Integrating with SSO (SAML)

FileAgo supports integration with SAML-based Single Sign On services like Azure AD and OneLogin.

Introduced in 2001, Security Assertion Markup Language (SAML) is an XML-based protocol used for single sign-on (SSO) authentication and authorization to web-based applications.

FileAgo acts as the Service Provider (SP) and can work with any SAML-based Identity Provider (IdP).

An example workflow of how we enable SSO for customers is as follows:

  1. Customer contacts the FileAgo Support team to request that SSO be enabled. The Support team first creates a new SSL certificate (example command given below) and provides it to the customer. This certificate will be used to configure secure communication between SP and IdP.
    # openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 3650 -out domain.crt
  2. Customer creates a new application on the IdP side (see steps for Azure AD below) and provides the necessary details back to the FileAgo Support team.
  3. FileAgo Support team will configure and enable SSO based on the details provided by the customer.

Azure AD

The following example lists the steps necessary to configure Azure AD (IdP) to work with a FileAgo workspace hosted at https://acmeinc.fileago.io (SP).

  1. Log into Azure Active Directory admin center (https://aad.portal.azure.com/)
  2. Go to “Enterprise applications” -> “New application” -> “Non-gallery application”
    • name of application: “FileAgo”
    • click “Add”
  3. Enable SAML-based Sign-on via “Enterprise Applications” -> “FileAgo” -> “Single sign-on” -> “SAML”
  4. Under “Basic SAML Configuration” section, set:
    • Identifier (Entity ID): https://acmeinc.fileago.io/saml/metadata
    • Reply URL (Assertion Consumer Service URL): https://acmeinc.fileago.io/saml/consume
    • Sign on URL: https://acmeinc.fileago.io/saml/login
    • Logout Url: https://acmeinc.fileago.io/redirect_login.html?logout=true
  5. Do not edit the default pairings created under “User Attributes & Claims” section
  6. Under “SAML Signing Certificate” section, click on “Add a certificate”, then download the certificate (PEM) and save it as “idp.pem”
  7. Under “Set up FileAgo” section, note the values for “Login URL” and “Logout URL”. These values will be used later to configure the FileAgo SP
  8. Import the certificate from the FileAgo SP configuration (the one created by the FileAgo Support team) under “Enterprise Applications” -> “FileAgo” -> “Security” -> “Token Encryption”
  9. Right-click on the imported certificate and then select “Activate token encryption”
  10. Allow necessary users via “Enterprise Applications” -> “FileAgo” -> “Manage” -> “Users and groups”

You have now successfully created the application on the Azure AD side. The information necessary to further configure FileAgo has been collected in steps 6 and 7. Share it with the FileAgo Support team in order to complete the process of enabling SSO in your cloud / self-hosted FileAgo.
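
Certificates change hands twice in this procedure: domain.crt goes to the customer in step 1 of the workflow, and idp.pem goes back to FileAgo Support from step 6. The script below is an added example, not part of FileAgo's documentation or tooling, showing checks to run on those files before sending them; the function names and the CN value are assumptions.

```shell
#!/usr/bin/env bash
# Added example: checks for the certificate files exchanged in this procedure.
# domain.key / domain.crt are the page's file names; function names and the
# CN value are assumptions made for this example.

# Same options as the page's command, plus -subj so it runs without prompts;
# the private key is then made readable by its owner only.
make_sp_cert() {  # make_sp_cert <key-out> <crt-out> <common-name>
    openssl req -newkey rsa:2048 -nodes -keyout "$1" -x509 -days 3650 \
        -subj "/CN=$3" -out "$2" 2>/dev/null && chmod 600 "$1"
}

# A file may be handed over only if it holds exactly one certificate and
# no private key block.
safe_to_share() {  # safe_to_share <pem-file>
    ! grep -q 'PRIVATE KEY-----' "$1" &&
        [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ]
}

# The certificate must carry the public half of the private key, otherwise the
# SP cannot decrypt tokens the IdP encrypts to it.
cert_matches_key() {  # cert_matches_key <key> <crt>
    local from_crt from_key
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# Succeeds if the certificate is still valid <days> days from now.
valid_for_days() {  # valid_for_days <crt> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint, to confirm over a second channel that the certificate
# imported on the other side is the one that was sent.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Demo on a freshly generated pair in a throwaway directory (constructed data).
demo() {
    local d; d=$(mktemp -d) || return 1
    make_sp_cert "$d/domain.key" "$d/domain.crt" acmeinc.fileago.io || return 1
    cert_matches_key "$d/domain.key" "$d/domain.crt" && echo "key matches certificate"
    safe_to_share "$d/domain.crt" && echo "domain.crt: ok to send"
    safe_to_share "$d/domain.key" || echo "domain.key: never send"
    valid_for_days "$d/domain.crt" 365 && echo "valid for at least a year"
    cert_fingerprint "$d/domain.crt"
    rm -rf "$d"
}
demo
```

The same `safe_to_share` and `cert_fingerprint` checks apply to idp.pem before it is sent to FileAgo Support.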