SAML Single Sign On Manual Configuration

MyWorkDrive SAML Manual Configuration Overview

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically – between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

MyWorkDrive Server 5.0 supports SAML based Web File Manager Single Sign On (SSO) in addition to ADFS (which is configured separately). For SAML, MyWorkDrive acts as a Service Provider (SP) while the partner acts as the identity provider (IdP) for example: Shibboleth, OneLogin, Centrify, Azure AD, OKTA, etc.

Preconfigured SAML Setup Guides

Several SAML providers are preconfigured in MyWorkDrive and use a simplified setup process. Please visit the following articles for setup of Azure AD, Okta and OneLogin. It is not necessary nor recommended to manually configure MyWorkDrive for these providers.

Azure AD SAML

OKTA SAML

OneLogin SAML

Manual SAML Prerequisites

• Ensure users have a upn suffix applied for domain name to match SAML Provider Login name so they can login to your MyWorkDrive server with their email address.
• Ensure the MyWorkDrive server is trusted for delegation as per our Delegation Article
• Make your server available via Cloud Web Connector or setup your own public SSL Certificate and Hostname pointing to your MyWorkDrive Server over port 443 (SSL) and ensure your server is publicly accessible. View Support Article.

Login Flow

 

The following explains the user login flow to MyWorkDrive from an identity provider (IdP):

 

• It is assumed all users are logging into the ldP using their UPN Suffix (eg @yourdomain.com) and it matches their Active Directory username UPN.
• Your MyWorkDrive server is using your own host name and SSL Certificate (*.MyWorkDrive.net is not supported for SAML).
• The user clicks the MyWorkDrive assertion consumer service URL (eg. https://YourMWDserver.yourdomain.com/SAML/AssertionConsumerService.aspx) as the single sign-on URL.
• If the user is not already logged into the ldP the MyWorkDrive server redirects the user to the SSL service to sign-in.
• Once confirmed the IdP service generates a valid SAML response and redirects the user back to MyWorkdrive to verify the SAML response.
• If the user authentication is successfully validated, they are automatically logged into their companies MyWorkDrive Web File Manager.

SAML SSL MyWorkDrive Server Configuration Steps

 

To successfully configure SAML on MyWorkDrive server the following manual steps are necessary:

IdP Service Configuration

If your IdP will import settings from meta data, you can use the MyWorkDrive metadata link from your server at https://YourMWDserver.yourdomain.com/SAML/ServiceProviderMetadata

• Create a SAML configuration at the IdP referencing the MyWorkDrive:
• Specify the assertion consumer service URL (e.g. https://YourMWDserver.yourdomain.com/SAML/AssertionConsumerService.aspx) as the single sign-on URL.
• Specify the Audience URI (SP Entity ID) – enter “MyWorkDrive” as the audience URI.
• Specify the single logout service URL (eg https://YourMWDServer.yourdomain.com/SAML/SLOService.aspx) as the logout URL.
• Specify the SP Issuer. This is the local service provider name – Enter “MyWorkDrive”.
• Download the ldP certificate and place in C:\Wanpath\WanPath.Data\Settings\Certificates

MyWorkDrive Server Configuration

1. Update the SAML config located in C:\Wanpath\WanPath.Data\Settings to un-comment out the <PartnerIdentityProvider> entry for your IdP. If an entry is not present for your IdP you may use the MWD Example.
2. Local Certificate File. This step should be completed for you in MyWorkDrive server version 5.2 and above and a certificate should be present in the folder with the password in the saml.config file. If it is not, proceed to Export your public SSL Certificate matching your MyWorkDrive host name as referenced in your IdP with a password and place the SL Certificate PFX export file into C:\Wanpath\WanPath.Data\Settings\Certificates and reference it in the service provider section with the password you used during the export.
3. In the identity provider section: Set the Name to the identity provider issuer. This value is also known as the metadata entityID.
4. In the Identity provider section: Set the SingleSignOnServiceUrl to the identity provider single sign-on URL.
5. In the Identity provider section: Set the SingleLogoutServiceUrl to the identity provider single logout URL.
6. Update the identity provider PartnerCertificateFile section with the complete path and name of the identity providers certificate file.

The partner identity provider configuration section should be similar to the following saml.conf

<!– Okta –>

<PartnerIdentityProvider Name=” http://www.okta.com/exkxxxxxxsyyyyyzzzz55″

Description=”Okta”

SignAuthnRequest=”true”

SignLogoutRequest=”true”

SignLogoutResponse=”true”

WantLogoutRequestSigned=”true”

WantLogoutResponseSigned=”true”

SingleSignOnServiceUrl=”https://yourcompany.okta.com/app/yourcompany_mwdserver1_1/exkxxxxxyyyy555/sso/saml”

SingleLogoutServiceUrl=”https://yourcompany.okta.com/app/yourcompany_mwdtest1_1/exkrcdasxxxxxxyyyyy55/slo/saml”

PartnerCertificateFile=”C:\Wanpath\WanPath.Data\Settings\Certificates\okta.cer”/>

 

The Service provider section configuration should be similar to the following saml.conf

 

<ServiceProvider Name=”MyWorkDrive”

Description=”MWD Service Provider” AssertionConsumerServiceUrl=”~/SAML/AssertionConsumerService.aspx” LocalCertificateFile=”C:\Wanpath\WanPath.Data\Settings\Certificates\yourdomain.pfx”

LocalCertificatePassword=”password”/>

 

Finally, before you test, make sure you have added some users to your new MyWorkDrive entry in your IdP to authornize them to access MyWorkDrive. To test SAML without making it required after enabling it, use the following URL: http://yourserver.yourdomain.com/account/login-saml.aspx