www.ezeep.com +1-720-253-1400 [email protected]
Contents

Introduction ... 2
Requirements ... 2
Setup Steps ... 3
  1. Get Token Signing Certificate ... 3
  2. Create a Single Sign On Settings set in your ezeep Portal ... 5
  3. Enter SAML Settings ... 6
  4. Create Relying Party Trust ... 8
  5. Configure Claim Rules ... 10
    5.1 Transform an incoming Claim (Email to NameID) ... 12
    5.2 Send LDAP Attributes as Claim (Important for group assignment) ... 14
  6. Set up groups in the ezeep Portal ... 16
User Sign-On ... 17
Connecting ezeep to your Directory Service via SAML
Introduction

SAML is today's standard when it comes to connecting the user management of a cloud service with a directory service. This manual describes the steps required to connect an ezeep account to a directory service like ADFS, Azure Active Directory, Ping Identity, miniOrange and others. While the configuration varies between them, the fundamental steps to connect are the same. The examples used here are based on Active Directory Federation Services.

Requirements

• ezeep administrator account
• administrator account for your directory service
Setup Steps

1. Get Token Signing Certificate

First, we need to get the token-signing certificate from your ADFS server. We will need this to validate that the incoming security tokens were indeed created by your ADFS server and not modified in transit. Microsoft states that the public/private key pairing is the most important validation mechanism.

To get your token-signing certificate, go to:

• ADFS Management on your ADFS server
• Under ADFS / Service / Certificates, double-click the value under Token-signing
• Under the tab "Details", choose Copy to File... and export the certificate as Base-64 encoded X.509 (.CER)
• Store the file securely; you will need to upload it to our Admin portal in the next step
2. Create a Single Sign On Settings set in your ezeep Portal

• Log in to your ezeep account as administrator
• Click on your account (your email address / display name in our menu on the left)
• Under Single Sign On you will find the settings that you have set up (there should be none yet)
• Click on "Add SSO" and choose SAML 2.0
• A new popup will open with SAML settings
3. Enter SAML Settings

Our SAML settings include all basic settings that you need to set up for SAML to work properly. Enter your specific information and remember to save the settings.

This table contains the details about the specific settings:

Setting Name: Name (RENAME ME)
Description: This is the name under which we will store the SAML set for you to find. For your account this name needs to be unique.
Example: "ThinPrint Cloud SAML Settings"

Setting Name: Organization Identifier
Description: This is your Organization ID, which is unique across our whole solution. Each SAML setting needs one Organization ID. When your users enter this Organization ID at https://accounts.ezeep.com/auth/signin/saml/ they will be following the SAML rule set that you set here and be forwarded to the according Identity Provider Login URL.
Example: ThinPrintCloud

Setting Name: Entity ID
Description: The entity ID of your Identity Provider.
Example: "http://adfsdc.cortsol.net/adfs/services/trust"

Setting Name: Identity Provider Login URL
Description: This is the login URL of your identity provider, which in this case is your ADFS. When users enter your Organization ID above they will be redirected to this URL.
Example: "https://adfsdc.cortsol.net/adfs/ls"

Setting Name: Login Binding type
Description: Pick a binding type for your login requests. This setting states how SAML request and response messages are mapped. We recommend choosing the HTTP redirect method.
Options: HTTP Post, HTTP redirect
Example: Post "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-POST"; Redirect "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Setting Name: Identity Provider Logout URL
Description: This is the URL that we redirect the user to when the user actively wants to log out of a session in our portal.
Example: "https://adfsdc.cortsol.net/adfs/ls/?wa=wsignout1.0"

Setting Name: Logout Binding type
Description: Pick a binding type for your logout requests. This setting states how SAML request and response messages are mapped. We recommend choosing the HTTP redirect method.
Options: HTTP Post, HTTP redirect
Example: Post "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-POST"; Redirect "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Setting Name: Identity Provider Certificate (Base64 encoded)
Description: This is the token-signing certificate that we exported to file in the first step "Get Token-Signing Certificate". You can upload it here for us to store securely.
Example: "-----BEGIN CERTIFICATE----- a++++R0XNd+bDaBH2Jqpdln0+//asdsa-dadasd= -----END CERTIFICATE-----"
4. Create Relying Party Trust

To set up ezeep as an application that can be trusted by your ADFS, you need to create a Relying Party Trust on your ADFS. We have a preconfigured XML file for you that contains all necessary information to automatically configure your ADFS. You can find it after saving your first SAML Settings on the Single Sign On Settings screen. You can either save the link to the XML settings (we will need it on the ADFS server later) or store the whole file in case your ADFS does not have an internet connection.

On the ADFS server:

• Open your ADFS Management and go to Trust Relationships / Relying Party Trusts
• Add Relying Party Trust
• In the Wizard, you can import data by entering the link that you saved from our portal or point to the local XML file that you transferred to the server
• You can check the settings by continuing the Wizard
5. Configure Claim Rules

When a user knocks on our portal login door with a SAML token, we consider the token, evaluate certain attributes from it and use them accordingly. These attributes need to identify the user and the ezeep groups the user should be a member of. This way we can directly make printers accessible to users based on the groups and policies that exist in your ezeep portal.

Claim Rules are used to specify these attributes in the SAML tokens. Claim Rules map an attribute from your Active Directory user object to a key the ezeep service understands. For instance, you can choose which attribute you want to use to map your users to ezeep groups so ezeep can perform the assignment automatically when the user logs in.

ezeep is looking for the following attributes:

Name: NameID
Outgoing Claim Type: NameID
Required: Yes
Description: Needs to be in e-mail format. We use the NameID to identify a user.

Name: groups
Outgoing Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Required: Required for users to print
Description: The strings in groups will be matched with the name strings of groups that the admin created in our portal.
Example: cortsol.net\Domain Users

Name: First name
Outgoing Claim Type: first_name
Required: No, optional
Description: We display the first names in your users view for you to search for and filter users.
Example: John

Name: Last name
Outgoing Claim Type: last_name
Required: No, optional
Description: We display the last names in your users view for you to search for and filter users.
Example: McClane
At the end of the Relying Party Trust Wizard you can directly open the Edit Claim Rules dialog. You will need it to configure your user settings just the way you want them. You can also open the dialog with a right click on the newly created Relying Party Trust for ezeep and click on Edit Claims:
5.1 Transform an incoming Claim (Email to NameID)

The first rule set always must be the identifier, as we require this attribute to identify a user. We require e-mail addresses as the identifier, so this must be set. For this you can use the Claim rule template "Transform an Incoming Claim".

In the template set the Incoming Claim to E-Mail Address and the outgoing claim type to NameID with E-Mail as the format. This will take the e-mail address attribute from your user and map it to NameID so that we know that this is the attribute where we find the user's e-mail address:
5.2 Send LDAP Attributes as Claim (Important for group assignment)

As a next step add another Claim rule and choose the "Send LDAP Attributes as Claims" template:

This opens a table where you can pick your intended AD attribute on the left and specify the outgoing claim on the right.

Your users always print per group rule sets that you can set in our ezeep portal. For us to assign them to the correct groups, you need to choose the LDAP attribute that you use for organizing your groups in your AD and map it to the outgoing claim http://schemas.microsoft.com/ws/2008/06/identity/claims/groups:
6. Set up groups in the ezeep Portal

In the ezeep portal the users are organized in groups. Groups have policies applied to them. Policies define access to printers and printer features. For the groups and policy system to work properly, the LDAP group attribute has to contain group information in the exact same format that the claim rule configured in the previous step communicates.

Here are a few examples (AD Attribute Name: Example):

• Token-Groups - Qualified by Domain Name: cortsol\Domain Users
• Token-Groups as SIDs: S-1-5-21-1206454754-1378802883-1802596162-513
• Token-Groups - Qualified by Long Domain Name: cortsol.net\Domain Users
• Token-Groups - Unqualified Names: Domain Users
• Is-Member-Of-DL: CN=Guests,CN=Builtin,DC=cortsol,DC=net and CN=Users,CN=Builtin,DC=cortsol,DC=net

It is essential that you create the Groups in the ezeep portal with the exact same string as it is going out from your AD. Our workflow is to consider the SAML token, check the attribute "groups" and try to assign the users to the ezeep groups whose names are the exactly matching strings. There can be multiple groups in the attribute; we will try to match them all with the ezeep groups. If we do not find a group set up by you in our portal, we will just ignore it.

This check is performed every time a user logs in with a SAML token. We make sure that we clean the former groups assigned to a user before assigning the groups that we find in the new SAML token, so that changes to groups are applied every time a user logs in with a new token. This makes sure that old groups that the user was assigned to get unassigned when we don't find them in the SAML token anymore.
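The following is an added example, not ezeep's or Microsoft's code: it reads the claims this guide asks for (the e-mail NameID from step 5.1 and the groups claim from step 5.2) out of a constructed, unsigned SAML assertion and then applies the step 6 rule of exact string matching, with unknown groups ignored and no carry-over of earlier membership. The assertion, the portal group list and the attribute values are constructed for the example; the groups claim URI is the one this guide names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (unsigned; only the claims this guide names are shown).
# Groups are sent as "Token-Groups - Qualified by Long Domain Name".
SAMPLE_ASSERTION = r"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.mcclane@cortsol.net</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>cortsol.net\Domain Users</saml:AttributeValue>
      <saml:AttributeValue>cortsol.net\Print Admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>McClane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed portal group names. The unqualified "Domain Users" never matches a
# long-domain-qualified token value: this is the format mismatch step 6 warns about.
PORTAL_GROUPS = {r"cortsol.net\Domain Users", "Domain Users"}


def extract_claims(assertion_xml):
    """Return (name_id, groups, other_attrs); raise if the NameID is not an e-mail NameID (step 5.1)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        raise ValueError("NameID missing or not in e-mail format")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    groups = attrs.pop(GROUPS_CLAIM, [])  # "groups" claim; empty means the user cannot print
    return name_id.text, groups, attrs


def assign_groups(token_groups, portal_groups):
    """Step 6 rule: earlier membership is discarded, so only exact matches from this
    token become the new membership; values with no portal group of that name are ignored."""
    matched = [g for g in token_groups if g in portal_groups]
    ignored = [g for g in token_groups if g not in portal_groups]
    return matched, ignored


if __name__ == "__main__":
    name_id, groups, attrs = extract_claims(SAMPLE_ASSERTION)
    print(name_id, attrs, assign_groups(groups, PORTAL_GROUPS))
```

Running it shows that only "cortsol.net\Domain Users" is assigned, while "cortsol.net\Print Admins" is ignored because no portal group carries exactly that string.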
User Sign-On

After ezeep and the directory service are linked via SAML, users can simply go to portal.ezeep.com and click on "Sign in with Organization ID" or go directly to https://accounts.ezeep.com/auth/signin/saml/

They need to enter the Organization ID that you set as Organization Identifier in the ezeep portal.
Once they enter the ID, they will be redirected to the link you provided as Identity Provider Login URL.

After successful authentication on your Identity Provider, they will be redirected to the portal and can print per the groups that you set up.