
Question

Configure SAML Default Landing Page

asked on April 24, 2019

We have configured OKTA as our SAML provider and if I don't put in a Default Landing page I get the following error. (LFDS 10.3.1)

However, if I enter one in the 'Default Landing Page' which is my STS, formatted as https://hostname.domain.com/LFDSSTS/, I get a blank page.

I was following another answer that mentioned if the SAML provider has a RelayState, that it is not needed.

Why is the page blank if I set it according to the message above, and how do I fix it?

The screenshot below is from OKTA, and it indicates that in most cases the Default RelayState is blank.

Any suggestions?

Replies

replied on April 26, 2019

I updated the RelayState on OKTA to our Test Laserfiche environment and it is working now.

So I will set up a 2nd SAML SSO URL for Prod and configure another identity provider for our Production Laserfiche environment.

If this is not how to do it, please advise.

Thanks in advance

replied on April 30, 2019

Default RelayState is necessary if the user enters the Laserfiche SSO page (the STS) without a destination.

For example, if you navigate directly to the STS, there is no destination; on the other hand, if you click on a link to a form or document and then are redirected to the SSO page, you DO have a destination.

If end users are always signing in after attempting to access a Laserfiche application, then the RelayState default is really only useful to admins performing testing.

RelayState is information on the destination that is carried along during the SSO process, including during SAML authentication. As such, if you didn't have a destination when the SSO process started, the default RelayState will be added.

Note that LFDS-side configuration also has a default RelayState; I'm not sure how the Okta setting behaves, but setting them both is likely redundant. The primary use of the LFDS-side setting is to handle SAML providers that do not pass the RelayState through.

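To make the precedence described in the reply above concrete, here is an added Python example (not Laserfiche or Okta code) that models how a service provider picks the post-login destination from the RelayState returned with the SAML response, falling back to the LFDS-side default. The URLs, host allowlist and form bodies are constructed values, and the allowed-host check is an added safeguard rather than something the thread describes.

```python
from urllib.parse import urlparse, parse_qs

# Constructed configuration standing in for the STS settings discussed in the thread.
STS_URL = "https://hostname.domain.com/LFDSSTS/"
LFDS_DEFAULT_LANDING = "https://hostname.domain.com/Laserfiche"
ALLOWED_HOSTS = {"hostname.domain.com"}  # assumption: only our own host is a valid target


def parse_post_binding(body: str) -> dict:
    """Split an HTTP-POST binding form body into SAMLResponse and RelayState.
    A missing or empty RelayState (Okta's 'Default RelayState' left blank) maps to None."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "SAMLResponse": fields.get("SAMLResponse", [""])[0],
        "RelayState": fields.get("RelayState", [""])[0] or None,
    }


def resolve_landing(relay_state, lfds_default):
    """Pick the post-login destination in the order the reply above describes:
    1. the RelayState carried through SSO (the user's original destination, or the
       IdP's Default RelayState if the user arrived at the STS with no destination);
    2. the LFDS-side default, for providers that do not pass RelayState through;
    3. otherwise there is nowhere to send the user, which is the error in the question.
    The destination must be an https URL on an allowed host, and must not be the STS
    itself: looping back to the sign-in page matches the blank page the question describes."""
    destination = relay_state or lfds_default
    if not destination:
        raise ValueError("no destination: set a default RelayState or landing page")
    parsed = urlparse(destination)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing redirect to untrusted destination {destination!r}")
    if destination.rstrip("/") == STS_URL.rstrip("/"):
        raise ValueError("landing page points back at the STS; use an application URL")
    return destination


if __name__ == "__main__":
    # Constructed POST bodies: one with a carried RelayState, one without.
    with_dest = "SAMLResponse=c2FtcGxl&RelayState=https%3A%2F%2Fhostname.domain.com%2FForms"
    without = "SAMLResponse=c2FtcGxl"
    for body in (with_dest, without):
        print(resolve_landing(parse_post_binding(body)["RelayState"], LFDS_DEFAULT_LANDING))
```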
replied on April 30, 2019

Hi Brianna,

I understand to a degree, but if I set the RelayState to just https://hostname.domain.com/Laserfiche, then it works when I select the OKTA icon, but it does log me into the default repository. My main concern is what a user who doesn't have access to the default repository will experience, unless I just give them a direct link to the repository.

However, when the user logs out and uses the SAML option, won't they get an error because they don't have access to the default repository?

Just trying to understand how this works so we can use SSO internally and the Laserfiche App as well with SSO.

Any information that you can provide is appreciated in advance.

Thanks,

replied on April 30, 2019

The way the system is built now assumes that users are going to a repository that they have access to, whether by bookmark or clicking a link.

We have received a few related requests now, so I have filed a feature request to handle this case better and linked it back here.

Can you tell me more about how you expect users to navigate to the repository? E.g., click a link on a company portal; click a link in an email; type in https://yourmachinename.com/laserfiche...?

For now, you have a few options to make sure end users get where they need to go:

  • Ensure that the default repository is one all users have access to, and let them select their repository from the repository picker. They won't have to reauthenticate.
  • For the web client: turn off the option to "always use SSO"
    • Users will be redirected to the web client login page if they don't have access to a specific repository
    • From there, they can use the repository selector to choose their desired repository, then click "Sign in using Laserfiche Directory Server". If they have access to this other repository, they won't be prompted for login again
  • Ensure that whatever links users are provided specify the repository
  • If you prefer a single link to "Laserfiche" as your starting point, create your own landing page for where users go after SSO
    • Include links/a selector for different repositories
    • Make your Laserfiche link go straight to the SSO page so users don't have a relay state
    • Put your custom site as the default relay state