Question

Utility to Transfer Feature Rights, Access Rights, and Privileges from Domain Accounts to Shibboleth Accounts

asked on June 28, 2019

Is there a utility similar to this one (which converts Laserfiche to Domain Accounts) but for converting Domain Accounts to Shibboleth Accounts?  If not, what is the fastest way to bring the rights over?  Does it have to be a manual process?  Thank you!

0 0

Replies

replied on July 2, 2019

We are currently working on a feature that will support SAML authentication for domain accounts, as long as the SAML tokens contain either the Active Directory SID or the user's DN (distinguished name).

Would the ability to authenticate your existing (and future) directory users through Shibboleth address your need?

0 0
replied on July 3, 2019

Thanks Brianna!

Just to confirm, we'd be able to keep our existing Windows Accounts but use Shibboleth to authenticate?  Would it work similar to how we can tie a Windows Account to a Laserfiche Named User but use Windows Authentication to authenticate?

If so, that would address our need.  

0 0
SELECTED ANSWER
replied on July 16, 2019

You are correct: you would be able to keep your existing Windows accounts but use Shibboleth to authenticate.

Rather than creating new Shibboleth users and tying the existing users to each new Shibboleth user (like the named user + Windows account link), the mapping will be at the identity provider level.

That is, within the SAML provider settings, you select which Windows identity providers will use that SAML provider to authenticate.

To make this work, you must ensure that information that can properly identify the Windows user and their Windows groups is present on the SAML token provided by Shibboleth, either as an AD SID or DN.

0 0
replied on July 24, 2019

The customer does not have SIDs.  They do have DNs but it's not the same as the DNs in their Active Directory.  I'm assuming that won't work then?

Not sure if this will help but the Shibboleth usernames are an exact match to the AD username.

Thanks Brianna!

0 0
replied on July 24, 2019

You're correct: if their DNs don't match the DN in AD, then they will not be able to use the DN for mapping. Unfortunately, it sounds like you would be unable to use this feature without making changes to Shibboleth.

It's not common for AD SIDs to be included in the token by default, but if Shibboleth is backed by Active Directory it should be possible to add them.

At this time, we don't have a conversion utility for AD users to SAML users. I have added this post to the internal feature request.

0 0
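The selected answer above says the token must carry something that identifies the AD user, either the AD SID or the DN, and the July 24 exchange shows the failure mode where the DN released by Shibboleth is not the same DN that Active Directory holds. The following is an added example (not Laserfiche's or Shibboleth's code) that shows what such a check looks like from the relying party's side: it parses a SAML 2.0 attribute statement, decodes a binary AD objectSid into its `S-1-5-...` text form, and decides whether a SID or a matching DN is available for mapping. The attribute names `objectSid` and `distinguishedName`, the Base64 encoding of the SID value, and the sample assertions are all assumptions constructed for the example.

```python
"""Check whether a SAML assertion carries the identifiers needed to map a
federated login back to an existing Active Directory account: the AD
objectSid (rendered as an S-1-... string) or the account's AD DN.

Added example. Attribute names, the Base64 encoding of the SID, and the
sample assertions are constructed assumptions, not vendor behaviour.
"""
import base64
import struct
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute names; an IdP can release these under any name it likes.
SID_ATTR = "objectSid"
DN_ATTR = "distinguishedName"


def decode_sid(blob: bytes) -> str:
    """Convert the binary objectSid that AD stores in LDAP to S-1-5-... form.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid; used only to build the constructed sample token."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_ad_identity(assertion_xml: str, known_ad_dns: set) -> dict:
    """Decide how the token could be mapped to an AD account.
    A SID identifies the account unambiguously; a DN only works when it is
    the very DN Active Directory holds (the mismatch case from the thread)."""
    attrs = saml_attributes(assertion_xml)
    result = {"method": None, "identifier": None, "reason": ""}
    if attrs.get(SID_ATTR):
        result["method"] = "sid"
        result["identifier"] = decode_sid(base64.b64decode(attrs[SID_ATTR][0]))
        return result
    dn = attrs.get(DN_ATTR, [""])[0]
    if dn and dn.casefold() in {d.casefold() for d in known_ad_dns}:
        result["method"] = "dn"
        result["identifier"] = dn
        return result
    result["reason"] = ("DN on token does not match any AD DN" if dn
                        else "token carries neither a SID nor a DN")
    return result


# ---- constructed sample data -------------------------------------------------
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_DN = "CN=Jane Doe,OU=Staff,DC=example,DC=edu"


def _assertion(attributes: dict) -> str:
    """Build a minimal constructed SAML 2.0 assertion carrying the given attributes."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        "</saml:Attribute>" % (name, value) for name, value in attributes.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>" % body)


TOKEN_WITH_SID = _assertion(
    {SID_ATTR: base64.b64encode(encode_sid(SAMPLE_SID)).decode(), "uid": "jdoe"})
TOKEN_WITH_FOREIGN_DN = _assertion(
    {DN_ATTR: "uid=jdoe,ou=people,dc=shib,dc=example,dc=edu"})
TOKEN_WITH_AD_DN = _assertion({DN_ATTR: SAMPLE_DN})

if __name__ == "__main__":
    for label, token in [("sid", TOKEN_WITH_SID), ("foreign dn", TOKEN_WITH_FOREIGN_DN),
                         ("ad dn", TOKEN_WITH_AD_DN)]:
        print(label, resolve_ad_identity(token, {SAMPLE_DN}))
```

Running the block shows the three outcomes from the thread: the SID token maps regardless of what the DN looks like, the DN token maps only when the DN is byte-for-byte the AD one (case-insensitively), and a DN from a separate Shibboleth directory tree is rejected with a reason, which is the situation that forced the change on the IdP side rather than on Laserfiche.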
replied on July 25, 2019

Thanks Brianna!  Sorry, one more question.  Is there an estimated timeframe for this new feature?  The customer has a hard deadline for the end of the year to get Shibboleth up and running with Laserfiche.  We're trying to figure out whether we should just bite the bullet and manually configure all the new Shibboleth users or wait for this new feature.

0 0
replied on September 26, 2019

Sorry for the long delay in response! The new feature to authenticate AD users through SAML providers if they have their AD SID on the token is targeted for release around end of November/early December, which may be cutting it close for your project.

0 0
replied on December 4, 2019

Hi Brianna-

We are excited for this feature, did it make it into the 10.4.2 directory server release or is coming later?

Thanks for your work on this! 

0 0
APPROVED ANSWER
replied on December 9, 2019

The upcoming release of directory server (part of Laserfiche 10.4.2; Directory Server itself is on 10.4.3) can support AD users authenticating through SAML, with the above requirement: the AD SID must be included in the SAML token for AD users.

I'd love to hear how the feature works out for you!

0 0
replied on December 9, 2019

Fantastic, thanks! We'll get it installed as soon as it is released!

0 0
replied on July 16, 2020

Hi Brianna-

We got around to upgrading to Directory Server 10.4.4 today, we can confirm this feature works as expected. Thank you to you and the team for making this a reality!

3 0
replied on July 21, 2020

It's great to hear confirmation that it worked for you --- thank you!

0 0
replied on July 9, 2019

Any update on this, Brianna?  Thanks!

0 0
replied on September 23, 2019

Hello, I was curious if there was an update on when this will be released?

0 0