Configure Microsoft AD FS for SSO in your Code42 cloud environment
Who is this article for?
Instructor, no.
Incydr Professional, Enterprise, Horizon, and Gov F2, yes.
Incydr Basic, Advanced, and Gov F1, yes.
Overview
This tutorial explains how to configure your Code42 cloud environment to use single sign-on (SSO) with Microsoft Active Directory Federation Services (AD FS) 3.0.
This article assumes you are already familiar with SSO and the SAML standard. For more information about how the Code42 platform implements SSO, see Introduction to single sign-on.
Compatible Code42 platform components
Considerations
Before you begin
Determine whether you need to configure multiple Code42 tenants
Step 1: Add AD FS as an authentication provider
To complete this step, you must first verify that AD FS is deployed according to Microsoft's instructions.
- Sign in to the Code42 console.
- Navigate to Administration > Integrations > Identity Management.
- Click Add Authentication Provider.
- In Display name, enter an identity provider name to display to users that sign in with SSO.
If your Code42 environment provides more than one SSO identity provider, users see a list of providers to choose from. They must select the provider configured for their Code42 organization. - In Provider's Metadata, choose one of the following options:
- Enter URL: Paste the URL for the AD FS metadata XML file, for example:
https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml
- Upload XML File: Upload the AD FS metadata XML file to your instance of the Code42 console.
- Enter URL: Paste the URL for the AD FS metadata XML file, for example:
- Click Create Provider.
Authentication provider settings appear. - Copy the Code42 Service Provider Metadata URL. You will use this in the Step 2 to create a relying party trust between AD FS and your Code42 console. Alternatively, you can right-click the URL and save the metadata as a .xml file to upload directly to AD FS.
Note the following message on the dialog:
This provider will not be applied to an organization until you update the organization security settings.
Do not apply this authentication provider to organizations yet. You will apply this provider to a test organization and to production organizations in later steps.
- If you choose not to use the default mapping, you can use Attribute Mapping to customize mappings between Code42 platform user attributes and authentication provider SSO assertion attributes.
- Click the Edit icon.
- Deselect Use default mapping.
- Configure mapping settings for each Code42 platform user attribute.
Each field supports up to 128 characters.- Username: Specify the SSO identifier or attribute that maps to the Code42 platform username.
- Select Use nameId to use the SSO name identifier.
- Select Use attribute tag to enter a custom SSO attribute.
- Email: Enter the SSO attribute that contains user email addresses.
- First Name: Enter the SSO attribute that contains user first names.
- Last Name: Enter the SSO attribute that contains user last names.
- Username: Specify the SSO identifier or attribute that maps to the Code42 platform username.
- Click Save.
- Click the Edit icon.
- Local Users displays the current user. If there are any other users you want to exempt from using this authentication provider to log in, enter them here.
Step 2: Add the Code42 service provider metadata URL to AD FS
- If there is a mix of Windows, Mac, and Linux computers in your Code42 environment, go to Edit Global Authentication Policy in AD FS, and enable both Windows authentication and Forms authentication. See Microsoft's instructions.
- Create a relying party trust between AD FS and your Code42 console.
- Follow the wizard steps to configure the relying party trust.
- When you are prompted for the relying party metadata, provide the URL you copied or upload the metadata .xml file you downloaded from the Code42 Service Provider Metadata URL in Step 1.
- Create a claim rule to send LDAP attributes as claims.
The claim rule maps Active Directory attributes to Code42 user attributes.- Map the LDAP e-mail addresses attribute to outgoing claim type uid. This maps directory email addresses to Code42 usernames.
In the Code42 cloud usernames must be email addresses. - Map other outgoing claim types such as givenName, sn, and mail.
- Map the LDAP e-mail addresses attribute to outgoing claim type uid. This maps directory email addresses to Code42 usernames.
- Ensure that Active Directory uses the SHA-256 hash algorithm:
- Right-click the relying party trust, then select Properties.
- Click Advanced.
- Verify that Secure hash algorithm is set to SHA-256.
Code42 uses SHA-256 for the hash algorithm by default. For information about changing the signature and digest algorithms, see Set SAML attributes for SSO.
Step 3: Test SSO authentication
This step requires you to create a test user in AD FS.
Step 4: Apply this provider to production organizations
Step 5: Add new users who sign in with SSO
- In AD FS, add new users for whom you want to enable login to Code42. See Microsoft's documentation for information about adding users.
- Ensure the same users are set up in Code42. You can add users manually with the Code42 console to an organization that uses SSO, enable SCIM provisioning, or deploy Code42 apps to users in an organization that uses SSO.
What to expect
Reduced authentication prompts
Lost access to an identity provider
Troubleshoot authentication errors
Follow this procedure if SSO authentication for Code42 apps works externally but not internally, or if you see the following error In the AD FS event viewer: MSIS7102: Requested Authentication Method is not supported on the STS
Diagnosing
Search the AD FS logs to verify the error:
- Navigate to your AD FS event viewer.
- Search for the following log:
MSIS7102: Requested Authentication Method is not supported on the STS
If you see the above error, continue to the solution described below to configure AD FS to use the proper authentication method with Code42.
Solution
Edit the Authentication Policies in AD FS:
- Navigate to Authentication Policies.
- Under Primary Authentication, click Edit next to Global Settings.
- Under Intranet, enable both Forms Authentication and Windows Authentication.
- Click Apply.