
Discussion

Active Directory Federation Services does not seem to have Federated IDs for User Accounts

posted on August 8, 2022

It was brought to my attention that AD FS does not appear to have a Federated ID associated with a user account, and I did a quick Google search myself to see if any articles were discussing a Federated ID in the context of AD FS users. It doesn't seem like a thing.

So how would we fill out this box when enabling Single Sign-On for AD FS identity providers?

0 0
replied on August 8, 2022

Chad, you've gotta include more details on what interface(s) and versions you're talking about when you ask questions like this. I checked both my self-hosted LF 11 and LF Cloud systems with AD FS auth successfully configured and didn't see a "Federated ID" field on either of them.

0 0
replied on August 9, 2022
0 0
replied on August 9, 2022

Oh, I was looking at the identity provider configuration interfaces. I'm 99% sure "Federated ID" is a generic term for the NameID (or alternative User Identifying Attribute if so configured) value the SAML provider is sending over for that user. For AD FS, it's likely (but not necessarily) their UPN.

https://doc.laserfiche.com/laserfiche.documentation/en-us/Default.htm#Configure%20Advanced%20SSO%C2%A0options%20in%20Laserfiche%20Cloud.htm

0 0
replied on August 9, 2022

Ok, I am having them try this. If this is the case, where there are 2 terms that mean the same thing, the field title of Federated ID / UPN would be more clear.

0 0
replied on August 11, 2022

Chad,

The value to enter for the Federated ID will depend on the User identifying attribute selection at the bottom of the advanced options (in Laserfiche > Account Administration > Settings > Single Sign-On). By default it's set to use the NameID that is getting passed in, not the UPN, but the Laserfiche Cloud help files (near the very bottom) specify how to customize this to use the UPN. (I don't understand the reasoning of putting this at the bottom of the advanced options page. It should really be on an "AD FS" page under the "Configure Single Sign-On for Identity Providers" section, which has provider-specific details like this for the other providers.)

2 0
replied on August 11, 2022

Chad, the Cloud identity provider config page is best understood as a generic SAML configuration interface. AD FS is simply one of many SAML providers. UPN is an attribute/concept specific to Active Directory, so the many SAML providers that aren't backed by AD don't even have it.

If we made the field label "Federated ID / UPN" we'd get tons of support cases about people not being able to find/configure a UPN attribute for non-AD-backed SAML providers and thinking UPN was required.

As Robert noted, "Federated ID" is a generic term for whatever value you're sending under the User Identifying Attribute (by default NameID, otherwise whatever alternative attribute you choose, like UPN).

I'll see if we can at least make this more clear in the documentation.

1 0
replied on August 11, 2022

I understand that SAML is a protocol that many service providers use; my concern is with the use of terminology. If we call an apple an orange, we are going to cause mass confusion.

The reason standardized protocols exist is to define a set of terms and instructions which service providers can agree upon.

The feedback that I am getting is that Federated ID is not a SAML term for a field value, and that when hooking up to other Cloud providers, no one asks them for a Federated ID.

There is something called "Federated Identity" as a concept (similar to SSO) but it does not appear to be a value. I can't verify this as I have no access to a SAML based software, but it seems to be true from a Google search.

0 0
replied on August 11, 2022

They got the UPN advanced setting in there, properly mentioned under Advanced for AD FS systems.

There are no attribute instructions for AD FS, only for Okta, Azure AD, and Ameritrade. So I guess that tab is skippable.

0 0
replied on August 11, 2022

The SAML spec doesn't have a term for "the attribute the Service Provider uses as the primary key to identify users" because that logic happens entirely within the application after the entire SAML 2.0 exchange is complete.

In practice, it's usually the defined SAML attribute "NameID", which is why Laserfiche Cloud's "User identifying attribute" setting defaults to "NameID".

We're not calling an apple an orange. We're using an umbrella term called "Your Chosen Fruit". To make another analogy, "Federated ID" is like "the name field on your government-issued ID" vs. "the name field on your driver's license" or "the name field on your passport".

While not explicitly defined in a formal specification, here's one straight from Wikipedia:

federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

The "Federated ID" for a user authenticating through a Federated Identity Provider (via SAML) to Laserfiche Cloud is the specific value in the SAML token used to link a SAML login to the corresponding user account in Laserfiche Cloud. I believe our contextual usage of Federated ID is close enough to this widely accepted general definition, especially since it appears in the Laserfiche Cloud User attributes interface.

Would a tooltip on the "Federated ID" field reading something like this address your confusion and concerns?

"The value of the 'User Identifying Attribute' as configured in the Single Sign-On settings. By default, this is the user's NameID value. SAML Identity Providers backed by Active Directory sometimes use UPN instead of NameID."

0 0
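The post above describes the service provider picking one value out of the SAML assertion (NameID by default, or a chosen attribute such as the AD FS UPN claim) and using it as the key that links the login to a Laserfiche Cloud account. The following is an added example, not Laserfiche's or AD FS's code, that shows how that selection changes which value the "Federated ID" must hold; the assertion is constructed, the account identifiers are placeholders, and the example assumes the assertion's signature has already been verified.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim type AD FS issues for a UPN attribute (used here in a constructed assertion).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Constructed sample assertion with placeholder identities; not captured from a real IdP.
# NameID and UPN deliberately differ, as they often do when NameID is the mail address.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@mail.example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@corp.example.local</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def federated_id(assertion_xml: str, identifying_attribute: str = "NameID") -> str:
    """Return the value the service provider keys the user on.

    identifying_attribute is "NameID" (the thread's default) or the Name of a
    SAML <Attribute>, e.g. the AD FS UPN claim type. Assumes the assertion has
    already been signature-checked; a production SP must do that before parsing.
    """
    root = ET.fromstring(assertion_xml)
    if identifying_attribute == "NameID":
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
        if node is None or not (node.text or "").strip():
            raise ValueError("assertion has no Subject/NameID")
        return node.text.strip()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == identifying_attribute:
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
            # Exactly one value is required: an ambiguous key must not link to an account.
            if len(values) != 1:
                raise ValueError(f"expected one value for {identifying_attribute}, got {len(values)}")
            return values[0]
    raise ValueError(f"assertion carries no attribute named {identifying_attribute}")


def matches_account(assertion_xml: str, identifying_attribute: str, stored_federated_id: str) -> bool:
    """True only if the stored Federated ID equals the value of the configured attribute."""
    return federated_id(assertion_xml, identifying_attribute) == stored_federated_id
```

Storing the UPN as the Federated ID while the setting is still on NameID (or the reverse) makes `matches_account` return False, which is the login failure the thread is about.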
replied on August 11, 2022

It seems clear to me, after reading what you just wrote, that the Federated ID needs to be what you have configured in your user identifying attribute, but how do you get that from this?

It asks me to enter a Federated ID and simply says that it can be found on the page (website/app) of my identity provider. How would I have ever known that I am looking for another value configured somewhere else? This was not obvious at all until I read what you just wrote.

The tooltip might help, but let's be clear here that this is asking for information depending on how you configured your Identifying Attribute. This way I know to look at that configuration, it says something like UPN, and now when I am on my identity provider page, I can look for a UPN.

0 0
replied on August 11, 2022

Ah, fair enough, that's misleading wording. It's... sort of an incomplete sentence. Writing it out comprehensively would yield something like:
"... This is the attribute value passed as the "User identifying attribute" for your federated identity provider in the Laserfiche Cloud Account Administration -> Settings -> Single Sign-on -> Identity Provider -> General Advanced Options interface."

I have a hunch "identity provider's page" was intended to refer to the LF Cloud config page above, not something on the SAML provider side. I'll see if we can get that line in the documentation clarified.

1 0