Question

Quick Fields 11 - LFDS Authentication URL

asked on April 8, 2022

In Quick Fields 11, much like other Laserfiche 11 Desktop Applications, there is the added ability to login utilizing LFDS SSO (LFDSSTS). My question is, where is it pulling the URL from that it tries to reach the LFDSSTS at?

 

My assumption is that it's pulling it from the LF Server license, which gives the LFDS Server location (server name), and it's simply appending "/LFDSSTS" to that and looking for the LFDSSTS site on that server.

 

This is an issue, however, if the LFDSSTS is installed on a different machine than the LFDS Server (which is a supported configuration).

 

We had the same issue with the Windows Client, but we were able to override that with a registry key:

HKEY_CURRENT_USER\Software\Laserfiche\Client8\Profile\Settings:
LFDSSTSUrl = <URL>

 

My next question is, are we able to override where a Quick Fields session is looking for the LFDSSTS with the URL we need it to reach?

 

 

(gets the 404 error because it's looking for the LFDSSTS on the LFDS Server, but it's not there, it's installed on a different server)

How do I tell Quick Fields to look somewhere else for the LFDSSTS?

0 0

Answer

APPROVED ANSWER SELECTED ANSWER
replied on April 15, 2022

Hi Dustin,

Thanks for the detailed explanation of the use case; we fully understand it now. Regarding the bug in Quick Fields, we are planning to release an update for Quick Fields 11 in May or June with fixes for bugs reported by customers, and we will include this one as well.

For the part "We did try to setup a Laserfiche Account (LFDS username/password), so that MFA could still be leveraged, but typing that into the username/password field in Quick Fields doesn't work as expected;", did you add the Laserfiche Account from LFDS under the "Laserfiche Directory Accounts" section for the repository?

I checked that if I add the Laserfiche user from LFDS in the repository and make sure the MFA status for the user is not required, then I can log in with this Laserfiche user in Quick Fields with username and password.

0 0

Replies

replied on April 12, 2022

Hi Dustin,

You are right: by default, Quick Fields gets the LFDSSTS URL from Laserfiche Server, which generates it based on the LFDS Server information from the license file. Quick Fields 11 was supposed to support overriding the default LFDSSTS URL from Laserfiche Server with the following registry value:

Registry key: HKEY_CURRENT_USER\Software\Laserfiche\Client8\Profile\{repositoryname}Settings
Registry value: LFDSSTSUrl

But there is a bug in Quick Fields 11: after adding this registry value, the LFDS tab no longer appears.

Can you share with us your use case for installing LFDS and LFDSSTS on separate machines? Are you able to use a repository username/password to authenticate to the repository for Quick Fields as a workaround?

3 0
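A read-only audit of the per-user override discussed in this reply, as an added example that is not Laserfiche's code and not part of the original thread: it enumerates every key under the profile path named above that carries an `LFDSSTSUrl` value and checks where that value points. The expected host (the thread's placeholder custom URL) and the requirement that the path end in `/LFDSSTS` are assumptions to replace with your own.

```powershell
# Added example: lists LFDSSTSUrl overrides for the current user and validates them.
# Assumptions: $ExpectedHost is a placeholder taken from the thread's example URL;
# the https and "/LFDSSTS" checks are a local policy choice, not a product rule.
param(
    [string]$ProfileRoot  = 'HKCU:\Software\Laserfiche\Client8\Profile',
    [string]$ExpectedHost = 'MyLF-URL.ssl-domain.com'
)

function Test-StsUrl {
    param([string]$Url, [string]$ExpectedHost)

    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        return 'not an absolute URL'
    }
    if ($uri.Scheme -ne 'https') {
        return "scheme is '$($uri.Scheme)', expected https"
    }
    if ($uri.Host -ne $ExpectedHost) {
        return "host is '$($uri.Host)', expected '$ExpectedHost'"
    }
    if ($uri.AbsolutePath.TrimEnd('/') -notmatch '(?i)/LFDSSTS$') {
        return 'path does not end in /LFDSSTS'
    }
    return 'ok'
}

if (-not (Test-Path $ProfileRoot)) {
    Write-Output "No key at $ProfileRoot for this user."
    return
}

# Check the profile key itself and every subkey, so both the plain "Settings"
# key and any per-repository settings key are covered without guessing names.
$keys = @(Get-Item $ProfileRoot) +
        @(Get-ChildItem $ProfileRoot -Recurse -ErrorAction SilentlyContinue)

foreach ($key in $keys) {
    if ($key.GetValueNames() -contains 'LFDSSTSUrl') {
        $value = [string]$key.GetValue('LFDSSTSUrl')
        [pscustomobject]@{
            Key    = $key.Name
            Url    = $value
            Result = Test-StsUrl -Url $value -ExpectedHost $ExpectedHost
        }
    }
}
```

Because the value lives under HKEY_CURRENT_USER, it is writable by the user and applies per profile, so the script has to run in each user's context to see that user's override.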
replied on April 12, 2022

Xiuhong,

 

Thanks for the response! I did attempt putting the registry key in-place that you referenced, and I observed the same bug behavior (the LFDS tab/option disappeared entirely).

 

The use-case is...

We have LFDS and the Repository on an "App Server" and the Web Applications (i.e. Forms, Web Client, WebLink, Mobile, LFDSSTS, etc.) on a "Web Server". The Web Server is exposed for access from the client machines, but we are not exposing the App Server for direct access, for added security; also, the Web Server has a custom URL, other than the server name, and we don't have that on the App Server:

For example:

https://MyServerName.domain.com/<Application> (server name)

https://MyLF-URL.ssl-domain.com/<Application> (custom URL)

The users are given ONLY the custom URL, and access the repository through web applications. Thus, we have installed the LFDSSTS on the Web Server, rather than redirecting to the App Server for authentication.

The users are all SAML users, authenticating through Azure AD as the identity provider, and leveraging the MFA. Thus, it requires the use of SSO for them to login.

We did try to set up a Laserfiche Account (LFDS username/password), so that MFA could still be leveraged, but typing that into the username/password field in Quick Fields doesn't work as expected; it seems using LFDS accounts is going to require the use of LFDSSTS (expected).

We don't want to set up repository accounts for a few reasons:

1) We want users to maintain the SSO functionality with their Azure AD account. Several different users will be utilizing Quick Fields, and we want them each to use their own, individual account.

2) We want to maintain the MFA requirement, from a security best practices perspective

3) We want a single exposed URL (Web Server) and all applications to leverage that (to include the LFDSSTS)

 

Let me know if that makes sense, and if you need any additional information from me.

2 0
replied on April 15, 2022

Xiuhong,

 

Thanks for the update, and we'll look for that bug fix in the May/June update!

 

I did add the Laserfiche User from LFDS in the repository, with the authentication set to "Trusted", but I received the "Username or password not found" error.

 

I did not set the MFA level to "Not Required" in LFDS though; it was likely set to the default of "Inherited".

0 0
replied on April 15, 2022

Xiuhong,

 

I tested and verified that if I set the MFA status to "Not Required" for the Laserfiche User in LFDS, I'm able to log in to Quick Fields with that username/password. Thanks for the guidance there!

I'll be looking for the bug fix in the next update so we can leverage SAML authentication for Quick Fields with MFA and/or Laserfiche Users with MFA enabled (using the LFDSSTS SSO).

 

Thanks again,

Dustin

2 0
replied on April 8, 2022

@████████ could you direct this to the team?

1 0
replied on April 11, 2022

Yep, looking into it already ;). One of us will respond when we have an update.

1 0