from the Identity Provider Certificate
You will need the Public Key from the Token-Sign Certificate when you are configuring ADFS within Egnyte.
The Token-Sign Certificate will be located in your AD FS Management Window. Use the steps below to locate it.
- Click on Certificates (1), choose Token-Signing (2) from the list, and select View Certificate (3) from the Action menu.
- Navigate to the Details tab (4) and select Copy to File (5).
- You should see a Certificate Export Wizard dialog window appear (see below). Click Next.
- Select the Base-64 encoded X.509 (.CER) (6) option and click Next.
- Finish the Certificate Export Wizard and find the file location of the newly exported certificate. Open the file with a text editor, and you should see the following.
- Copy the text between Begin Certificate and End Certificate (not including dashes) and paste it into the Egnyte Configuration for Identity Provider Certificate when you begin configuring ADFS within Egnyte.
Configure ADFS within Egnyte
- Using an Administrator account, log into Egnyte.
- Navigate to Settings, select the Security & Authentication option, scroll down to Single Sign-On Authentication, and select SAML 2.0 from the drop-down.
- Fill out the SAML (SSO) section using the following instructions:
Identity provider: ADFS v2 or lower with HTTP POST
Identity provider login URL: https://<your ADFS External URL>/adfs/ls
Identity provider entity ID: http://<your ADFS External URL>/adfs/services/trust
Identity provider certificate: Paste the public key from federation metadata file (it should be your token signing certificate). Be sure to remove the BEGIN and END delimiter lines. Please refer to the previous section Extracting the Public Key from the Identity Provider Certificate if you have any questions.
Default user mapping: You can select Egnyte username or email address, depending on the key you selected to authenticate with.
Use domain-specific Issuer value: Enabled - Click Save and your ADFS settings will be successfully applied, and your users will be able to log into your domain with their ADFS credentials.
Add Egnyte as a Relying Party Trust within ADFS3.0
This configuration is done using a Windows 2012 R2 server.
- To begin, open the AD FS Management by going to the Windows Start Menu, selecting Administrative Tools, and choosing AD FS Management.
- From the right-hand Actions pane of the ADFS 2.0 Management screen, select the Add Relying Party Trust option.
- Select Start
- Select the option labeled Enter data about the relying party manually and click Next.
- Give the Relying Party Trust a descriptive and unique name (we suggest Egnyte SSO) and click Next.
- Select the AD FS 2.0 profile option to enable SAML 2.0 authentication and click Next.
You may skip the next page regarding the “Optional Token Encryption Certificate.”
- Continue to the Configure URL screen.
- Check the box labeled Enable support for the SAML 2.0 WebSSO protocol, enter your SAML 2.0 SSO service URL (template provided below), and click Next.
If your domain has been configured for SAML SSO before February 20th, 2019: https://<your-custom-subdomain>.egnyte.com/samlconsumer/ADFS3
Please ensure 'ADFS3' is in all uppercase.
If your domain has never been configured for SAML SSO: https://<your-custom-subdomain>.egnyte.com/samlconsumer/ - Add a Relying party trust identifier (1). Type in: https://<your-domain>.egnyte.com
Click the Add button (2). The identifier will appear in the list of party trust identifiers below. - Select I do not want to configure multi-factor authentication settings for this party trust at this time and click Next.
- You may choose to have ADFS allow all domain users access by default or none. This decision is up to you, but we recommend that you leave Permit all users to access this relying party selected initially while you continue the setup process.
- Review the selections you made in the previous screens. If you're satisfied, click Next.
- Check the box next to the option to Open the Edit Claim Rules dialog for this
relying trust when the wizard close and select Close. - In the Edit Claim Rules dialog, click the button labeled Add Rule.
- Set the Claim rule template as Send LDAP Attributes as Claims.
This may be the default option selected.
- On the Configure Claim Rule screen, you will be prompted for a rule name, an attribute store, and a set of LDAP attributes. You can see examples of these values below.
1) An appropriate claim rule name would be something like Send Email Address or Send User Name.
2) For an Attribute store, select Active Directory.
If you selected Send Username in the Claim Rule Name box: In the first row, select an (3) LDAP attribute of Sam-Account-Name and an (4) outgoing claim type of Name ID.
If you selected Send Email Address in the Claim Rule Name box: In the first row, select an (3) LDAP attribute of Email Address and an outgoing claim type of Name ID. - Click Finish to exit the claim rules dialog.
Extracting the Public Key from the Identity Provider Certificate
You will need the Public Key from the Token-Sign Certificate when you are configuring ADFS within Egnyte.
The Token-Sign Certificate will be located in your AD FS Management Window. Use the steps below to locate it.
- Click on Certificates (1), choose Token-Signing (2) from the list, and select View Certificate (3) from the Action menu.
- Navigate to the Details tab (4) and select Copy to File (5).
- You should see a Certificate Export Wizard dialog window appear (see below). Click Next.
- Select the Base-64 encoded X.509 (.CER) (6) option and click Next.
- Finish the Certificate Export Wizard and find the file location of the newly exported certificate. Open the file with a text editor, and you should see the following.
- Copy the text between Begin Certificate and End Certificate (not including dashes) and paste it into the Egnyte Configuration for Identity Provider Certificate when you begin configuring ADFS within Egnyte.
Configure ADFS within Egnyte
- Using an Administrator account, log into Egnyte.
