
Question

LFDSSTS auto login with AD FS

asked on June 22, 2021

I have a customer that has set up AD FS and would like all users from the DMZ server to be forced to use AD FS.  We configured this and it does work, but...

When the user opens the site (Forms or Web Access), they get redirected to LFDSSTS, as expected, and are provided a button to click to log in with AD FS.  Since this is the only option, the customer would like to have it auto redirect to the AD FS page without the user having to click the button.  Is there a way that we can do this?


As a side note, the customer is also asking how long the authentication token/session lasts and how and/or where can they manage that time length?

0 0

Answer

SELECTED ANSWER
replied on June 22, 2021

Changelog:

Update May 15, 2025: Added variant of modified checkAutoLogin() function that (a) allows sending users to a specific URL after signing out, and (b) automatically selects the first available federated IDP without having to specify it by name.

Update Feb 7, 2024: Laserfiche Directory Server 11 Update 5 (released 19 Oct 2023) introduced native support for SAML SLO. Documentation: Configuring Single Logout (SLO) with SAML Authentication

Update July 7, 2021: Instructions on implementing Single Log Out (SLO) with AD FS

_____________________________

Hi Bert,

There are three parts to accomplishing what you're asking about.

Automatically selecting the Federated (AD FS) option on the STS login page:

Note that this works for any federated IdP (SAML) in addition to AD FS.

  1. On the server where STS is installed, open file Explorer and navigate to ".\Program Files\Laserfiche\Directory Server\Web\WebSTS\Views\Home"
  2. Make a backup copy of the "Login.cshtml" file and name it "Login-Original.cshtml" or similar
  3. Open "Login.cshtml" in a text editor of your choice
  4. Find the function called: "function checkAutoLogin()"
  5. Replace it with one of these modified versions. 

    Version 1: Explicitly set federated IDP, no logout redirect (goes back to STS login page). "IdPNameExactlyAsItAppearsInLFDS" (in LFDS web admin -> Identity Providers) is hopefully self-explanatory. For AD FS, it is the associated AD IdP name you have AD FS enabled for.
    function checkAutoLogin()
    {
        // If the logout marker cookie is absent, the user just arrived at the
        // login page: send them straight to the named federated IdP.
        var logoutMarkup = getCookie("lfdsstsLogoutMarkup");
        if (!logoutMarkup)
        {
            login(AuthType.Federation, "IdPNameExactlyAsItAppearsInLFDS");
        }
        // If the marker is present, the user just signed out: do nothing, so the
        // STS login page is shown instead of looping straight back into the IdP.
    }
    
    Version 2: Dynamically selected federated IDP (picks "first in the list"), redirects to the specified LogoutRedirectURL on logout. Update "https://example.com" with your own URL.
    function checkAutoLogin()
    {
        var logoutMarkup = getCookie("lfdsstsLogoutMarkup");
        // Where to send users after they sign out; replace with your own URL.
        var LogoutRedirectURL = "https://example.com/";
        if (!logoutMarkup)
        {
            // No logout marker: auto-select the first federated IdP that LFDS
            // renders (Razor fills in its display name server-side).
            login(AuthType.Federation, "@Model.FederationLoginOptions[0].ProviderName");
        }
        else
        {
            // Logout marker present: the user just signed out, so leave the
            // STS page rather than auto-logging them in again.
            window.open(LogoutRedirectURL, "_self");
        }
    }
    
    You can of course swap in the explicit federated IDP version of the login() function parameter if desired. The 
  6. Open the "Embedded.cshtml" file in the same directory and replace the autoLoginFunction there as well.
  7. Recycle the LicenseManagerSTS IIS Application Pool for the change to take effect.


[Optional but recommended]
Configure AD FS Single Log Out (SLO)

  1. In AD FS, open the Relying Party Trust for Laserfiche and go to the "Endpoints" tab
  2. Add a new SAML endpoint, with the following properties:
    1. Endpoint type: SAML
    2. Binding: Redirect
    3. Trusted URL: https://your-adfs-endpoint.example.com/adfs/ls/?wa=wsignout1.0
    4. Response URL: https://your-adfs-endpoint.example.com/logout 
    5. Example screenshot:

  3. Updated post 7 Feb 2024 noting Laserfiche has native SAML SLO support as of LFDS 11 Update 5. Use that instead of this workaround.
    In the WebSTS Login.cshtml and Embedded.cshtml files described in the section above, replace the checkAutoLogin function with this version that includes both automatic IdP selection and the SLO redirect call. Make sure to update both the IdP name and samlLogoutURL (the "Trusted URL" from the previous step) placeholder values.
    function checkAutoLogin()
    {
        var logoutMarkup = getCookie("lfdsstsLogoutMarkup");
        if (!logoutMarkup)
        {
            // No logout marker: auto-select the named federated IdP.
            login(AuthType.Federation, "IdPNameExactlyAsItAppearsInLFDS");
        }
        else
        {
            // Logout marker present: the user just signed out of Laserfiche, so
            // send the browser to the AD FS sign-out endpoint (the SLO "Trusted
            // URL" configured on the Relying Party Trust).
            var samlLogoutUrl = "https://your-adfs-endpoint.example.com/adfs/ls/?wa=wsignout1.0";
            window.location = samlLogoutUrl;
        }
    }
  4. Open the "SignOut.cshtml" in the same directory and find the "setLogoutMarkup" function. This sets the "lfdsstsLogoutMarkup" cookie we use to detect logout vs login. Within it there is a line reading:
    " var lifeTime = 1;"
    Update its value from "1" to "0.2" to change its lifespan from one minute to twelve seconds (0.2 min). With the auto-login plus SLO version of the code, you cannot attempt to log back in until this cookie expires. Twelve seconds should be long enough for even slow browsers/connections.


Configure AD FS to Always Require Authentication

Note: Implementing SLO as described above is at some level a client-side method of achieving a similar security goal. A dedicated attacker can trivially circumvent client-side SLO by blocking the redirect to the SLO endpoint in their browser. The method described below is enforced server-side and should be considered a required complementary security measure for publicly-accessible sites, and an optional one for intranet-only sites.

Because logging out of LFDS only invalidates the Laserfiche STS token and not the AD FS token, it is important to configure the AD FS Relying Party Trust for Laserfiche to Always Require Authentication. This prevents someone using the same AD FS token to log back into Laserfiche without having to re-authenticate.

For step-by-step instructions, please see my post here:

Laserfiche Answers: Force Reauthentication with AD FS


Set the LFDS STS token duration

  1. On the server where STS is installed, open a supported browser and go to https://localhost/LFDSSTS/configuration
  2. Set the "Default session timeout (minutes):" field to the desired duration. The default is 1440 minutes (24 hours)
  3. Click "Update" to save any changes


Other relevant settings

  1. Repository: Idle Disconnect (timeout) settings (affects all clients)
  2. Forms: Session idle timeouts (important note: Forms session timeouts trigger logout of all Laserfiche web applications and invalidate a user's current STS token)


I'm working on a way to have logging out in Laserfiche also kill the AD FS token (which is a bit more elegant than enabling Always Require Authentication in AD FS) and will update this post if and when I sort that out. Note: Updated post 7 July 2021 with this solution (SLO).

Let me know if that helps and please mark this as the Answer if it addresses your question.

Cheers,
Sam

4 0
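The modified checkAutoLogin() versions above all hinge on one thing: the "lfdsstsLogoutMarkup" cookie that SignOut.cshtml sets, which tells the login page "this user just signed out, do not auto-login them again". Below is an added, stand-alone JavaScript model of that decision (it is not code from Login.cshtml or from Laserfiche). It returns an action object instead of calling login()/window.location so the branches can be tested offline, covers both the explicit-IdP and first-in-list variants, and shows the minute-to-seconds conversion behind the lifeTime tweak. The function and option names (parseCookies, decideAutoLogin, cookieMaxAgeSeconds, providerName, logoutRedirectUrl) and the sample provider names are assumptions made for this example.

```javascript
// Added example: a testable model of the auto-login decision made by the
// modified checkAutoLogin() in Login.cshtml / Embedded.cshtml.
// Not Laserfiche code; function and option names are assumptions.

const LOGOUT_MARKUP_COOKIE = "lfdsstsLogoutMarkup";

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Decide what the STS login page should do on load.
//   cookieString      - the browser's document.cookie value
//   federationOptions - federated IdP display names in the order LFDS renders them
//                       (stands in for @Model.FederationLoginOptions)
//   settings.providerName      - explicit IdP name (Version 1 / SLO variant), optional
//   settings.logoutRedirectUrl - where to send a user who just signed out
function decideAutoLogin(cookieString, federationOptions, settings) {
  const cookies = parseCookies(cookieString);
  if (cookies[LOGOUT_MARKUP_COOKIE]) {
    // Logout marker present: the user just signed out. Auto-logging in here
    // would loop them straight back into a session, so redirect instead
    // (to a landing page, or to the AD FS wsignout endpoint for SLO).
    return { action: "redirect", url: settings.logoutRedirectUrl };
  }
  // No marker: pick the explicit IdP if configured, else the first federated one.
  const provider = settings.providerName || federationOptions[0];
  if (!provider) {
    // Nothing federated is configured: fall back to the normal STS login form.
    return { action: "showLoginForm" };
  }
  return { action: "login", authType: "Federation", provider: provider };
}

// The "lifeTime" value in SignOut.cshtml is in minutes; this is the cookie
// lifetime in whole seconds that it amounts to (0.2 minutes -> 12 seconds).
function cookieMaxAgeSeconds(lifeTimeMinutes) {
  return Math.round(lifeTimeMinutes * 60);
}
```

The reason the marker cookie lifetime matters is visible in the first branch: while the cookie lives, every visit to the login page is treated as "just signed out", so with the SLO variant a user cannot sign back in until it expires; the 0.2-minute value keeps that window at twelve seconds.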
replied on July 6, 2021

Note to anyone subscribed to this post that I've added instructions on implementing Single Log Out, which signs a user out of AD FS when they log out of Laserfiche.

0 0
replied on November 9, 2023

Looks like Single Log Out has been implemented out of the box with LFDS 11 Update 5.

1 0
replied on May 19

With the following, should I change the parameter value to 1 if I wanted to select Google as the IdP for automatic login? Does the riodemo.com which is for Active directory domain count?

0 0
replied on May 19

Only "federated" identity providers count - SAML and AD with AD FS enabled.

I don't know for sure how the array index is generated. It's probably the same order as appears in the LFDS list there. If you have multiple federated IDPs, I recommend explicitly declaring the one you want to use for auto-login with:

login(AuthType.Federation, "IdPNameExactlyAsItAppearsInLFDS")
0 0

Replies

replied on November 9, 2023

I've had a similar request from a customer who would like to bypass the same page/button press but they are using SAML authentication. Would the same function change achieve the same result?

0 0
replied on November 9, 2023

Yep! We are also looking into adding SAML auto-selection as a feature in a future release (at least a few out, don't wait for it).

1 0
replied on November 13, 2023

Just to confirm, for the "IdPNameExactlyAsItAppearsInLFDS" is this literally the display name of the provider, i.e. "Azure AD" or should it be an address/endpoint?

I tried using the endpoint name and then just the name of the provider ("Azure AD") but it still displays the SAML login button for both web client and Windows client.

0 0
replied on November 13, 2023

The display name of the provider as it appears in the Identity Providers list in LFDS Web Admin (/LFDS). I'd recommend copy/pasting it from there.

If for whatever reason that doesn't work, and you only have one Federated (SAML or AD FS) login option, you can also use this parameterized version of the login function call that always selects the first ([0]) option:

login(AuthType.Federation, "@Model.FederationLoginOptions[0].ProviderName"); 


1 0
replied on May 22

We were able to successfully set up autologin. However, we’ve discovered that some users are not registered with SAML and instead log in using their Laserfiche username and password. With the current configuration, those users are automatically redirected to the SAML IdP login page.

Is there a URL or method that would allow these users to be directed to the default LFDSSTS login page instead, rather than being immediately redirected to the IdP?

0 0
replied on May 22

Not that I've been able to think of. This has come up before and we weren't able to identify a method that would work.

0 0