We have a client who uses Laserfiche Cloud and users are configured via AD FS. They need to transition all of their users from using AD FS to SAML with AzureAD. All of the users have been added and assigned to groups in AzureAD. They just need to move their SAML from AD Federated services to AzureAD. Is there any guidance Laserfiche can provide on how to accomplish this?
Question
Answer
I assume you know how to Configure Single Sign-On with Azure Active Directory (AD) generally and are specifically asking about the transition aspect.
You can't have both configured at the same time, so make sure you have the AD FS configuration "backed up" somewhere in case you need to revert to it.
The most important thing is to ensure that the same value for FederatedID gets passed. By default, this is the SAML NameID. You can also specify a custom user identifying attribute. See: Configure Advanced SSO options in Laserfiche Cloud.
The FederatedID is the value used to map the SAML response to the Laserfiche Cloud user with an exact string match.
Next, make sure your Attribute Mappings are similarly aligned and that Azure AD is sending the same (relevant) values as AD FS.
The Group claim is especially important here. Do NOT assume that all relevant groups are being synchronized from on-prem AD to Azure AD (if on-prem AD groups are used for Federated Group mapping).
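One way to check the two points in the answer above before cutting over: capture a SAML response from the old identity provider and one from the new one for the same test user, then diff the NameID and the attribute statement. The script below is an added example, not Laserfiche tooling or code from the original answer. The two responses are constructed samples (signatures omitted; the claim URIs and the group values are assumptions chosen to show a typical mismatch, where the new IdP emits a differently named group claim carrying object IDs instead of group names), and the helper assumes signature verification has already happened upstream.

```python
"""Diff the identity-relevant parts of two SAML responses (old IdP vs new IdP).

Added example with constructed data; not Laserfiche's own tooling. Assumes the
responses were signature-verified before being handed to this check.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a response from the old IdP for the test user.
# Group claim carries group names.
OLD_IDP_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>LF-Users</saml:AttributeValue>
        <saml:AttributeValue>LF-Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: a response from the new IdP for the same user. NameID
# matches exactly, but the group claim has a different name and emits object IDs
# (placeholder GUIDs) rather than the group names the old mapping relied on.
NEW_IDP_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_identity(xml_text):
    """Return the NameID and a dict of attribute name -> sorted list of values."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS) or ""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = sorted(values)
    # FederatedID mapping is an exact string match, so do not normalise case here.
    return {"name_id": name_id.strip(), "attributes": attrs}


def compare_identities(old, new):
    """Return a list of findings; an empty list means the cutover looks claim-compatible."""
    findings = []
    if old["name_id"] != new["name_id"]:
        findings.append(f"NameID differs: {old['name_id']!r} vs {new['name_id']!r}")
    old_names, new_names = set(old["attributes"]), set(new["attributes"])
    for name in sorted(old_names - new_names):
        findings.append(f"attribute missing from new IdP: {name}")
    for name in sorted(new_names - old_names):
        findings.append(f"attribute only in new IdP: {name}")
    for name in sorted(old_names & new_names):
        if old["attributes"][name] != new["attributes"][name]:
            findings.append(
                f"values differ for {name}: {old['attributes'][name]} vs {new['attributes'][name]}"
            )
    return findings


def check_cutover(old_xml=OLD_IDP_RESPONSE, new_xml=NEW_IDP_RESPONSE):
    """Run the comparison on two captured responses and return the findings."""
    return compare_identities(extract_identity(old_xml), extract_identity(new_xml))


if __name__ == "__main__":
    for finding in check_cutover() or ["no differences found"]:
        print(finding)
```

Run it against real captures for a handful of test accounts (one per federated group) before switching the production configuration: any "NameID differs" finding means those users will not map to their existing Laserfiche Cloud accounts, and a group claim that changed name or value format means the federated group mapping has to be reconfigured on the Azure AD side before users are moved.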