
Question

LFDSSTS auto login with AD FS

asked on June 22, 2021

I have a customer that has set up AD FS and would like all users from the DMZ server to be forced to use AD FS.  We configured this and it does work, but...

When the user opens the site (Forms or Web Access), they get redirected to LFDSSTS, as expected, and are provided a button to click to log in with AD FS.  Since this is the only option, the customer would like to have it auto redirect to the AD FS page without the user having to click the button.  Is there a way that we can do this?


As a side note, the customer is also asking how long the authentication token/session lasts and how and/or where can they manage that time length?

0 0

Answer

SELECTED ANSWER
replied on June 22, 2021

Changelog:

Update 7 Feb 2024: Laserfiche Directory Server 11 Update 5 (released 19 Oct 2023) introduced native support for SAML SLO. Documentation: Configuring Single Logout (SLO) with SAML Authentication

Updated 7 July 2021 with instructions on implementing Single Log Out (SLO) with AD FS

_____________________________

Hi Bert,

There are three parts to accomplishing what you're asking about.

Automatically selecting the Federated (AD FS) option on the STS login page:

Note that this works for any federated IdP (SAML) in addition to AD FS.

  1. On the server where STS is installed, open File Explorer and navigate to ".\Program Files\Laserfiche\Directory Server\Web\WebSTS\Views\Home"
  2. Make a backup copy of the "Login.cshtml" file and name it "Login-Original.cshtml" or similar
  3. Open "Login.cshtml" in a text editor of your choice
  4. Find the function called: "function checkAutoLogin()"
  5. Replace it with this modified version, where "IdPNameExactlyAsItAppearsInLFDS" (in LFDS web admin -> Identity Providers) is hopefully self-explanatory. For AD FS, it is the associated AD IdP name you have AD FS enabled for.
    function checkAutoLogin()
    {
    	// Set by setLogoutMarkup() in SignOut.cshtml; only present during a sign-out.
    	var logoutMarkup = getCookie("lfdsstsLogoutMarkup");
    	if (!logoutMarkup)
    	{
    		// Not a sign-out: skip the button and go straight to the federated IdP.
    		login(AuthType.Federation, "IdPNameExactlyAsItAppearsInLFDS");
    	}
    };
  6. Open the "Embedded.cshtml" file in the same directory and replace the autoLoginFunction there as well.
  7. Recycle the LicenseManagerSTS IIS Application Pool for the change to take effect.


[Optional but recommended]
Configure AD FS Single Log Out (SLO)

  1. In AD FS, open the Relying Party Trust for Laserfiche and go to the "Endpoints" tab
  2. Add a new SAML endpoint, with the following properties:
    1. Endpoint type: SAML
    2. Binding: Redirect
    3. Trusted URL: https://your-adfs-endpoint.example.com/adfs/ls/?wa=wsignout1.0
    4. Response URL: https://your-adfs-endpoint.example.com/logout 
    5. Example screenshot: (image not reproduced in this text version)
  3. Updated post 7 Feb 2024 noting Laserfiche has native SAML SLO support as of LFDS 11 Update 5. Use that instead of this workaround.
    In the WebSTS Login.cshtml and Embedded.cshtml files described in the section above, replace the checkAutoLogin function with this version that includes both automatic IdP selection and the SLO redirect call. Make sure to update both the IdP name and samlLogoutURL (the "Trusted URL" from the previous step) placeholder values.
    function checkAutoLogin()
    {
    	// Set by setLogoutMarkup() in SignOut.cshtml; only present during a sign-out.
    	var logoutMarkup = getCookie("lfdsstsLogoutMarkup");
    	if (!logoutMarkup)
    	{
    		// Not a sign-out: skip the button and go straight to the federated IdP.
    		login(AuthType.Federation, "IdPNameExactlyAsItAppearsInLFDS");
    	}
    	else
    	{
    		// Sign-out in progress: send the browser to the IdP's SLO endpoint
    		// (the "Trusted URL" configured on the AD FS Relying Party Trust).
    		var samlLogoutUrl = "https://your-adfs-endpoint.example.com/adfs/ls/?wa=wsignout1.0";
    		window.location = samlLogoutUrl;
    	}
    };
  4. Open the "SignOut.cshtml" in the same directory and find the "setLogoutMarkup" function. This sets the "lfdsstsLogoutMarkup" cookie we use to detect logout vs login. Within it there is a line reading:
    " var lifeTime = 1;"
    Update its value from "1" to "0.2" to change its lifespan from one minute to twelve seconds (0.2 min). With the auto-login plus SLO version of the code, you cannot attempt to log back in until this cookie expires. Twelve seconds should be long enough for even slow browsers/connections.


Configure AD FS to Always Require Authentication

Note: Implementing SLO as described above is at some level a client-side method of achieving a similar security goal. A dedicated attacker can trivially circumvent client-side SLO by blocking the redirect to the SLO endpoint in their browser. The method described below is enforced server-side and should be considered a required complementary security measure for publicly accessible sites, and an optional one for intranet-only sites.

Because logging out of LFDS only invalidates the Laserfiche STS token and not the AD FS token, it is important to configure the AD FS Relying Party Trust for Laserfiche to Always Require Authentication. This prevents someone using the same AD FS token to log back into Laserfiche without having to re-authenticate.

For step-by-step instructions, please see my post here:

Laserfiche Answers: Force Reauthentication with AD FS


Set the LFDS STS token duration

  1. On the server where STS is installed, open a supported browser and go to https://localhost/LFDSSTS/configuration
  2. Set the "Default session timeout (minutes):" field to the desired duration. The default is 1440 minutes (24 hours)
  3. Click "Update" to save any changes


Other relevant settings

  1. Repository: Idle Disconnect (timeout) settings (affects all clients)
  2. Forms: Session idle timeouts (important note: Forms session timeouts trigger logout of all Laserfiche web applications and invalidate a user's current STS token)


I'm working on a way to have logging out in Laserfiche also kill the AD FS token (which is a bit more elegant than enabling Always Require Authentication in AD FS) and will update this post if and when I sort that out. Note: Updated post 7 July 2021 with this solution (SLO).

Let me know if that helps and please mark this as the Answer if it addresses your question.

Cheers,
Sam

4 0
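The following is an added example, not code from the original post or from Laserfiche. It models the client-side logic the selected answer describes: the modified checkAutoLogin() selects the federated IdP unless the "lfdsstsLogoutMarkup" cookie written by SignOut.cshtml is present, in which case it redirects to the AD FS sign-out URL, and the "lifeTime" value in setLogoutMarkup decides how long that cookie (and therefore the redirect loop) lasts. The browser's document.cookie and window.location are replaced by an in-memory cookie jar and a returned decision so the logic runs under Node. The cookie name, the IdP placeholder and the SLO URL are the values used in the post; CookieJar, simulateLogoutThenLogin and the timestamp are assumptions constructed for the example.

```javascript
// Added example (not from the original post or Laserfiche): models the modified
// checkAutoLogin() and the logout-marker cookie lifetime from the answer above.

const LOGOUT_MARKUP_COOKIE = "lfdsstsLogoutMarkup";

// Minimal in-memory cookie jar (an assumption for this example) that renders the
// "a=b; c=d" string document.cookie would expose at a given instant.
class CookieJar {
  constructor() {
    this.entries = new Map();
  }

  // Store a cookie with a lifetime in minutes, as setLogoutMarkup() in
  // SignOut.cshtml does with its "lifeTime" variable.
  set(name, value, lifeTimeMinutes, nowMs) {
    const expires = nowMs + lifeTimeMinutes * 60 * 1000;
    this.entries.set(name, { value, expires });
  }

  // Equivalent of reading document.cookie: expired cookies are not visible.
  cookieStringAt(nowMs) {
    return [...this.entries]
      .filter(([, c]) => c.expires > nowMs)
      .map(([n, c]) => `${n}=${encodeURIComponent(c.value)}`)
      .join("; ");
  }
}

// Same job as the page's getCookie(): the named cookie's value, or "" if absent.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return "";
}

// The decision the modified checkAutoLogin() makes. Instead of calling login()
// or assigning window.location, it returns the action it would take.
function checkAutoLogin(cookieString, idpName, samlLogoutUrl) {
  const logoutMarkup = getCookie(cookieString, LOGOUT_MARKUP_COOKIE);
  if (!logoutMarkup) {
    // No logout marker: skip the button and go straight to the federated IdP.
    return { action: "login", authType: "Federation", provider: idpName };
  }
  // Logout marker present: this is a sign-out, so bounce to the IdP's SLO endpoint.
  return { action: "redirect", url: samlLogoutUrl };
}

// Walk through a sign-out followed by a return to the login page `secondsLater`
// seconds afterwards, with the marker cookie's lifetime set to `lifeTimeMinutes`.
// Shows why the answer lowers lifeTime from 1 (60 s) to 0.2 (12 s): until the
// cookie expires, every visit to the login page is treated as a sign-out.
function simulateLogoutThenLogin(lifeTimeMinutes, secondsLater) {
  const idpName = "IdPNameExactlyAsItAppearsInLFDS";
  const samlLogoutUrl = "https://your-adfs-endpoint.example.com/adfs/ls/?wa=wsignout1.0";
  const jar = new CookieJar();
  const t0 = Date.UTC(2024, 1, 7, 12, 0, 0); // constructed timestamp

  // SignOut.cshtml runs: marker cookie written, then the STS login page loads.
  jar.set(LOGOUT_MARKUP_COOKIE, "<p>You have been signed out.</p>", lifeTimeMinutes, t0);
  const atLogout = checkAutoLogin(jar.cookieStringAt(t0), idpName, samlLogoutUrl);

  // The user comes back to the login page some seconds later.
  const t1 = t0 + secondsLater * 1000;
  const atReturn = checkAutoLogin(jar.cookieStringAt(t1), idpName, samlLogoutUrl);

  return { atLogout: atLogout.action, atReturn: atReturn.action };
}

console.log("lifeTime = 1,   13 s later:", simulateLogoutThenLogin(1, 13));
console.log("lifeTime = 0.2, 13 s later:", simulateLogoutThenLogin(0.2, 13));
```

Run with `node` to see the two cases side by side: with the original one-minute lifetime a user who signs out and returns 13 seconds later is redirected to SLO again, while with 0.2 minutes the marker has expired and the page auto-selects the IdP. The simulation also makes the answer's caveat concrete: everything here runs in the browser, so a user who simply never follows the SLO redirect keeps a valid AD FS session, which is why the server-side "Always Require Authentication" setting on the Relying Party Trust is the enforced control.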
replied on July 6, 2021

Note to anyone subscribed to this post that I've added instructions on implementing Single Log Out, which signs a user out of AD FS when they log out of Laserfiche.

0 0
replied on November 9, 2023

Looks like Single Log Out has been implemented out of the box with LFDS 11 Update 5.

1 0

Replies

replied on November 9, 2023

I've had a similar request from a customer who would like to bypass the same page/button press but they are using SAML authentication. Would the same function change achieve the same result?

0 0
replied on November 9, 2023

Yep! We are also looking into adding SAML auto-selection as a feature in a future release (at least a few out, don't wait for it).

1 0
replied on November 13, 2023

Just to confirm, for the "IdPNameExactlyAsItAppearsInLFDS" is this literally the display name of the provider, i.e. "Azure AD" or should it be an address/endpoint?

I tried using the endpoint name and then just the name of the provider ("Azure AD") but it still displays the SAML login button for both web client and Windows client.

0 0
replied on November 13, 2023

The display name of the provider as it appears in the Identity Providers list in LFDS Web Admin (/LFDS). I'd recommend copy/pasting it from there.

If for whatever reason that doesn't work, and you only have one Federated (SAML or AD FS) login option, you can also use this parameterized version of the login function call that always selects the first ([0]) option:

login(AuthType.Federation, "@Model.FederationLoginOptions[0].ProviderName");

1 0