
Question

Linking multiple SAML identity providers through common username

asked on November 30, 2023

We currently have 2 SAML providers (In-house IdP and Azure AD). We'd like to take advantage of the SCIM 2.0 functionality, which is supported only through our Azure AD environment. SCIM is not supported in our in-house IdP at the moment.

All of our users are currently linked to our in-house IdP through the Accounts screen in LFDS.

Both SAML providers share the same information in terms of username (ex. Username in Azure AD will be 123456, and In-House IdP would be 123456 as well). I thought I was going to be a genius by being able to link both Identity Providers within LFDS, but turns out I was wrong. You cannot link a SAML provider to another SAML provider.

Are there any tips or workarounds that would enable us to make this work? Ideally, if they are signing in through Azure AD or through our In-house IdP, it's the same username and should be mapped to the same person within LFDS, regardless of which Identity Provider authenticated the user.

Another fun feature request for SCIM 2.0 would be to enable "role-based" license assignments. Right now, there's only 1 option of assigning 1 type of license per provider. Allowing the SAML provider to assign that license based on roles within the organization would allow much more flexibility.

0 0

Answer

SELECTED ANSWER
replied on December 6, 2023

Patrick, upon further reviewing our SCIM documentation, I believe you may simply be able to configure Azure AD (Entra ID) as a SCIM 2.0 provider for the LFDS SAML users linked to your in-house IdP. With this setup, you would not configure AAD/Entra ID as a separate IdP within LFDS.

See: Configuring SCIM in Azure Active Directory

10. In the Mappings section, review user and group attributes that are synchronized from Azure Active Directory to Laserfiche Directory Server. The attributes selected as Matching properties are used to match the users and groups for update operations. Laserfiche Directory Server Update 3 currently only supports userName as a matching property.

If LFDS is performing SCIM matching on userName, and that property is identical/sync'd between your two IdPs, that configuration might work out.

Worth testing, and if you do, please report back with the results.

1 0
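To make the matching behaviour in the selected answer concrete, here is an added example (not LFDS code, not from the thread's author) that replays one Azure provisioning cycle against a toy directory: Azure first asks `GET /Users?filter=userName eq "<value>"`, then updates the match or creates a new user. Provider ids, SIDs and user names are constructed; the point is that an existing user stays linked to the in-house IdP and a new one is created already linked to it, never to Azure.

```python
import re
from dataclasses import dataclass, field

# Constructed provider id for this example; LFDS keeps the real ones in
# dbo.identity_providers.id (the thread above mentions type 5 = SAML).
IN_HOUSE_SAML_PROVIDER = 2

@dataclass
class DirectoryUser:
    sid: int
    user_name: str
    provider_id: int       # which IdP the LFDS user is linked to
    email: str = ""

@dataclass
class Directory:
    users: dict = field(default_factory=dict)   # sid -> DirectoryUser
    next_sid: int = 1

    def add(self, user_name, provider_id, email=""):
        user = DirectoryUser(self.next_sid, user_name, provider_id, email)
        self.users[user.sid] = user
        self.next_sid += 1
        return user

# Azure's first call per user is GET /Users?filter=userName eq "<value>";
# userName is the only matching property LFDS Update 3 supports.
FILTER_RE = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)

def scim_lookup(directory, filter_expr):
    match = FILTER_RE.match(filter_expr.strip())
    if not match:
        raise ValueError("unsupported SCIM filter: " + filter_expr)
    # RFC 7643 defines userName with caseExact=false: compare case-insensitively.
    wanted = match.group(1).casefold()
    return [u for u in directory.users.values() if u.user_name.casefold() == wanted]

def primary_email(scim_user):
    emails = scim_user.get("emails") or []
    return emails[0].get("value", "") if emails else ""

def provision(directory, scim_user, link_provider_id=IN_HOUSE_SAML_PROVIDER):
    """One Azure provisioning cycle: look up by userName, PATCH if found, POST if not."""
    found = scim_lookup(directory, f'userName eq "{scim_user["userName"]}"')
    if found:
        user = found[0]
        user.email = primary_email(scim_user) or user.email   # attributes refreshed,
        return "updated", user                                # provider_id untouched
    user = directory.add(scim_user["userName"], link_provider_id, primary_email(scim_user))
    return "created", user   # new user is linked to the in-house IdP, not to Azure
```

Because the filter is the only thing Azure can match on, a username that differs between the two IdPs (even by a trailing space) produces a second, duplicate user rather than an update, which is the case worth checking before turning provisioning on.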

Replies

replied on December 1, 2023

Hi Patrick,

First, an important note. In my response below, I discuss specific aspects of the Laserfiche Directory Server (LFDS) database. This is for illustrative purposes to aid in understanding the underlying data structures and relationships between users and identity providers in LFDS. Directly modifying Laserfiche application databases is not supported except for specific operations detailed in official product documentation or when so instructed by Laserfiche Support.

A "SAML" type user in LFDS is associated 1:1 with a specific SAML identity provider. This is represented in the LFDS database dbo.directory_objects (users) table's "provider_id" column, which maps to the dbo.identity_providers table's "id" column (type 1 = AD, type 5 = SAML).

The Linked Provider feature enables 1:1 or Many:1 mappings of SAML IdPs to an AD or LDAP IdP. As you noted, you cannot link one SAML IdP to another. 

There's also a dbo.saml_lf_sid_mappings table with "saml_sid" and "lf_sid" columns, where "lf_sid" corresponds with the user "sid" in the dbo.directory_objects table. I have no idea what this table is used for or where the "saml_sid" values come from. There may be other tables and values involved I'm not aware of.

Though you can't take the Linked Provider approach, there may be a way to "migrate" existing SAML user associations from one SAML IdP to another via a set of database queries. You could reach out to Laserfiche Support through your Solution Provider and politely inquire if it would be possible to get any assistance with this. They can engage the LFDS Dev team about whether the operation is possible, and if so, how to do it safely.

This would be outside the formal scope of Laserfiche support, so if they're able to assist it would be on a voluntary, best-effort basis. The LFDS Dev team is also extremely busy at the moment, so I wouldn't expect a request to get looked at before the end of the year.

With respect to:

Another fun feature request for SCIM 2.0 would be to enable "role-based" license assignments. Right now, there's only 1 option of assigning 1 type of license per provider. Allowing the SAML provider to assign that license based on roles within the organization would allow much more flexibility.

I do believe group/role-based licenses assignments for SCIM are (somewhere) on the roadmap.

Cheers,
Sam

0 0
replied on December 4, 2023

I wouldn't want to migrate users though between SAML providers, I would want both SAML providers to co-exist side-by-side with a similar username attribute. The same way it is now with an AD provider.

0 0
replied on December 4, 2023

Ah, unfortunately not possible then due to the 1:1 relationship between user trustees and Linked Providers only supporting SAML->AD/LDAP mapping. 

Was the idea to have all user authentication to go through your in-house IdP and only connect Azure AD (Entra ID) for SCIM functionality?

0 0
replied on December 4, 2023

That was my exact thought process, yes: to authenticate into the in-house IdP, but import users through Azure AD, which has the SCIM support. The users co-exist in both IdPs with mostly the same attributes and a common username.

0 0
replied on December 5, 2023

Got it. I don't suppose SCIM support is on the roadmap for the in-house IdP?

0 0
replied on December 5, 2023

No, not at the moment. That need is being satisfied with Azure so it's lower priority.

1 0
replied on December 6, 2023

Ok so this is a bit more technical, but we have our LFDS servers in a network load balanced environment. How do I configure SCIM on the Laserfiche side so that the bearer token is the same on both servers in the NLB farm?

1 0
replied on December 7, 2023

Thank you @████████ for that solution, it works perfectly! I created the enterprise app with SCIM 2.0 in Azure with the proper configurations from our Laserfiche environment.

I activated the SCIM functionality in LFDS for our in-house IdP, created the proper mapping within Azure for the required fields, and now everything is syncing across, and each user is linked to our in-house IdP SAML provider within LFDS.

Does the LF side of things support the syncing of the groups as well using SCIM? I couldn't find documentation on that functionality.

For the NLB question, for those wondering, I was able to find where the file was located, and copied it over from the 1st server I configured to the other servers in the NLB farm.

C:\ProgramData\Laserfiche\LFDS\Scim2ServiceConfig.jsonc

1 0
replied on December 7, 2023

Excellent, I'm happy to hear that worked out!

Re: syncing groups, the documentation suggests it's supported in some form:

11. Under Settings, select Sync only assigned users and groups to only sync users and groups assigned in the Users and groups tab.

12. Set the Provisioning Status option to On.

13. Select the Users and groups tab and assign the users or groups to synchronize with Directory Server. By default, the synchronization process runs every 40 minutes.

Unless you're asking about synchronizing the groups themselves rather than "users in groups"? I vaguely recall there being a difference in SCIM but am fuzzy on the details.

0 0
replied on December 7, 2023

I'm asking about the groups yes, in the logs on Azure it gets a HTTP 404 error for the SCIM endpoint of LDFS-SCIM/Groups, so I assume it's not supported at the moment.

0 0
replied on December 5, 2023

Out of curiosity, why do you have 2 IdPs?

0 0
replied on December 5, 2023

Azure/Entra doesn't support every authentication protocol out there, we have multiple partners that only support OAuth 1.0, CAS 2, etc... We had a need to develop our in-house IdP prior to the early stages of when Azure kicked off their ability for SSO.

The other is costs relative to licensing in Azure/Entra. As a higher educational institution, we don't create O365 accounts until you confirm you will attend our institution (ex. paid for tuition fees, etc...), therefore applicants don't reside in Azure until they become students, but these applicants will reside in our in-house IdP instead.

So in order to use LF Forms, we use our in-house IdP because it contains the accounts of every entity within our institution. We have the self-registration all set up, but what happens is that when we run a LF Forms workflow and the user doesn't exist in Forms, it causes us headaches because then we have to go manually create him or ask him to log in to Forms in order to create his account in LF. That's where the SCIM would come in and automatically create student accounts from Azure into LF, but map them to our in-house IdP based on the username fed from Azure.

2 0