AuthAnvil – The #1 User Authentication Suite for IT Service Providers

Configuring LiquidFiles for AuthAnvil Single Sign On

Overview

This guide walks you through the process of implementing AuthAnvil Single Sign On for LiquidFiles, a virtual appliance that helps companies and organisations send & receive large files securely. Once you are finished, you will have a LiquidFiles icon in your Single Sign On portal to provide a simple and secure log in to LiquidFiles.

Requirements

  • AuthAnvil Two Factor Auth 4.6 or later with AuthAnvil SSO 3.5 or later installed.

This document assumes that the AuthAnvil SSO Server has already been configured as per the AuthAnvil SSO Installation Guide, and that a working LiquidFiles appliance is already in place.

Configuring the LiquidFiles Virtual Appliance in AuthAnvil Single Sign On

  1. Log in to your AuthAnvil Manager and navigate to the Applications section in Single Sign On.
  2. Click Add New Application to open a new configuration menu
  3. Set the Display Name to “LiquidFiles”. You are welcome to download this image to use for the application icon (Right-Click – Save As…):
     

  4. Under the Protocol Configuration tab specify the Reply to URL and the Audience URI. The Reply To URL is the SAML endpoint for LiquidFiles and the Audience URI is the SAML Consumer URL. Here are some example values:
    • Reply to URL: https://<yourdomain.com>/saml/init
    • Audience URI: https://<yourdomain.com>/saml/consume
  5. Specify the protocol as SP-Init Redirect
  6. Save the application to save the configuration and create the app
  7. Re-open the LiquidFiles application by clicking on it
  8. Create a new Attribute Map with the following name and value:
    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    • Value: {Email}
  9. Expand the Extended Properties section and enable the advanced properties.
  10. NOTE: Be aware that there are occasions where the Attribute name will revert back to the default value when enabling advanced properties so keep an eye on that.
  11. After the advanced properties are enabled set the Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  12. Save the changes
  13. To allow users to access the LiquidFiles Virtual Appliance you will need to add the application to a role in SSO. Navigate to the Roles section of the AuthAnvil Manager and select the role you would like to allow access. Drag the LiquidFiles application into the allowed applications group.

  14. Users in that role will now be able to view the LiquidFiles application in the portal.

Configure the LiquidFiles Virtual Appliance for Single Sign On

  1. Log into the LiquidFiles Virtual Appliance with an administrative account.
  2. Navigate to the Admin section and select Single Sign-On from the left menu.
  3. Specify the Protocol as SAML 2
  4. Set the IdP Login URL to the SP-Init endpoint in AuthAnvil Single Sign On. This URL is located at https://<yourdomain.com>/sso/federation/passive/Saml2SPInit where “yourdomain.com” points to your AuthAnvil server
  5. Set the Logout URL to the AuthAnvil Single Sign On Single Sign Out URL (bit of a tongue twister, eh?). This URL is located at https://<yourdomain.com>/sso/federation/passive/signout.
  6. NOTE: Setting the logout URL to the SSO Log Out URL will cause you to logout of AuthAnvil Single Sign On when you log out of LiquidFiles. If you don’t want that to happen you can specify the SSO Portal as the logout URL, e.g. https://<yourdomain.com>/sso
  7. Specify the thumbprint from the Signing Certificate in the application configuration in AuthAnvil Single Sign On. You can find this by navigating to the LiquidFiles application in AuthAnvil Manager and opening the Certificate Authority section. The thumbprint can be copied directly into the LiquidFiles configuration.
  8. Finally, modify the Authentication Context to urn:oasis:names:tc:SAML:2.0:ac:classes:Password . Otherwise, you will be prompted to elevate credentials within AuthAnvil Single Sign On.
  9. Why do we do this?
    By default AuthAnvil Single Sign on issues tokens specifying the user was authenticated with a password. This is for compatibility reasons as most federated applications expect it. If you left the value as is, AuthAnvil Single Sign On would issue a token specifying password, LiquidFiles would compare the value in the token and since it’s not what it’s expecting it requests AuthAnvil to reissue a new token. AuthAnvil Single Sign On currently allows authentication via the AuthAnvil Two Factor Auth system so in our case an elevation is simply a re-authentication of a user’s OTP.

    If you don’t want to modify the Authn Context in LiquidFiles and do not want to require elevation in AuthAnvil Single Sign On, contact support to reconfigure the authentication type for the LiquidFiles application in AuthAnvil Single Sign On.

  10. Save the changes and try logging into LiquidFiles from the AuthAnvil Single Sign On portal. You should see the application in the list.