SAML Single Sign On Manual Configuration
MyWorkDrive SAML Manual Configuration Overview
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically – between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
MyWorkDrive Server 5.0 supports SAML-based Web File Manager Single Sign On (SSO) in addition to ADFS (which is configured separately). For SAML, MyWorkDrive acts as the Service Provider (SP) while the partner acts as the Identity Provider (IdP), for example: Shibboleth, OneLogin, Centrify, Azure AD, Okta, etc.
Preconfigured SAML Setup Guides
Several SAML providers are preconfigured in MyWorkDrive and use a simplified setup process. Please visit the following articles for setup of Azure AD, Okta and OneLogin. It is neither necessary nor recommended to manually configure MyWorkDrive for these providers.
Manual SAML Prerequisites
- Ensure users have a UPN suffix applied for the domain name that matches the SAML provider login name, so they can log in to your MyWorkDrive server with their email address.
- Ensure the MyWorkDrive server is trusted for delegation as per our Delegation Article
- Setup your own public SSL Certificate and Hostname pointing to your MyWorkDrive Server over port 443 (SSL) (using our *.myworkdrive.net domain is not supported) and ensure your server is publicly accessible. View Support Article.
The following explains the user login flow to MyWorkDrive from an identity provider (IdP):
- It is assumed all users are logging into the IdP using their UPN suffix (eg @yourdomain.com) and it matches their Active Directory username UPN.
- Your MyWorkDrive server is using your own host name and SSL Certificate (*.MyWorkDrive.net is not supported for SAML).
- The user clicks the MyWorkDrive assertion consumer service URL (eg. https://YourMWDserver.yourdomain.com/SAML/AssertionConsumerService.aspx) as the single sign-on URL.
- If the user is not already logged into the IdP, the MyWorkDrive server redirects the user to the SSO service to sign in.
- Once confirmed, the IdP service generates a valid SAML response and redirects the user back to MyWorkDrive to verify the SAML response.
- If the user authentication is successfully validated, they are automatically logged into their company's MyWorkDrive Web File Manager.
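The "verify the SAML response" step is where the Service Provider's security lives. The following is an added illustration (example code, not MyWorkDrive's own implementation) of the checks an SP performs on a returned SAML response before mapping the user to an Active Directory account: the status is Success, Destination equals the assertion consumer service URL from the flow above, InResponseTo matches the request the SP issued, the audience names this SP, the assertion is inside its validity window, and the NameID is a UPN with the expected suffix (the prerequisite from the list above). The SP Entity ID, IdP issuer, timestamps and the sample response are constructed for the demo; XML signature verification is deliberately left to an XML-DSig library and must run before any of these checks can be trusted.

```python
"""SP-side validation of a SAML 2.0 Response (added example, not MyWorkDrive code).

Assumptions (not from the page): the IdP sends the user's UPN as the NameID,
SP_ENTITY_ID and the IdP issuer are hypothetical values, and the ACS URL follows
the pattern shown in the login flow. Signature verification is NOT implemented
here; do it with an XML-DSig library before trusting any of these checks.
"""
import xml.etree.ElementTree as ET  # use defusedxml in production to block XXE / entity expansion
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

ACS_URL = "https://YourMWDserver.yourdomain.com/SAML/AssertionConsumerService.aspx"
SP_ENTITY_ID = "https://YourMWDserver.yourdomain.com/SAML"  # hypothetical SP Entity ID
EXPECTED_UPN_SUFFIX = "@yourdomain.com"
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC ISO-8601 with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, expected_request_id: str, now: datetime) -> dict:
    """Return {'ok': bool, 'reason': str, 'upn': str | None} after the SP checks."""
    root = ET.fromstring(xml_text)
    # 1. The IdP must report Success
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return {"ok": False, "reason": "status not Success", "upn": None}
    # 2. Destination must be this SP's ACS URL (a response minted for another SP is rejected)
    if root.get("Destination") != ACS_URL:
        return {"ok": False, "reason": "destination mismatch", "upn": None}
    # 3. InResponseTo must match the AuthnRequest this SP issued (SP-initiated flow)
    if root.get("InResponseTo") != expected_request_id:
        return {"ok": False, "reason": "InResponseTo mismatch", "upn": None}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "no assertion", "upn": None}
    # 4. The audience restriction must name this SP
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return {"ok": False, "reason": "audience mismatch", "upn": None}
    # 5. The assertion must be inside its validity window, allowing a little skew
    cond = assertion.find("saml:Conditions", NS)
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        return {"ok": False, "reason": "assertion expired or not yet valid", "upn": None}
    # 6. The NameID must be a UPN in the domain that maps onto Active Directory
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    upn = (name_id.text or "").strip() if name_id is not None else ""
    if not upn.lower().endswith(EXPECTED_UPN_SUFFIX):
        return {"ok": False, "reason": "NameID is not a UPN in the expected domain", "upn": upn or None}
    return {"ok": True, "reason": "ok", "upn": upn}


def sample_response(upn="jane.doe@yourdomain.com", destination=ACS_URL, audience=SP_ENTITY_ID,
                    request_id="_req123", not_before="2024-01-01T12:00:00Z",
                    not_after="2024-01-01T12:05:00Z") -> str:
    # Constructed, unsigned response for the demo; a real one carries a ds:Signature element.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="{destination}" InResponseTo="{request_id}">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>{upn}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


DEMO_NOW = datetime(2024, 1, 1, 12, 2, 0, tzinfo=timezone.utc)  # constructed "current time"


def run_demo() -> dict:
    """Validate one good response and several broken ones (all constructed)."""
    cases = {
        "valid": sample_response(),
        "other_sp_destination": sample_response(destination="https://other-sp.example.test/acs"),
        "wrong_audience": sample_response(audience="https://other-sp.example.test"),
        "expired": sample_response(not_before="2024-01-01T11:00:00Z", not_after="2024-01-01T11:05:00Z"),
        "foreign_upn": sample_response(upn="jane.doe@otherdomain.com"),
        "stale_request_id": sample_response(request_id="_stale"),
    }
    return {name: validate_response(xml, "_req123", DEMO_NOW) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22} ok={result['ok']!s:5} reason={result['reason']} upn={result['upn']}")
```

Each rejected case corresponds to a misconfiguration you will meet in practice: a Destination or Audience mismatch usually means the ACS URL or Entity ID entered at the IdP does not match the MyWorkDrive hostname exactly, an expired assertion points to clock drift between the IdP and the server, and a NameID outside the expected suffix is the UPN prerequisite from the list above not being met.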