Add new attachment

Only authorized users are allowed to upload new attachments.

List of attachments

Kind Attachment Name Size Version Date Modified Author Change note
png
saml1.png 177.8 kB 1 29-Dec-2020 05:25 Ben Spink
png
saml2.png 211.5 kB 1 29-Dec-2020 05:25 Ben Spink

This page (revision-27) was last changed on 29-Mar-2024 20:42 by Ada Csaba

This page was created on 29-Dec-2020 05:25 by Ben Spink

Only authorized users are allowed to rename pages.

Only authorized users are allowed to delete pages.

Difference between version and

At line 1 changed one line
!!The SAMLSSO plugin requires an enterprise license.\\
!!Enterprise Licenses Only\\
At line 3 changed one line
This plugin is for advanced users in an organization using SAML.
!__Prerequisits:__ on the Preferences panel [Misc page|Misc] need to set the __Remember invalid usernames__ parameter value to __0__ and clear the __HTTP Redirect Base__ field value. This is a __must__ with any plugin integration scenario.
\\
\\
SAMLSSO Plugin\\
\\
This plugin is for advanced users in an organization using SAML. While this config is generic (from [Okta]) in its description to all SAML providers, see the Microsoft ADFS config example for specifics on ADFS. *[SAMLSSO_ADFS]* Another example is *[SAMLSSO_AZURE]* config example.\\
''Okta calls their generic config 'SAML Service Provider'.''\\
!For a generic config, you can get these items from the 'config.xml' (Keycloak for example):\\
{{{
CrushFTP:Redirect URL = HTTP-POST URL
CrushFTP:SAML Provider URL = EntityID
CrushFTP:SAML Issuer = ClientID (or ApplicationID)
CrushFTP:Signing certificate = X.509 Certificate
}}}
\\
For configuring through a DMZ, this requires Crush 8.3.0_8+ and for both the DMZ instance and internal instance to have identical configurations. If you are using the groups attribute in SAML to specify group memberships, add them into the LDAP roles area using the same group name SAML returns. Set the cache timeout to be "-1" and it will skip connecting to the LDAP configured server info. (Which is what you want if using SAML groups.) If you don't have LDAP and don't have groups being passed through, you can add the special group name "-ALL_ROLES-" and it will allow all logins from SAML.\\
\\
This plugin can be linked together with the WebApplication plugin for a scenario where your LDAP does not apply to your SAML logins. *[SAMLSSO_WebApplication]*\\
!!1)\\
The top half controls the connection parameters to the SAML provider server.\\
We provide an example screenshot for an OKTA account. Both HTTP POST and redirect modes are supported.\\
[attachments|saml1.png]\\
\\
!!2)\\
The lower half controls what to do with the resulting user that is validated once they are redirected back to your CrushFTP server. This mainly contains configuration items related to LDAP. An LDAP server is required for looking of role associations for the user that SAML validated.\\
[attachments|saml2.png]\\
\\
!!3)\\
The final item is using a Url like this to make CrushFTP redirect a user to the SAML provider.\\
{{{
http://domain.com/?u=SSO_SAML&p=redirect
}}}
This could be placed on your login page, or even use javascript to auto redirect the user to that URL.\\
\\
Be certain the Preferences, Misc tab has the remember invalid usernames configured to 0 seconds or your SAML login will get rejected since CrushFTP caches the username as being invalid and doesn't even ask the plugin.\\
\\
Also be sure prefs.XML has "http_redirect_base" set to a blank value, or your actual URL, or else the redirection will be blocked.\\
\\
\\
----
''__PLEASE NOTE!!!__\\
\\
Java 16 and above require a JVM flag to allow XML signing. So if you utilize XML signing of your AuthN request and you are using newer Java versions (you should be regardless), then add this JVM flag to allow signing to operate:\\
{{{
--add-opens=java.xml.crypto/org.jcp.xml.dsig.internal.dom=ALL-UNNAMED
}}}
For Java 17....edit the security file here: CrushFTP10\Java\conf\security\ directory, remove the lines
{{{
disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,
disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,
}}}
''
__These flags are not needed to be set no more, if CrushFTP is running under Java 21+.__
Version Date Modified Size Author Changes ... Change note
27 29-Mar-2024 20:42 3.574 kB Ada Csaba to previous
26 28-Feb-2024 16:26 3.484 kB Ada Csaba to previous | to last
25 28-Feb-2024 16:24 3.475 kB Ada Csaba to previous | to last
24 25-Aug-2023 23:49 3.231 kB Ben Spink to previous | to last
23 25-May-2022 07:12 3.005 kB krivacsz to previous | to last
22 25-May-2022 07:12 3.035 kB krivacsz to previous | to last
21 25-May-2022 07:11 3.004 kB krivacsz to previous | to last
« This page (revision-27) was last changed on 29-Mar-2024 20:42 by Ada Csaba
G’day (anonymous guest)
CrushFTP10 | What's New

Referenced by
LeftMenu

JSPWiki