
Question

Can Laserfiche on premise be set up with OneLogin

asked on April 10, 2024

Our organization was looking into having OneLogin as our management for using single sign-on with Laserfiche on-premise. I was able to see that there was information provided by OneLogin to configure SSO on Laserfiche Cloud but not for the on-premise environment. We seem to be close to having it completely configured; however, we're running into a snag where we are missing information. OneLogin is currently asking for the following information:

ACS (Consumer) URL Validator

ACS (Consumer) URL

Could someone point me in the direction or clarify what those two URLs are or where they can be found?

0 0

Answer

SELECTED ANSWER
replied on April 11, 2024

Hi Cristobal,

I believe this is the relevant OneLogin documentation page:

Use the OneLogin SAML Test Connector

You should use this connector option by default, as Laserfiche requires a Service Provider (SP) initiated SAML flow. IDP-initiated SAML auth is still supported if you set a Landing Page in LFDS, but SP-initiated is required.

SAML Test Connector (SP): This is the basic SP Initiated connector that contains the general URL fields that will be used to pass the connector information between OneLogin and the application in question.

Unless you want OneLogin to encrypt the assertion in the SAML Response in addition to cryptographically signing it (usually overkill as the response is already going over encrypted HTTPS), in which case you should start with this option:

SAML Test Connector (SP) w/Public Cert: Along with all the functionality of the basic SP connector, this version includes an encrypted assertion.

On the Laserfiche Directory Server (LFDS) side, first ensure you have your STS site(s) registered correctly under Settings > STS Sites.

The OneLogin ACS (Consumer) URL field is simply the "SAML endpoint" value from the STS Site configuration in Directory Server. Their description is "This field will contain the address where the SAML response is posted to.", which for Laserfiche is the STS Site SAML endpoint. The ACS URL is a universal field for all SAML configurations because the IDP always needs to know where to send the SAML Response.

The OneLogin ACS (Consumer) URL Validator field says:

This field is used by OneLogin to ensure that we POST the response to the right place. If the response is Service Provider (SP) initiated, they will provide the URL to POST the SAML response to.

Basically, the ACS (Consumer) URL Validator will take the form of the ACS (Consumer) URL, however it will be "escaped out," meaning that all periods and backslashes will have forward slashes immediately preceding them.

Creating a secure ACS (Consumer) URL Validator value is key to the security of the connector. If setup is misconfigured, an attacker could forge Authentication Requests to serviceprovider.com (SP).

For example, consider this ACS (Consumer) URL:

https://serviceprovider.com/saml/consume/

A secure ACS (Consumer) URL Validator regular expression would be:

^https:\/\/serviceprovider\.com\/saml\/consume\/$

Note the essential anchors: ^ and $.

Here is an example of an insecure ACS (Consumer) URL Validator regular expression:

https:\/\/serviceprovider\.com\/saml\/consume\/

This insecure ACS (Consumer) URL Validator could be bypassed with an ACS (Consumer) URL of:

http://www.evil.com/saml/consumer?getparam=https://serviceprovider.com/saml/consume/

So following their example, this ACS URL would have the following OneLogin secure ACS URL Validator (backslashes and periods escaped and with start and end anchors; this is regex) and SLO URL:

For their optional Single Logout (SLO) URL field, you would enter the LFDS STS Site "SAML provider logout endpoint" value, which ends with "/SLO".

Hope that helps!
-Sam

2 0
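To make the anchoring point above concrete, here is an added Python check (not from the original answer, OneLogin or Laserfiche) that runs the two validator regexes quoted in the answer against the legitimate ACS URL and the attacker-controlled URL, derives an anchored validator from an ACS URL the way the answer describes, and lints a validator for the usual mistakes. The URLs are the ones from the answer, with serviceprovider.com and www.evil.com as placeholders just as they are there; modelling OneLogin's check as an unanchored regex search is an assumption about its engine, chosen because it is the behaviour the answer warns about.

```python
import re

# ACS URL and validators exactly as quoted in the answer above.
ACS_URL = "https://serviceprovider.com/saml/consume/"
SECURE_VALIDATOR = r"^https:\/\/serviceprovider\.com\/saml\/consume\/$"
INSECURE_VALIDATOR = r"https:\/\/serviceprovider\.com\/saml\/consume\/"

# Attacker-controlled URL from the answer: it merely *contains* the real ACS URL.
EVIL_URL = ("http://www.evil.com/saml/consumer"
            "?getparam=https://serviceprovider.com/saml/consume/")


def validator_accepts(validator: str, requested_acs_url: str) -> bool:
    """Model the IdP-side check (assumption): is the ACS URL carried in an
    AuthnRequest matched by the validator?  re.search is used on purpose:
    without ^ and $ a pattern matches anywhere in the string, which is the
    flaw the answer describes.
    """
    return re.search(validator, requested_acs_url) is not None


def build_validator(acs_url: str) -> str:
    """Derive an anchored validator from an ACS URL: put a backslash before
    '.' and '/' (and any other regex metacharacter) so they match literally,
    then wrap the result in ^ and $.
    """
    special = r".\/?+*[](){}|^$"
    escaped = "".join("\\" + ch if ch in special else ch for ch in acs_url)
    return "^" + escaped + "$"


def audit_validator(validator: str) -> list:
    """Lint a validator an admin typed into OneLogin; returns the problems
    found (an empty list means it looks right)."""
    issues = []
    if not validator.startswith("^"):
        issues.append("missing start anchor '^'")
    if not validator.endswith("$"):
        issues.append("missing end anchor '$'")
    if re.search(r"(?<!\\)\.", validator):  # a bare '.' matches any character
        issues.append("unescaped '.'")
    return issues


if __name__ == "__main__":
    for name, validator in (("secure", SECURE_VALIDATOR),
                            ("insecure", INSECURE_VALIDATOR)):
        print(name,
              "| accepts real ACS:", validator_accepts(validator, ACS_URL),
              "| accepts evil URL:", validator_accepts(validator, EVIL_URL),
              "| audit:", audit_validator(validator))
    print("derived validator:", build_validator(ACS_URL))
```

For the Laserfiche case you would feed build_validator the STS Site "SAML endpoint" value from Directory Server and paste the result into the ACS (Consumer) URL Validator field; the derived string for the answer's example is identical to the secure validator shown above.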
replied on April 16, 2024

Hi Sam,

Thanks for all the information. It's helped us push forward with the implementation of SSO. We are running into an issue now. There is an error message that pops up on the OneLogin page when clicking the icon for Laserfiche. If this is a OneLogin-side issue, we can contact their support.

{"ErrorCode":null,"ShowReturnLink":true,"Error":true,"Message":"The identity provider may not be configured correctly.  Contact your administrator: ID3061: The given element (\u0027Audience\u0027,\u0027urn:oasis:names:tc:SAML:2.0:assertion\u0027) is empty."}

0 0
replied on April 16, 2024

Ah. So two things here.

First, the current issue: 

The given element ...Audience... is empty."}

For some reason OneLogin has the "Audience" field optional. I've always seen that be required. "Audience" in this context means the SP Entity ID. See discussion here and here:

Audience is associated with the Condition element of a SAML Assertion and tells under which security conditions or context the assertion is valid, providing some terms and conditions relating to such validity (like time validity of the assertion, who can consume the assertion, etc.). Typically, Audience will be the EntityID of the SP.

...

The Audience URI, or Audience Restriction, determines the intended recipient or audience for the SAML Assertion. Depending on the vendor, this field might also be referred to as the "Entity ID"

Per the LFDS Landing Pages and Custom Entity IDs documentation:

By default, Directory Server's entity ID is in the format https://DirectoryServerHostName/lfds.

That's the actual fully-qualified domain name (FQDN) of the server, like https://lfprodweb1.ad.example.com/lfds.

However, I'd recommend you set a Custom Entity ID that matches the FQDN of the primary LFDSSTS ACS URL / SAML Endpoint. In our example here, that's "lf.example.com", so we would set the "SAML Entity ID" in LFDS to:

  1. https://lf.example.com/lfds 

Then enter that same value in the "Audience" field of the OneLogin SAML Connector config.

Second, the issue you'd run into right after fixing the missing Audience one:

... on the OneLogin page when clicking the icon for Laserfiche

Starting from OneLogin (the IDP) rather than Laserfiche (the SP) means you're attempting an "IDP-initiated" SAML flow. 

That error message comes from Laserfiche, not OneLogin. If you look at the URL, you'll see https://lf.example.com/lfdssts/*.

As I noted here:

IDP initiated SAML auth is still supported if you set a Landing Page in LFDS

The Landing Page value would typically be either a Forms or Web Client base URL, so:

  1. https://lf.example.com/Forms/
  2. https://lf.example.com/Laserfiche/ 
  3. Etc.

The "Default Landing Page" value tells Laserfiche where to send the user after authentication. You have to set this because LFDSSTS itself has no knowledge of what other Laserfiche web applications you have or what URLs they're located at. Without it, you'd authenticate to LFDS, get an LFDSSTS auth token, and then... nothing. You'd run into this next.

1 0
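The Audience mismatch is easier to see against an actual assertion. The following added Python (not from the thread, OneLogin or Laserfiche) builds a constructed, unsigned, minimal assertion and applies the Conditions checks an SP performs before trusting it: the validity window and the AudienceRestriction. The two entity IDs are the ones from this answer (the default https://DirectoryServerHostName/lfds form and the custom https://lf.example.com/lfds); the issuer URL, NameID and timestamps are made up. An empty Audience element is rejected, which is the situation behind the ID3061 message quoted above; signature verification is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Entity IDs from the answer: the custom one configured in LFDS (and entered
# as "Audience" in OneLogin) and the default one LFDS would use otherwise.
SP_ENTITY_ID = "https://lf.example.com/lfds"
DEFAULT_ENTITY_ID = "https://lfprodweb1.ad.example.com/lfds"

# Constructed, unsigned assertion skeleton (illustration only): the issuer URL,
# subject and timestamps are invented.
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="{ns}" ID="_id1" Version="2.0" '
    'IssueInstant="2024-04-16T10:00:00Z">'
    "<saml:Issuer>https://app.onelogin.com/saml/metadata/example</saml:Issuer>"
    "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2024-04-16T10:00:00Z" '
    'NotOnOrAfter="2024-04-16T10:05:00Z">'
    "<saml:AudienceRestriction>"
    "<saml:Audience>{audience}</saml:Audience>"
    "</saml:AudienceRestriction>"
    "</saml:Conditions>"
    "</saml:Assertion>"
)

# Two fixed "current time" values so the window check is deterministic.
VALID_NOW = datetime(2024, 4, 16, 10, 1, 0, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2024, 4, 16, 11, 0, 0, tzinfo=timezone.utc)


def make_assertion(audience: str) -> str:
    """Render the constructed assertion with the given Audience text."""
    return ASSERTION_TEMPLATE.format(ns=SAML_NS, audience=audience)


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, sp_entity_id: str, now: datetime) -> str:
    """Enforce the assertion's Conditions the way an SP must.

    Returns the accepted audience; raises ValueError naming the first failure.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")

    # Validity window: usable only from NotBefore up to (not including) NotOnOrAfter.
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")

    # Audience: must name this SP's entity ID.  An empty <Audience/> is the
    # case the thread's ID3061 error reports; a wrong value (e.g. the default
    # LFDS entity ID when a custom one is configured) is rejected as well.
    audiences = [
        (a.text or "").strip()
        for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
    ]
    if not audiences:
        raise ValueError("assertion has no AudienceRestriction")
    if "" in audiences:
        raise ValueError("Audience element is empty")
    if sp_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include {sp_entity_id}")
    return sp_entity_id


def condition_failure(assertion_xml: str, sp_entity_id: str, now: datetime):
    """None if the assertion passes the Conditions checks, else the reason."""
    try:
        check_conditions(assertion_xml, sp_entity_id, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for label, audience in (("correct", SP_ENTITY_ID), ("empty", ""),
                            ("default id", DEFAULT_ENTITY_ID)):
        print(label, "->", condition_failure(make_assertion(audience),
                                             SP_ENTITY_ID, VALID_NOW))
    print("expired ->", condition_failure(make_assertion(SP_ENTITY_ID),
                                          SP_ENTITY_ID, EXPIRED_NOW))
```

The "default id" case is the one to watch for after setting a custom SAML Entity ID in LFDS: if OneLogin's Audience field still holds the old https://DirectoryServerHostName/lfds value, the assertion is well-formed but fails the audience check.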
replied on April 24, 2024

Thanks for all the help with this. We were able to get things working. I do have another question. Will all the accounts that are Windows accounts need to be converted to SAML accounts? Is there any conversion utility or synchronization so we don't have to recreate all our users?

0 0
replied on May 1, 2024

Assuming all the AD accounts in question are sync'd to OneLogin in some way, you'd configure Linked Identity Provider in Laserfiche Directory Server. This allows you to associate SAML logins from OneLogin with Windows Accounts in LFDS.

Read that documentation page carefully, especially the parts about SAML group claims. You need to ensure that OneLogin has all the required attributes available to send in the required formats.

Definitely do not attempt to convert AD/Windows Accounts to SAML Accounts or otherwise recreate the AD users as SAML ones if you can set up the Linked Provider.

I just wrote a guide for doing SAML SSO and Linked Identity Provider configuration with Microsoft Entra you might find useful here:

Configuring SAML Authentication with Microsoft Entra ID and LFDS 11 Update 5+

1 0
