Connecting ezeep to your Directory Service via SAML

www.ezeep.com +1-720-253-1400 [email protected]
Contents
Introduction .... 2
Requirements .... 2
Setup Steps .... 3
  1. Get Token Signing Certificate .... 3
  2. Create a Single Sign On Settings set in your ezeep Portal .... 5
  3. Enter SAML Settings .... 6
  4. Create Relying Party Trust .... 8
  5. Configure Claim Rules .... 10
    5.1 Transform an incoming Claim (Email to NameID) .... 12
    5.2 Send LDAP Attributes as Claim (Important for group assignment) .... 14
  6. Set up groups in the ezeep Portal .... 16
User Sign-On .... 17
Introduction
SAML is today's standard when it comes to connecting the user management of a cloud service with a directory service. This manual describes the steps required to connect an ezeep account to a directory service like ADFS, Azure Active Directory, Ping Identity, miniOrange and others. While the configuration varies between them, the fundamental steps to connect are the same. The examples used here are based on Active Directory Federation Services.
Requirements
• ezeep administrator account
• administrator account for your directory service
Setup Steps

1. Get Token Signing Certificate
First, we need to get the token-signing certificate from your ADFS server. We will need this to validate that the incoming security tokens were indeed created by your ADFS server and not modified in transit. Microsoft states that the public/private key pairing is the most important validation mechanism.

To get your token-signing certificate, go to
• ADFS Management on your ADFS server
• Under ADFS / Service / Certificates double click the value under Token-signing
• Under the tab "Details" choose Copy to File... and export the certificate as Base-64 encoded X.509 (CER)
• Store the file securely, you will need to upload it to our Admin portal in the next step
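The same export done from PowerShell on the ADFS server instead of the MMC dialog; this is an added example, not part of the ezeep manual, and the output path is an assumption. It also records the thumbprint and expiry, so the copy uploaded in step 3 can be compared with what ADFS is actually signing with.

```powershell
# Export the primary ADFS token-signing certificate as Base-64 encoded X.509 (.cer),
# the same format "Copy to File..." produces. Run on the ADFS server in an elevated
# session; the ADFS module is installed with the role.
Import-Module ADFS

$outFile = 'C:\Temp\adfs-token-signing.cer'   # assumed output path for this example

# ADFS can hold two token-signing certificates during a rollover; relying parties
# validate against the one marked primary, so that is the one to export.
$primary = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
if (-not $primary) { throw 'No primary token-signing certificate found.' }

$cert = $primary.Certificate   # X509Certificate2, public key only

# PEM body: DER bytes, Base-64 encoded, wrapped at 64 characters per line.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
$pem   = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Record what was exported. Compare Thumbprint with the certificate shown in ADFS
# Management after uploading, and note NotAfter: with AutoCertificateRollover
# enabled ADFS replaces this certificate before it expires, and the copy stored
# at ezeep has to be replaced as well or token validation fails.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    File       = $outFile
}
```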
2. Create a Single Sign On Settings set in your ezeep Portal
• Log in to your ezeep account as administrator
• Click on your account (your email address / display name in our menu on the left)
• Under Single Sign On you will find the settings that you have set up (there should be none yet)
• Click on "Add SSO" and choose SAML 2.0
• A new popup will open with SAML settings
3. Enter SAML Settings
Our SAML settings include all basic settings that you need to set up for SAML to work properly. Enter your specific information and remember to save the settings.

This table contains the details about the specific settings (Setting Name, Description, Example):

Name (RENAME ME)
  Description: This is the name that we will store the SAML set under for you to find. For your account this name needs to be unique.
  Example: "ThinPrint Cloud SAML Settings"

Organization Identifier
  Description: This is your Organization ID, which is unique across our whole solution. Each SAML setting needs one Organization ID. When your users enter this Organization ID at https://accounts.ezeep.com/auth/signin/saml/ they will be following the SAML rule set that you set here and be forwarded to the according Identity Provider Login URL.
  Example: ThinPrintCloud

Entity ID
  Description: The entity ID of your Identity Provider.
  Example: "http://adfsdc.cortsol.net/adfs/services/trust"

Identity Provider Login URL
  Description: This is the login URL of your identity provider, which in this case is your ADFS. When users enter your Organization ID above they will be redirected to this URL.
  Example: "https://adfsdc.cortsol.net/adfs/ls"

Login Binding type
  Description: Pick a binding type for your login requests. This setting states how SAML request and response messages are mapped. We recommend choosing the HTTP redirect method.
  Options: HTTP Post, HTTP redirect
  Example: Post "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-POST", Redirect "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Identity Provider Logout URL
  Description: This is the URL that we redirect the user to when the user actively wants to log out of a session in our portal.
  Example: "https://adfsdc.cortsol.net/adfs/ls/?wa=wsignout1.0"

Logout Binding type
  Description: Pick a binding type for your logout requests. This setting states how SAML request and response messages are mapped. We recommend choosing the HTTP redirect method.
  Options: HTTP Post, HTTP redirect
  Example: Post "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-POST", Redirect "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Identity Provider Certificate (Base64 encoded)
  Description: This is the token-signing certificate that we exported to file in the first step "Get Token-Signing Certificate". You can upload it here for us to store securely.
  Example: "-----BEGIN CERTIFICATE----- a++++R0XNd+bDaBH2Jqpdln0+//asdsadadasd= -----END CERTIFICATE-----"
4. Create Relying Party Trust
To set up ezeep as an application that can be trusted by your ADFS, you need to create a Relying Party Trust on your ADFS. We have a preconfigured XML file for you that contains all necessary information to automatically configure your ADFS. You can find it after saving your first SAML Settings on the Single Sign On Settings screen. You can either save the link to the XML settings (we will need it on the ADFS server later) or store the whole file in case your ADFS does not have an internet connection.

On the ADFS server
• Open your ADFS Management and go to Trust Relationships / Relying Party Trusts
• Add Relying Party Trust
• In the Wizard, you can import data by entering the link that you saved from our portal or point to the local XML file that you transferred to the server
• You can check the settings by continuing the Wizard
5. Configure Claim Rules
When a user knocks on our portal login door with a SAML token, we consider the token, evaluate certain attributes from it and use them accordingly. These attributes need to identify the user and the ezeep groups the user should be a member of. This way we can directly make printers accessible to users based on the groups and policies that exist in your ezeep portal.

Claim Rules are used to specify these attributes in the SAML tokens. Claim Rules map an attribute from your Active Directory user object to a key the ezeep service understands. For instance, you can choose which attribute you want to use to map your users to ezeep groups, so ezeep can perform the assignment automatically when the user logs in.

ezeep is looking for the following attributes (Name, Outgoing Claim Type, Required, Description, Example):

NameID
  Outgoing Claim Type: NameID
  Required: Yes. Needs to be in e-mail format.
  Description: We use the NameID to identify a user.

groups
  Outgoing Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
  Required: Required for users to print
  Description: The strings in groups will be matched with the name strings of groups that the admin created in our portal.
  Example: cortsol.net\Domain Users

First name
  Outgoing Claim Type: first_name
  Required: No, optional
  Description: We display the first names in your users view for you to search for and filter users.
  Example: John

Last name
  Outgoing Claim Type: last_name
  Required: No, optional
  Description: We display the last names in your users view for you to search for and filter users.
  Example: McClane
At the end of the Relying Party Trust Wizard you can directly open the Edit Claim Rules dialog. You will need it to configure your user settings just the way you want them. You can also open the dialog with a right click on the newly created Relying Party Trust for ezeep and click on Edit Claims.
5.1 Transform an incoming Claim (Email to NameID)
The first rule set always must be the identifier, as we require this attribute to identify a user. We require e-mail addresses as the identifier that must be set. For this you can use the Claim rule template "Transform an Incoming Claim".

In the template set the Incoming Claim as the E-Mail Address and the outgoing claim type as NameID with E-Mail as the format. This will take the e-mail address attribute from your user and map it to NameID, so that we know that this is the attribute where we find the user's E-Mail address.
5.2 Send LDAP Attributes as Claim (Important for group assignment)
As a next step add another Claim rule and choose the "Send LDAP Attributes as Claims" template.

This opens a table where you can pick your intended AD attribute on the left and specify the outgoing claim on the right.

Your users always print per group rule sets that you can set in our ezeep portal. For us to assign them to the correct groups, you need to choose the LDAP attribute that you use for organizing your groups in your AD and map it to the outgoing claim http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
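The two rules from 5.1 and 5.2 written in ADFS claim-rule language and applied with the ADFS PowerShell module instead of the wizard; this is an added example, not the ezeep manual's own configuration. It assumes the Relying Party Trust was imported under the display name "ezeep" and that groups are organized with Token-Groups - Qualified by Long Domain Name (the cortsol.net\Domain Users form used in the table above); the LDAP rule also issues the E-Mail Address claim from the mail attribute, because the transform in 5.1 needs an incoming E-Mail Address claim to work on.

```powershell
# Issuance transform rules for the ezeep relying party trust, equivalent to the
# wizard templates "Send LDAP Attributes as Claims" (5.2) and
# "Transform an Incoming Claim" (5.1). Run on the ADFS server.
Import-Module ADFS

$rpName = 'ezeep'   # assumed display name of the imported Relying Party Trust

# Rule order matters: ADFS evaluates rules top to bottom, and claims produced by
# issue() are added to the input set, so the e-mail claim issued by the LDAP rule
# is available to the NameID transform that follows it.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "ezeep: LDAP attributes (e-mail, groups, names)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
                   "first_name",
                   "last_name"),
          query = ";mail,tokenGroups(longDomainQualifiedName),givenName,sn;{0}",
          param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "ezeep: E-Mail Address -> Name ID (format E-Mail)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
              = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Replaces the trust's whole issuance rule set with the text above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Read back what ADFS stored so the rule set can be reviewed before users sign in.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```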
6. Set up groups in the ezeep Portal
In the ezeep portal the users are organized in groups. Groups have policies applied to them. Policies define access to printers and printer features. For the groups and policy system to work properly, the LDAP group attribute has to contain group information in the exact same format that the claim rules configured in the previous step communicate.

Here are a few examples (AD Attribute Name: Example):
• Token-Groups - Qualified by Domain Name: cortsol\Domain Users
• Token-Groups as SIDs: S-1-5-21-1206454754-1378802883-1802596162-513
• Token-Groups - Qualified by Long Domain Name: cortsol.net\Domain Users
• Token-Groups - Unqualified Names: Domain Users
• Is-Member-Of-DL: CN=Guests,CN=Builtin,DC=cortsol,DC=net and CN=Users,CN=Builtin,DC=cortsol,DC=net

It is essential that you create the Groups in the ezeep portal with the exact same string as it is going out from your AD. Our workflow is to consider the SAML token, check the attribute "groups" and try to assign the users to the ezeep groups with the exactly matching strings as names. There can be multiple groups in the attribute; we will try to match them all with the ezeep groups. If we do not find a group set up by you in our portal, we will just ignore it.

This check is performed every time a user logs in with a SAML token. We make sure that we clean the former groups assigned to a user before assigning the groups that we find in the new SAML token, so that changes to groups are applied every time a user logs in with a new token. This makes sure that old groups the user was assigned to get unassigned when we don't find them in the SAML token anymore.
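A local dry run of the matching rule described above, as an added example that is not ezeep's code: it takes the strings a token would carry in the groups claim and the group names created in the portal, and reports what would be assigned, what would be removed, what would be ignored, and near misses where the AD attribute format (cortsol\ versus cortsol.net\, or a case difference) does not match the portal name. It assumes the comparison is case-sensitive, the strictest reading of "exact same string".

```powershell
function Test-EzeepGroupMapping {
    # Simulates the portal's group assignment for one SAML sign-in.
    #   TokenGroups   values of the groups claim in the SAML token
    #   PortalGroups  group names created in the ezeep portal
    #   CurrentGroups groups the user held before this sign-in
    param(
        [string[]]$TokenGroups,
        [string[]]$PortalGroups,
        [string[]]$CurrentGroups = @()
    )
    $assigned = @(); $ignored = @(); $nearMiss = @()
    foreach ($g in $TokenGroups) {
        # Exact, case-sensitive match (assumption) is the only thing that assigns.
        if ($PortalGroups -ccontains $g) { $assigned += $g; continue }
        # No exact match: flag portal groups with the same leaf name but a different
        # qualifier or case. That is the usual symptom of picking one Token-Groups
        # variant in the claim rule and naming the portal group after another.
        $leaf = ($g -split '\\')[-1]
        $similar = @($PortalGroups | Where-Object { ($_ -split '\\')[-1] -ieq $leaf })
        if ($similar.Count -gt 0) { $nearMiss += "$g (portal has: $($similar -join ', '))" }
        else { $ignored += $g }
    }
    [pscustomobject]@{
        Assigned = $assigned
        # Former assignments not present in this token are dropped on every login.
        Removed  = @($CurrentGroups | Where-Object { $assigned -cnotcontains $_ })
        Ignored  = $ignored
        NearMiss = $nearMiss
    }
}

# Constructed sample: the claim rule sends Token-Groups - Qualified by Long Domain
# Name, but one portal group was created in the short-domain form and one token
# group has no portal counterpart at all.
Test-EzeepGroupMapping `
    -TokenGroups   @('cortsol.net\Domain Users', 'cortsol.net\Print Admins', 'cortsol.net\Finance') `
    -PortalGroups  @('cortsol.net\Domain Users', 'cortsol\Print Admins', 'cortsol.net\Guests') `
    -CurrentGroups @('cortsol.net\Domain Users', 'cortsol.net\Guests')
```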
User Sign-On
After ezeep and the directory service are linked via SAML, users can simply go to portal.ezeep.com and click on "Sign in with Organization ID" or go directly to https://accounts.ezeep.com/auth/signin/saml/

They need to enter the Organization ID that you set as Organization Identifier in the ezeep portal.
Once they enter the ID, they will be redirected to the link you provided as Identity Provider Login URL.

After successful authentication on your Identity Provider, they will be redirected to the portal and can print per the groups that you set up.