- Navigate to Settings, select the Security & Authentication option, scroll down to Single Sign-On Authentication, and select SAML 2.0 from the drop-down.
- Fill out the SAML (SSO) section using the following instructions.
Identity provider: ADFS v3 or higher
Identity provider login URL: https://<your ADFS External URL>/adfs/ls/
Identity provider entity ID: http://<your ADFS External URL>/adfs/services/trust
Identity provider certificate: Paste the public key from federation metadata file (it should be your token signing certificate). Be sure to remove the BEGIN and END delimiter lines. Please refer to the previous section Extracting the Public Key from the Identity Provider Certificate if you have any questions.
Default user mapping: You can select Egnyte username or email address, depending on the key you selected to authenticate with.
Use domain-specific Issuer value: Enabled - Click Save and your ADFS settings will be successfully applied, and your users will be able to log into your domain with their ADFS credentials.
Add Egnyte as a Relying Party Trust within ADFS4.0
This configuration is done using a Windows 2012 R2 server.
- To begin, open the AD FS Management by going to the Windows Start Menu, selecting Administrative Tools, and choosing AD FS Management.
- From the right-hand Actions pane, select the Add Relying Party Trust option.
- Select Start.
- Select the option labeled Enter data about the relying party manually and click Next.
- Give the Relying Party Trust a descriptive and unique name (we suggest Egnyte SSO) and click Next.
- Select the AD FS 2.0 profile option to enable SAML 2.0 authentication and click Next.
You may skip the next page regarding the “Optional Token Encryption Certificate.”
- Continue to the Configure URL screen.
- Check the box labeled Enable support for the SAML 2.0 WebSSO protocol, enter your SAML 2.0 SSO service URL (template provided below), and click Next.
If your domain has been configured for SAML SSO before February 20th, 2019: https://<your-custom-subdomain>.egnyte.com/samlconsumer/ADFS3
Please ensure 'ADFS3' is in all uppercase.
If your domain has never been configured for SAML SSO: https://<your-custom-subdomain>.egnyte.com/samlconsumer/ - Add a Relying party trust identifier (1). Type in: https://<your-domain>.egnyte.com
Click the Add button (2). The identifier will appear in the list of party trust identifiers below. - Select I do not want to configure multi-factor authentication settings for this party trust at this time and click Next.
- You may choose to have ADFS allow all domain users access by default or none. This decision is up to you, but we recommend that you leave Permit all users to access this relying party selected initially while you continue the setup process.
- Review the selections you made in the previous screens. If you're satisfied, click Next.
- Check the box next to the option to Open the Edit Claim Rules dialog for this relying trust when the wizard close and select Close.
- In the Edit Claim Rules dialog, click the button labeled Add Rule.
- Set the Claim rule template as Send LDAP Attributes as Claims.
This may be the default option selected.
- On the Configure Claim Rule screen, you will be prompted for a rule name, an attribute store, and a set of LDAP attributes. You can see examples of these values below.
1) An appropriate claim rule name would be something like Send Email Address or Send User Name.
2) For an Attribute store, select Active Directory.
If you selected Send Username in the Claim Rule Name box: In the first row, select an (3) LDAP attribute of Sam-Account-Name and an (4) outgoing claim type of Name ID.
If you selected Send Email Address in the Claim Rule Name box: In the first row, select an (3) LDAP attribute of Email Address and an outgoing claim type of Name ID. - Click Finish to exit the claim rules dialog.
Extracting the Public Key from the Identity Provider Certificate
You will need the Public Key from the Token-Sign Certificate when you are configuring ADFS within Egnyte.
The Token-Sign Certificate will be located in your AD FS Management Window. Use the steps below to locate it.
- Click on Certificates (1), choose Token-Signing (2) from the list, and select View Certificate (3) from the Action menu.
- Navigate to the Details tab (4) and select Copy to File (5).
- You should see a Certificate Export Wizard dialog window appear (see below). Click Next.
- Select the Base-64 encoded X.509 (.CER) (6) option and click Next.
- Finish the Certificate Export Wizard and find the file location of the newly exported certificate. Open the file with a text editor, and you should see the following.
- Copy the text between Begin Certificate and End Certificate (not including dashes) and paste it into the Egnyte Configuration for Identity Provider Certificate when you begin configuring ADFS within Egnyte.
Configure ADFS within Egnyte
- Using an Administrator account, log into Egnyte.
- Navigate to Settings, select the Security & Authentication option, scroll down to Single Sign-On Authentication, and select SAML 2.0 from the drop-down.
- Fill out the SAML (SSO) section using the following instructions.
Identity provider: ADFS v3 or higher
Identity provider login URL: https://<your ADFS External URL>/adfs/ls/
Identity provider entity ID: http://<your ADFS External URL>/adfs/services/trust
Identity provider certificate: Paste the public key from federation metadata file (it should be your token signing certificate). Be sure to remove the BEGIN and END delimiter lines. Please refer to the previous section Extracting the Public Key from the Identity Provider Certificate if you have any questions.
Default user mapping: You can select Egnyte username or email address, depending on the key you selected to authenticate with.
Use domain-specific Issuer value: Enabled - Click Save and your ADFS settings will be successfully applied, and your users will be able to log into your domain with their ADFS credentials.
- In ADFS, update the SAML consumer so that the URL matches the one applied in step 8 of the Add Egnyte as a Relying Party Trust within ADFS4.0 section.