
Question

SAML User Type for Laserfiche Client Login

asked on June 1, 2022

Hi everyone!  First time poster.

We're trying to implement SAML authentication into our Laserfiche environment. The SAML process is all working properly with authentication from Azure AD with proper configuration in LFDS. We're not proxying windows users or anything like that; the users are being added as SAML users in LFDS.

The problem is the authorization into Laserfiche applications. How do I add a SAML user to it?  Is that user a Laserfiche user?  It's not a windows or repository user. It's not clear in the docs I've read what needs to happen but I could be missing something.

If it's a Laserfiche user, I've tried to enter the same usernames, but after authentication through STS the error returned is "Access denied. [9013]".

Thanks!


Answer

SELECTED ANSWER
replied on June 1, 2022

Hi! Welcome!

In the Laserfiche Admin Console, under Users and Groups, you should be able to see a node labeled Laserfiche Directory Accounts. You would want to add the users there and set them to trusted to log into the repository.

Unlike repository users who are inherently tied to the repository they're created in, Windows accounts and Laserfiche Directory accounts need to also be authorized to log into a given repository. You can do so by trusting them for login directly or through a group they belong to.

See this documentation page for more info.


Replies

replied on June 3, 2022

Hi Miruna!  Thanks for answering my question.

Turns out I had other issues going on but your answer helped me eliminate the possibilities.  Here are other tips in case someone comes across this question:

1.) The Unique Attribute on the SAML user must match the user value coming out of the SAML IdP. With Azure AD, the Laserfiche white paper mentions using the onmicrosoft.com version of the account, but that doesn't work if that's not what's in the SSO response to Laserfiche. I used Chrome dev tools and the XML decoder websites to inspect the actual SAML response and see what is in the payload for the user's unique login attribute.

2.) The SAML user has to be created in LFDS first, and then create the Laserfiche user in the Laserfiche Admin Console or Administration of the Web Client. Even if the usernames match, the accounts don't line up, since Laserfiche is probably saving a uniqueidentifier from LFDS that won't be right if you're trying to line up usernames with existing accounts.

Thanks!

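Tip 1 above hinges on seeing exactly what the IdP put in the response rather than what the white paper says it should contain. The following is an added example, not code from the original post or from Laserfiche or Microsoft, that does the "dev tools plus decoder website" step offline in Python: it takes the SAMLResponse form field as copied from the POST body, base64-decodes it (falling back to raw DEFLATE in case it was captured from a Redirect-binding URL), and reports the NameID and every attribute value so they can be compared with the Unique Attribute configured on the LFDS SAML user. The response XML, tenant ID, NameID, claim names and object ID are constructed for the example and the XML Signature a real IdP includes is omitted.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

# SAML 2.0 namespaces used by ElementTree's XPath-style lookups.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response for illustration only (not a real Azure AD or
# Laserfiche message): tenant ID, NameID, claim names/values and element IDs
# are made up, and the ds:Signature a real IdP would include is left out.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2022-06-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-06-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def encode_for_form(xml_text: str, deflate: bool = False) -> str:
    """Build a SAMLResponse form value the way a browser would send it
    (base64, then URL-encoded). deflate=True mimics the Redirect binding,
    which wraps the XML in raw DEFLATE before base64."""
    data = xml_text.encode("utf-8")
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no header
        data = comp.compress(data) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"))


def decode_saml_response(form_value: str) -> str:
    """Turn the SAMLResponse field copied from the POST body back into XML."""
    raw = base64.b64decode(urllib.parse.unquote(form_value))
    try:
        ET.fromstring(raw)                 # plain base64 (HTTP-POST binding)
        return raw.decode("utf-8")
    except (ET.ParseError, ValueError):
        # Not XML yet: assume the raw-DEFLATE wrapping of the Redirect binding.
        return zlib.decompress(raw, -15).decode("utf-8")


def extract_identity(xml_text: str) -> dict:
    """Pull out what the IdP actually sent about the user: issuer, NameID
    (value and Format) and every attribute/claim with its values."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion cannot be read without the SP's private key.
        raise ValueError("no plaintext saml:Assertion found in the response")
    name_id = assertion.find("./saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("./saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": assertion.findtext("./saml:Issuer", default="", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def find_value(identity: dict, expected: str) -> list:
    """Report where (NameID and/or which attributes) the value configured as
    the LFDS Unique Attribute appears in the response. Empty list means the
    IdP never sent that value, which is the mismatch described in tip 1.
    The comparison is exact; whether LFDS matches case-insensitively is not
    assumed here."""
    hits = []
    if identity["name_id"] == expected:
        hits.append("NameID")
    for name, values in identity["attributes"].items():
        if expected in values:
            hits.append(name)
    return hits


if __name__ == "__main__":
    captured = encode_for_form(SAMPLE_RESPONSE_XML)       # stand-in for the dev-tools copy
    ident = extract_identity(decode_saml_response(captured))
    print("Issuer:        ", ident["issuer"])
    print("NameID:        ", ident["name_id"], "(" + str(ident["name_id_format"]) + ")")
    for name, values in ident["attributes"].items():
        print("Attribute:     ", name, "=", values)
    for candidate in ("jdoe@example.com", "jdoe@contoso.onmicrosoft.com"):
        print("Where", candidate, "appears:", find_value(ident, candidate) or "nowhere")
```

Paste the SAMLResponse value from the browser's POST body (Chrome dev tools, Network tab, the request to the Laserfiche STS endpoint) in place of the constructed one. A captured response is a signed, replayable authentication token for a real account, so decoding it locally like this is preferable to pasting it into a third-party decoder website. If the assertion arrives as an EncryptedAssertion the script raises, because the attributes are only readable with the service provider's private key.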
