Discussion

Does Laserfiche not support IdP-initiated authentication for SSO? It is requiring an SSO Service URL

posted on September 20, 2024

While trying to set up SSO with LF Cloud and Google (which only supports IdP-initiated authentication), there is a required field in the SSO config page for an SSO Service URL, which is not something we can provide if using IdP-initiated authentication.

0 0
replied on September 23, 2024

Laserfiche Cloud supports IDP-initiated SSO.

First, make sure you have it enabled on the Laserfiche Cloud side.
See: Configure Advanced SSO options in Laserfiche Cloud

  • Enable IDP-initiated login flow: Specify Yes for this feature to allow a user to sign in to Laserfiche from the identity provider's portal.

The "SSO Service URL" Google is asking for is the "Assertion Consumer Service URL" that Laserfiche Cloud gives you from Account Administration > Settings > Single Sign-On > Service Provider Information:

Laserfiche Cloud uses the same Assertion Consumer Service URL for both SP and IDP-initiated login flows: https://acs.laserfiche.com/acs/SAML2/SSO (or non-US regional equivalent).

We have IDP-initiated SSO configured for some of our internal Laserfiche Cloud accounts, and I verified that the IDP-initiated SAML Response is going to https://acs.laserfiche.com/acs/SAML2/SSO.

0 0
replied on September 23, 2024

Google isn't the one asking us for the SSO service URL; Laserfiche is the one asking for it, on the SSO config page. I checked under advanced and it says Enable IDP-initiated login flow = Yes, but IdP-initiated Identity Providers do not provide this service URL.

Google expects that the IdP will handle initiating the authentication request (IdP-initiated flow), so Google doesn't need an SSO Service URL to handle login requests from its side.

Instead, Google focuses on the Assertion Consumer Service (ACS) URL, which is the endpoint where the IdP sends the SAML response after a user is authenticated.


0 0
replied on September 23, 2024

Where is that quoted section from? Please provide a link if it's a Google documentation resource.

Google's Set up your own custom SAML app Using SAML-based SSO says plainly that it provides an IDP SSO URL:

  5. On the Google Identity Provider details page, get the setup information needed by the service provider using one of these options:
    a. Download the IDP metadata.
    b. Copy the SSO URL and Entity ID and download the Certificate (or SHA-256 fingerprint, if needed).


And I assure you that Google does not only support IDP-initiated SAML SSO flows. They literally provide instructions on testing both IDP and SP-initiated flows on their SAML config page (see below), and I've worked with customers to set up Google SAML SSO with both SP and IDP-initiated flows enabled with Directory Server. It may be that your customer has somehow disabled SP-initiated SSO at an administrative level in Google Workspace, but it is certainly supported.

If you can't find the IDP SSO URL value in the Google UI, try downloading the IDP metadata and pasting its contents into the Laserfiche Cloud "Import Metadata" dialog, Import, and see if the value populates:

1 0
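The confusion in this thread is between two different endpoints: the IdP's SingleSignOnService (what an SP form labels "SSO URL" or "SSO Service URL") and the SP's AssertionConsumerService (the "ACS URL", which Google's console shows and which Laserfiche Cloud publishes as https://acs.laserfiche.com/acs/SAML2/SSO). The script below, an added example and not code from Laserfiche, Google, or any poster here, parses SAML 2.0 metadata and reports which side it describes and which endpoints it carries; the metadata documents and all hostnames in it are constructed for the example, and `parse_metadata` / `idp_sso_url` are hypothetical helper names. It shows why an "Import Metadata" step can populate an SSO URL field only when the pasted document is IdP metadata that actually contains a SingleSignOnService element.

```python
"""Tell IdP "SSO URL" (SingleSignOnService) apart from SP "ACS URL"
(AssertionConsumerService) by reading SAML 2.0 metadata.

Added example: the metadata below is constructed for illustration and the
hostnames are placeholders, not Google's or Laserfiche's real values."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata: this is what an SP's "Import Metadata" dialog needs.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SP metadata: it only ever carries an ACS URL, never an SSO URL,
# so importing it into an "SSO Service URL" field leaves that field empty.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml2/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Return role ("IdP" or "SP"), entityID, endpoints keyed by binding, and signing certs.
    Metadata pasted by an administrator is operator-supplied; if you ever parse metadata
    fetched over the network, swap ElementTree for defusedxml to block entity-expansion."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "role": None,
            "sso_urls": {}, "acs_urls": {}, "certs": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        info["role"] = "IdP"
        for svc in idp.findall("md:SingleSignOnService", NS):
            info["sso_urls"][svc.get("Binding")] = svc.get("Location")
        for cert in idp.findall(".//ds:X509Certificate", NS):
            # Strip the line breaks PEM-style metadata usually contains.
            info["certs"].append("".join(cert.text.split()))
    if sp is not None:
        info["role"] = "SP"
        for svc in sp.findall("md:AssertionConsumerService", NS):
            info["acs_urls"][svc.get("Binding")] = svc.get("Location")
    return info


def idp_sso_url(xml_text, binding=REDIRECT):
    """The value an SP form labelled 'SSO Service URL' needs: the IdP's SingleSignOnService
    Location for the requested binding. Returns None for SP metadata or a missing binding,
    which is exactly the case where the form field stays blank after an import."""
    info = parse_metadata(xml_text)
    if info["role"] != "IdP":
        return None
    return info["sso_urls"].get(binding)


if __name__ == "__main__":
    for label, doc in (("IdP metadata", IDP_METADATA), ("SP metadata", SP_METADATA)):
        info = parse_metadata(doc)
        print(f"{label}: role={info['role']} entityID={info['entity_id']}")
        print(f"  SSO URL (for an SP config form): {idp_sso_url(doc)}")
        print(f"  ACS URLs (for an IdP config form): {info['acs_urls']}")
```

Run it and the IdP document yields an SSO URL while the SP document yields only an ACS URL; that asymmetry is the whole of the thread's disagreement. Note that IdP-initiated login does not remove the SingleSignOnService from IdP metadata; it only means the SP does not send an AuthnRequest to it, so an SP form can still require the value.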
replied on September 24, 2024

Well they ended up switching to Entra ID because it clearly showed an SSO URL.

We were logged into the Google Control panel displaying all the metadata for the newly created Laserfiche connection and there was no SSO URL. It only provided an ACS URL.

The quote above was from ChatGPT when we asked if an SSO Service URL is the same as an ACS Service URL and it said no; then we asked why Google was not providing an SSO Service URL.

Interestingly enough if I ask ChatGPT if Google provides an IDP SSO URL it says yes and explains how. Was I using the wrong language? The required field we were looking for was called SSO Service URL.

0 0