Breadcrumbs

SAML Single Sign-On Support

You can use SAML SSO to control the authorization and authentication of hosted user accounts that can access FileCloud Web based interface.

  • SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties.

  • FileCloud supports SAML (Security Assertion Markup Language) based web browser Single Sign On (SSO) service

  • FileCloud acts as a Service Provider (SP) while the Customer or Partner acts as the identity provider (IdP).  FileCloud SAML SSO service is based on SAML v2.0 specifications.

SSO Login Diagram

SSO Login Diagram

The following process explains how the user logs into a hosted FileCloud application through customer-operated SAML based SSO service.

image2015-7-26 19:32:25.png

  1. The user attempts to reach the hosted FileCloud application through the URL.

  2. FileCloud generates a SAML authentication request. The SAML request is embedded into the URL for the customer’s SSO Service.

  3. FileCloud sends a redirect to the user’s browser. The redirect URL includes the SAML authentication request and is submitted to customer’s SSO Service.

  4. The Customer’s SSO Service authenticates the user based on valid login credentials.

  5. The customer generates a valid SAML response and returns the information to the user’s browser.

  6. The customer SAML response is redirected to FileCloud.

  7. The FileCloud authentication module verifies the SAML response.

  8. If the user is successfully authenticated, the user will be successfully logged into FileCloud.

When the IdP successfully authenticates the user account, the FileCloud (SP) authentication module verifies that the user account exists in FileCloud.
If the user account does not exist in FileCloud, then a new user account is created and the user is logged into FileCloud.

SSO Configuration Steps

In order to successfully configure SAML SSO, the following steps must be followed.

  1. Configure Apache Webserver.
    To configure Apache Webserver for SAML SSO, please Contact FileCloud Support.

2. Ensure the correct FileCloud URL is set and uses HTTPS

  1. In the FileCloud admin portal's left navigation bar, scroll down and click Settings. Then, on the Settings navigation page, click Server  ServerIcon.png .
    The Server settings page opens.

  2. In the Server URL field, confirm that your URL begins with HTTPS.

  3. Click Check URL to make sure your URL is valid.

    CheckURL2.png
3. Set SAML as the default single sign-on method in FileCloud

To set the SSO type in FileCloud:


  1. In the FileCloud admin portal's left navigation bar, scroll down and click Settings. Then, on the Settings navigation page, click SSO SSOIcon.png .
    The SSO page opens.

  2. In Default SSO Type, select SAML.
    ChooseSAML2.png

4. Configure IdP settings in FileCloud

Note:  If you are using Active Directory Federation Services (ADFS) Support for authentication, see ADFS Single Sign-On Support.

To configure IdP settings in FileCloud:

  1. In the FileCloud admin portal SSO settings page, fill in the settings under SAML Settings.

    SSOTop2.png


    image-20251114-200834.png


Use the following table to understand the IdP settings.

FileCloud Parameters

IdP Settings

IdP End Point URL

Identity Provider URL

Idp Username Parameter

Identifies the Username (must be unique for each user)

  • Usually uid or agencyUID

  • Default value: uid

NOTE: The username must be unique. If username sent by Idp is in email format, the email prefix will be used for username. The email prefix in this case must be
unique.

IdP Email Parameter

Identifies the email of the user (must be unique)

Default value: mail

IdP Given Name Parameter

Identifies the given name of the user

Default value: givenName

IdP Surname Parameter

Identifies the surname of the user

Default value: sn

IdP Log Out URL (Optional)

URL for logging out of IdP

Limit Logon to IdP Group

IdP Group Name

  • Specifying a group name means that a user can login through SAML SSO only when the Identity Provider indicates that the user belongs to the specified IdP group

  • The IdP must send this group name through the memberof parameter

  • The memberof parameter can include a comma separated value of all groups to which the user belongs

Show the IdP Logon Screen

Identifies which Logon screen the user will see:

  • FileCloud screen = not selected

  • IdP screen = selected

IdP Metadata

Identity Provider metadata in XML Format

SSO Error Message (Optional)

Custom error message that appears when a login is invalid. Enter in HTML format, and use the variable ^MESSAGE^, which shows error details when SSO login fails.
For example:

<h1>^MESSAGE^</h1>

Allow Account Signups

Added in FileCloud 20.1

When TRUE, during the login process, if the user account does not exist, a new FileCloud user account is created automatically.

Automatic Account Approval

Added in FileCloud 20.1

This setting works with the Allow Account Signups setting to determine:

  • If the account created by the user is disabled until the administrator approves it

  • If the account is approved with a specific level of access automatically without intervention from the Administrator.

  • Possible values are:
    0 - No automatic approval, Admin has to approve account
    1 - Automatically approve new accounts to Full User
    2 - Automatically approve new accounts to Guest User
    3 - Automatically approve new accounts to External User



Enable ADFS

No

User login token expiration match Idp expiration

If enabled the user token expiration will be set based on Idp expiration settings

If not enabled user token expiration will be set based on FileCloud Session Timeout
(FileCloud admin UI - Settings - Server - Session Timeout in Days)

Default: No (Not enabled) 

Enable Browser-Only SSO Session Timeout

Added in FileCloud 23.232.1

If enabled, SSO session timeouts apply to browser sessions but not to client sessions.

Show the Idp Login Screen

If enabled, automatically redirect user to Idp log-in screen.

Log Level

Set the Log mode for the SAML Calls.

Default Value: prod (Do not use DEV for production systems)

Allow SSO for external users

Added in FileCloud 23.253

Only appears if feature is included in license.
If enabled, external users can log in to FileCloud using SSO.
Default value: Disabled.
5. Register FileCloud as a Service Provider (SP) with the IdP

 Use the following URL (Entity ID) to register FileCloud as an SP with IdP or ADFS.  The URL below also provides the metadata of the FileCloud SP:

http://<Your Domain>/simplesaml/module.php/saml/sp/metadata.php/default-sp

6. Enable the SSO link on the login page

 You can customize the user log-in screen to display the SSO log-in option along with the direct log-in option or to only display the SSO log-in.

To display the SSO log-in option along with the direct log-in option:

  1. From the left navigation pane, click Customization

  2. Select the General  tab, and then the Login sub-tab.

  3. Check Show SSO Link and Show Login Options.
    FCSSOSetup.png

  4. Save your changes.
    Now, when users access the user portal log-in page, they will see:
    FCSSO.png

    On clicking the Single Sign-On link on the login page, the user is redirected to the SAML SSO Service web page. 

To only display the SSO log-in the user portal or the admin portal, please Contact FileCloud Support.