Setting Up SAML Authentication for Admins with Cloudi-Fi & Microsoft Active Directory Federation Services (ADFS).
Use case
The following sections give step-by-step instructions for setting up SAML authentication for your Cloudi-Fi administrators, with Cloudi-Fi acting as the service provider (SP) and Microsoft AD FS as the identity provider (IdP).
Prerequisites
"SAML for Administrators" URLs
Navigate to the Cloudi-Fi Admin user interface (UI)
Go to "Configuration" > "Auth modes" > "SAML for Administrators"
Collect the necessary information
Linkback URL
https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/************
- ************ is your Cloudi-Fi public key (Cloudi-Fi Admin interface > Settings > Company Account)
- This is the Assertion Consumer Service (ACS) URL, i.e. the address AD FS will POST the signed SAML response to.
Cloudi-Fi Entity ID
https://admin.cloudi-fi.net/
Sign On URL
https://admin.cloudi-fi.net/sso/************
- ************ is your Cloudi-Fi public key (Cloudi-Fi Admin interface > Settings > Company Account)
If "SAML for Administrators" is not available, open a ticket with Cloudi-Fi Support (see "How to contact your Cloudi-Fi support?").
1. Add a SAML Configuration
From the AD FS management tool, right-click AD FS in the left panel, click Edit Federation Service Properties, and copy the value of the Federation Service identifier (by default http://YOUR_ADFS_DOMAIN/adfs/services/trust).
Return to the Cloudi-Fi interface, Settings > Auth modes, and paste that value into the Entity ID field. The Federation Service identifier is the Issuer AD FS writes into every assertion, and Cloudi-Fi compares it as a string, so paste it verbatim, including the scheme (usually http://, not https://).
Back in the AD FS management tool, go to AD FS > Service > Endpoints, find the endpoint whose Type is SAML 2.0/WS-Federation, and copy its URL path (/adfs/ls/).
Return to Cloudi-Fi Settings > Auth modes and paste the path prefixed with your server URL (e.g. https://YOUR_ADFS_DOMAIN/adfs/ls) into the Login Endpoint field. This is the URL Cloudi-Fi redirects administrators to for sign-in.
From the AD FS management tool, go to AD FS > Service > Certificates, right-click the certificate listed under Token-signing (the primary one, if two are shown), and click View Certificate. In the Certificate dialog, go to the Details tab and click Copy to File.
The Certificate Export Wizard opens; click Next and export the certificate as Base-64 encoded X.509 (.CER).
Open the exported file in a text editor and copy the Base64 body without the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Go back to the Cloudi-Fi interface and paste it into the IdP Signing Certificate (x509 format) field. Cloudi-Fi uses this certificate to verify the signature on assertions, so it must be the Token-signing certificate, not the Service communications one. If AutoCertificateRollover is enabled on your AD FS (it is by default), AD FS generates a new token-signing certificate roughly 20 days before the current one expires and then promotes it to primary; repeat this step when that happens, or administrator logins will fail signature validation.
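The three values above can also be read straight from the AD FS server instead of through the MMC dialogs. The following PowerShell is an added example written for this page, not Cloudi-Fi's or Microsoft's code. It assumes it runs as an AD FS administrator on the primary AD FS server (where the ADFS module is present); the federation metadata path is the standard AD FS one, and the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example for this page (not Cloudi-Fi's or Microsoft's code).
# Run as an AD FS administrator on the primary AD FS server.
Import-Module ADFS

$props = Get-AdfsProperties

# Entity ID: the Federation Service identifier (default http://<fqdn>/adfs/services/trust).
# It is usually http:// and is compared as a string, so it is pasted verbatim.
$idpEntityId = $props.Identifier.ToString()

# Login Endpoint: the SAML 2.0/WS-Federation endpoint, normally https://<fqdn>/adfs/ls/
$samlEndpoint = Get-AdfsEndpoint |
    Where-Object { $_.Protocol -eq 'SAML 2.0/WS-Federation' -and $_.Enabled } |
    Select-Object -First 1
$loginEndpoint = $samlEndpoint.FullUrl.ToString()

# IdP Signing Certificate: the primary Token-Signing certificate as one Base64 line
# without BEGIN/END markers (same bytes as the exported .CER with the markers stripped).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate
$certB64 = [Convert]::ToBase64String($cert.RawData)

# Checks worth doing before pasting anything into Cloudi-Fi.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {   # 30 days is an arbitrary warning threshold
    Write-Warning "Token-signing certificate expires on $($cert.NotAfter); plan to update Cloudi-Fi."
}
if ($props.AutoCertificateRollover) {
    Write-Warning "AutoCertificateRollover is enabled: after AD FS rolls the token-signing certificate, paste the new one into Cloudi-Fi."
}
$secondary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { -not $_.IsPrimary }
if ($secondary) {
    Write-Warning "A secondary token-signing certificate exists ($($secondary.Thumbprint)); it becomes primary at the next rollover."
}

# Cross-check against the federation metadata AD FS publishes at its standard path.
$metadataUrl = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $md = Invoke-RestMethod -Uri $metadataUrl
    if ($md.EntityDescriptor.entityID -ne $idpEntityId) {
        Write-Warning "Metadata entityID ($($md.EntityDescriptor.entityID)) differs from the Federation Service identifier."
    }
} catch {
    Write-Warning "Could not fetch $metadataUrl : $_"
}

# The three values to paste into Cloudi-Fi, plus what you need to recognise the certificate later.
[pscustomobject]@{
    'Cloudi-Fi Entity ID field'               = $idpEntityId
    'Cloudi-Fi Login Endpoint field'          = $loginEndpoint
    'Cloudi-Fi IdP Signing Certificate field' = $certB64
    'Certificate thumbprint'                  = $cert.Thumbprint
    'Certificate valid until'                 = $cert.NotAfter
} | Format-List
```

Keep the thumbprint with your change record: when an administrator login starts failing with a signature error, comparing it with the thumbprint of the current primary Token-Signing certificate tells you immediately whether a rollover happened.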
2. Create a relying party trust
From the AD FS management tool, expand AD FS from the left panel, select Relying Party Trusts, and click Add Relying Party Trust.
Select Claims Aware and then select Enter data about relying party manually and click Next.
Give it a name and a description, then click Next.
On the Configure Certificate page (the optional certificate AD FS will use to encrypt tokens for this relying party), download the Cloudi-Fi SAML public certificate, click Browse, and add it.
On the Configure URL page, select Enable support for the SAML 2.0 WebSSO protocol.
In the Relying party SAML 2.0 SSO service URL field, paste the Linkback URL (the Assertion Consumer Service URL) collected in the prerequisites, and click Next. This is the address AD FS will POST the signed SAML response to.
On the Configure Identifiers page, paste the Cloudi-Fi Entity ID (https://admin.cloudi-fi.net/) into the Relying party trust identifier field, click Add, then Next. The identifier must match the Entity ID exactly, including the trailing slash, because AD FS selects the trust by comparing it with the Issuer of the incoming AuthnRequest.
From the list of access control policies, select Permit Everyone and click Next. Permit Everyone lets any user who can authenticate to AD FS obtain a token for the Cloudi-Fi admin console; for an administrative application, prefer Permit specific group (optionally with MFA) scoped to the AD group that holds your Cloudi-Fi administrators.
Check the parameters on the Ready to Add Trust tab, click Next, and then Close the Wizard.
3. Edit claim rules
From the AD FS management tool, go to Relying Party Trusts, right-click the relying party trust you just added, click Edit Claim Issuance Policy, and then click Add Rule.
Select Send LDAP Attributes as Claims
Give it a name and add the mapping: the LDAP attribute holding the email address (typically E-Mail-Addresses) to an outgoing claim type, and the attribute or group that determines the administrator profile to a second outgoing claim type. Note the outgoing claim type names; AD FS uses them as the SAML attribute names, and they are what you enter in Cloudi-Fi.
From the Cloudi-Fi interface, configure the attribute names as follows:
Email Attribute name: the outgoing claim type of the rule that carries the email address.
Enable Administrator auto-provisioning and enter the outgoing claim type of the rule that carries the profile (or group) in the SAML Profile Attribute field.
The group or profile value MUST be mono-valued: each administrator's assertion must carry exactly one value for that attribute. A claim that lists all of a user's groups (such as Token-Groups) is multi-valued and will not work; emit one claim whose value is the profile name instead.
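Sections 2 and 3 can be done in one go with the ADFS PowerShell module, which also makes the mono-valued requirement concrete: the profile rule matches one group SID and issues one constant value. The script below is an added example for this page, not Cloudi-Fi's or Microsoft's code. The trust name, the AD group CONTOSO\Cloudi-Fi Admins, the certificate path C:\certs\cloudi-fi-saml.cer, the profile value "Administrator" and the two outgoing claim types are assumptions; the public key placeholder must be replaced with your own value from Settings > Company Account.

```powershell
# Added example for this page (not Cloudi-Fi's or Microsoft's code).
# Run as an AD FS administrator on the primary AD FS server (domain-joined).
Import-Module ADFS

# --- Values you must replace (all assumed) -------------------------------------
$cloudiFiPublicKey = '<your Cloudi-Fi public key>'     # Cloudi-Fi > Settings > Company Account
$adminsGroup       = 'CONTOSO\Cloudi-Fi Admins'         # AD group of Cloudi-Fi administrators
$cloudiFiCertPath  = 'C:\certs\cloudi-fi-saml.cer'      # Cloudi-Fi SAML public certificate (token encryption)
$trustName         = 'Cloudi-Fi Admin'                  # display name of the relying party trust
$profileValue      = 'Administrator'                    # single profile value sent for group members

# --- Values from the prerequisites section -------------------------------------
$cloudiFiEntityId = 'https://admin.cloudi-fi.net/'       # Relying party trust identifier
$linkbackUrl      = "https://admin.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/sp-saml4admin/$cloudiFiPublicKey"

# Outgoing claim types (assumed). AD FS uses the claim type as the SAML Attribute Name,
# so these exact strings go into Cloudi-Fi's Email Attribute name / SAML Profile Attribute.
$emailClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$profileClaim = 'http://schemas.xmlsoap.org/claims/Group'

# Resolve the group SID locally; no RSAT module needed on a domain-joined host.
$ntAccount = New-Object System.Security.Principal.NTAccount($adminsGroup)
$groupSid  = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Claim rules in the AD FS claim rule language.
# Rule 1: email from the LDAP "mail" attribute of the authenticated account.
# Rule 2: one constant profile value for members of the admins group. Matching a single SID
# and issuing a constant keeps the attribute mono-valued; a Token-Groups rule would emit
# every group the user belongs to and be multi-valued.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Cloudi-Fi email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("{EMAIL_CLAIM}"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Cloudi-Fi profile"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "{GROUP_SID}", Issuer == "AD AUTHORITY"]
 => issue(Type = "{PROFILE_CLAIM}", Value = "{PROFILE_VALUE}", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@
$rules = $rules.Replace('{EMAIL_CLAIM}', $emailClaim).Replace('{PROFILE_CLAIM}', $profileClaim)
$rules = $rules.Replace('{GROUP_SID}', $groupSid).Replace('{PROFILE_VALUE}', $profileValue)

# Section 2: SSO service URL = Linkback (ACS) URL, identifier = Cloudi-Fi Entity ID.
$acsEndpoint    = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $linkbackUrl -Index 0
$encryptionCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cloudiFiCertPath)

# Access control: only the admins group can obtain a token, instead of Permit Everyone.
# The GroupParameter hashtable follows Microsoft's documented example for "Permit specific group".
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $cloudiFiEntityId `
    -SamlEndpoint $acsEndpoint `
    -EncryptionCertificate $encryptionCert `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters @{ GroupParameter = @($adminsGroup) }

# Check what AD FS stored before testing a login.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, AccessControlPolicyName, IssuanceTransformRules |
    Format-List
```

With these rules, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress as the Email Attribute name and http://schemas.xmlsoap.org/claims/Group as the SAML Profile Attribute in Cloudi-Fi. If you add a second profile rule for another group, make sure the two groups are mutually exclusive: a user who matches both rules would receive two values for the profile attribute, which violates the mono-valued requirement.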