Question

Only show SAML Logon Options on the LFDSSTS page

asked on December 5, 2019

Is there a way to show only the SAML login option on the LFDSSTS page? That is, if a user goes to the Web Client URL and is redirected to the LFDSSTS page for logon, can the options there be limited to the (SAML) Azure AD login button only?

All of the client's users will be utilizing SAML.

0 0

Answer

APPROVED ANSWER SELECTED ANSWER
replied on December 23, 2019

LFDS 10.4.3 (released with the LF 10.4.2 suite) allows you to hide Laserfiche and Windows authentication via the STS configuration page. This will make your SAML button the only login choice displayed.

1 0
replied on January 6, 2020

Does this update also have the same effect as described in the previous answer, specifically #2:

2. It makes the Laserfiche Sign Out buttons in Web Client/Forms/etc. functionally not work as long as a user still has a valid Azure AD SAML token, as LFDS will immediately and automatically re-authenticate them. Laserfiche does not have Single Sign Out with SAML providers at this time, so signing out of Laserfiche doesn't invalidate the Azure AD/etc. SAML token.

0 0
replied on January 6, 2020

That effect will not happen when using the approach I described. After signing out you will land back on the sign in page like normal.

Note that if you still have a valid token from the SAML provider and click the SAML sign in button again, you won't be prompted for credentials to log in. (The same problem as in Sam's approach, but the button isn't auto-clicked now.)

1 0

Replies

replied on December 10, 2019

Dec 2019 edit: Laserfiche 10.4.2 (with LFDS 10.4.3) now natively supports hiding the Laserfiche (username/password) and Windows Authentication options. Please see Chase Hill's answer. You still need to implement the change below for SAML auto-login.

----------------------------------------------------------------------

Hi Karim,

You mentioned users will utilize Azure AD SAML logins. In that case, you can update the LFDSSTS login page to automatically select Azure AD. The following approach works for any SAML provider.

  1. Find .\Program Files\Laserfiche\Directory Server\Web\WebSTS\Views\Home\Login.cshtml
  2. Make a backup copy of the file
  3. Open the original and modify the "<body onload>" section as specified in step 4 to call the existing login function for SAML (basically auto-clicking the button)
  4. Add the bolded part to the existing function call list, where <Azure AD> is the exact name of the SAML IdP specified in the Identity Providers section of LFDS:

    <body onload="checkSize(); checkConfig(); loadLocalVars(); checkAutoLogin(); login(AuthType.Federation, '<Azure AD>'); checkInputValid(); checkNotifications(); setString(); addListener(); updateCopyRight();">
  5. Save the file
  6. Recycle the LFDSSTS IIS application pool
  7. In a new Chrome Incognito window, navigate to a Laserfiche web app integrated with LFDSSTS for auth. It should automatically redirect you to Azure AD.

Please note the following important implications of making this change:

  1. As this is a custom modification to the LFDSSTS login page, it will likely not be preserved after an LFDS upgrade. Easy enough to re-add though. We're looking into adding a native option for this functionality in a future release.
  2. It makes the Laserfiche Sign Out buttons in Web Client/Forms/etc. functionally not work as long as a user still has a valid Azure AD SAML token, as LFDS will immediately and automatically re-authenticate them. Laserfiche does not have Single Sign Out with SAML providers at this time, so signing out of Laserfiche doesn't invalidate the Azure AD/etc. SAML token.

Good luck and let me know if you have any questions!

Cheers,

Sam

4 0
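The auto-click above has the side effect noted in implication #2: every landing on the STS page re-triggers the SAML login, so sign-out is immediately undone. The following is an added example, not Laserfiche's own code, of a small guard that wraps the same `login(AuthType.Federation, ...)` call but skips it right after an explicit sign-out. The sign-out signal is an assumption: it expects either a hypothetical `?signout=1` query parameter on the STS URL or a hypothetical `lf-signout` sessionStorage key set before the redirect; the IdP name is a placeholder to be replaced with the name configured in LFDS.

```javascript
// Added example (not Laserfiche code): guard the auto-click so that an explicit
// sign-out is not undone on the very next page load. Both signals below are
// hypothetical; adapt them to how your sign-out flow actually reaches STS.
const SAML_IDP_NAME = 'Azure AD';   // placeholder: exact IdP name from LFDS
const SIGNOUT_FLAG = 'lf-signout';  // hypothetical sessionStorage key

// Decide whether the login page should auto-trigger the SAML sign-in.
// search: window.location.search; storage: a sessionStorage-like object.
function shouldAutoLogin(search, storage) {
  const params = new URLSearchParams(search || '');
  if (params.get('signout') === '1') {
    return false;                       // user just signed out: show the buttons
  }
  if (storage.getItem(SIGNOUT_FLAG) === '1') {
    storage.removeItem(SIGNOUT_FLAG);   // one-shot: the next visit auto-logs in again
    return false;
  }
  return true;
}

// Drop-in for the bare login(...) call in <body onload>. win must expose
// login() and AuthType, which the STS page already defines.
// Returns the IdP name when the auto-click fired, null when it was skipped.
function autoLogin(win) {
  if (!shouldAutoLogin(win.location.search, win.sessionStorage)) {
    return null;
  }
  win.login(win.AuthType.Federation, SAML_IDP_NAME);
  return SAML_IDP_NAME;
}

// Minimal in-memory stand-in for sessionStorage (constructed for testing
// outside a browser; in the page, pass window.sessionStorage instead).
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}
```

In the page, replace `login(AuthType.Federation, '<Azure AD>');` in the onload list with `autoLogin(window);` and have your sign-out handler set the flag before redirecting; the user still ends up on the STS page with the SAML button visible rather than being bounced straight back to the IdP.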
replied on December 11, 2019

Thank you very much Samuel Carson!

0 0
replied on December 11, 2019

You're welcome! Please write back letting me know if the solution worked for you and mark my response as the Answer if so.

0 0
replied on October 22, 2020

A little late to the party here, but the issue with this is that it forces all users to use this. In the app in Azure there is a field for this specifically (Sign On URL), but if you attempt to use the https://url.com/laserfiche it still kicks the user back to the STS site. It looks like maybe this is in how the token is received by Laserfiche?

0 0
replied on October 22, 2020

Hey Jeremy,

Even if you have a valid SAML token, you need a Laserfiche token to reach the end app. So the end app redirects you to STS to get one, but STS doesn't know which login method you want to use.

0 0
replied on October 22, 2020

That makes sense; however, Laserfiche is just being compared to other applications that have similar functionality, so there must exist some way for the token to either be auto generated or checked for prior to directing to the STS site.

0 0
replied on October 23, 2020

There is no way around being redirected to STS. Having STS then automatically log you in to Laserfiche is doable however. This is not functionality we provide currently, so I will file a feature request to our backlog for this.

0 0