SAML Single Sign On Configuration – Azure AD

MyWorkDrive Azure AD SAML Overview

MyWorkDrive Server 5.0 supports SAML based Web File Manager Single Sign On (SSO) in addition to ADFS (which is configured separately).   For SAML, MyWorkDrive acts as a Service Provider (SP) while the Azure AD acts as the identity provider (IdP).   In a typical scenario customers sync their Active Directory Credentials to Azure AD.  User logins are set to use the same upn suffix to login to Active Directory as they do in Azure AD (in most cases this is the companies Office 365 Subscription).

This document provides streamlined MyWorkDrive integration with Azure Active Directory starting with version 5.1.  For version 5.0 or to manually configure SAML view our manual SAML configuration article here

MyWorkDrive Azure AD SAML Setup

MyWorkDrive is listed an approved enterprise application in Azure AD – Information link :

https://azuremarketplace.microsoft.com/marketplace/apps/aad.myworkdrive?tab=Overview

Review the instructions in Microsoft’s tutorial and information links here:

Tutorial:   https://docs.microsoft.com/azure/active-directory/saas-apps/myworkdrive-tutorial

Note our instructions below are streamlined and starting with MyWorkDrive Server version 5.1 we can simply input the “App Federation Signing Certificate Metadata” URL from the Azure AD portal to automatically configure MyWorkDrive for Azure AD SAML Single sign-on.

Prerequisites

• Ensure users have a upn suffix applied for domain name to match Azure AD Login name so they can login to your MyWorkDrive server with their email address (most companies sync their Active Directory to the same Azure AD directory that the use to login to Office 365).
• Ensure the MyWorkDrive server is trusted for delegation as per our Delegation Article
• Setup your own public SSL Certificate and Hostname pointing to your MyWorkDrive Server over port 443 (SSL) (using our *.myworkdrive.net domain is not supported) and ensure your server is publicly accessible.  View Support Article.

Setup Steps

• Login to portal.azure.com as admin and connect to Azure AD Domain (if you are using Office 365 this is the same account you use to login to portal.office.com).
• Click on Azure Active Directory, Enterprise Applications – New Application – Search for “MyWorkDrive” – Add MyWorkDrive as an Enterprise App.

• Click Single sign-on
• Enter your reply URL – this will be your host name followed by /SAML/AssertionConsumerService.aspx for example: https://yourserver.yourdomain.com/SAML/AssertionConsumerService.aspx
• Optionally enter your sign-on URL if users will be logging on to MyWorkDrive directly (instead of accessing through myapps.microsoft.com portal) with your host name followed by:/Account/login-saml  for example:  https://yourserver.yourdomain.com/Account/login-saml
• Accept the default Entity ID of “MyWorkDrive” (This only needs to be changed if you have multiple MyWorkDrive Servers setup in your Azure AD configured Manually).
• Copy the App Federation Signing Certificate Metadata URL (under section 4) to the clipboard.

• On the MyWorkDrive Server in the admin panel, Enterprise Section, Enable ADFS/SAML, Choose SAML Azure AD and paste in the Azure App Federation Metadata URL. Click Save.  This will automatically pull down the Azure AD SSL Certificate for you.

• Assign a user or group in Azure Active Directory portal to the new MyWorkDrive App (Enterprise applications – All applications – MyWorkDrive – Single sign-on -SAML-based sign-on) users and groups.  Note Domain Users groups do not sync to Azure AD by default.

Test Access from Azure

After assigning to a test user.   Browse to https://myapps.microsoft.com.

Alternatively, browse to the Azure user access URL specified in the application properties for direct access to the application e.g. https://yourserver.yourdownload/account/login-saml or click all my applications under portal.office.com

Login to Azure AD.

Select the MyWorkDrive application.

The user is automatically logged into your MyWorkDrive browser Web File Manager.

SAML Logout

Azure Active Directory doesn’t support SAML logout.

SP-initiated SLO, where a SAML logout request is sent to Azure AD, doesn’t cause a logout response to be returned. Instead, Azure AD displays a message indicating the user is logged out and that the browser windows should be closed.

Logout from Azure AD doesn’t cause a logout request to be sent to the service provider. Azure AD doesn’t support configuring a SAML logout service URL for the service provider.

Troubleshooting

• Ensure you are using a browser for testing in-private or incognito to eliminate any caching issues
• Double check that user is able to login without SAML and they are using an email address that matches their UPN in Active Directory
• User receives error: The signed in user [email protected] is not assigned a role for the application – as per setup notes above: Assign a user or group they are a member of in Azure Active Directory portal to the new MyWorkDrive App (Enterprise applications – All applications – MyWorkDrive – Single sign-on -SAML-based sign-on) users and groups.
• Ensure the MyWorkDrive server is trusted for delegation as per our Delegation Article