Azure AD SSO


Files.com provides integration with Microsoft Azure Active Directory, enabling user authentication and user provisioning from your Azure Active Directory service.

Implementing Single Sign On (SSO) allows your users to authenticate with the password specified in your Azure Active Directory and allows your administrators to manage user credentials and privileges at a single location.

Users can be provisioned within Files.com based on criteria defined within your Azure Active Directory service. For example, you can specify that only users that are members of a specified Group should be provided with Files.com user accounts.

Integration with Azure Active Directory can be achieved using SAML, OAuth, or the LDAP protocol.

There are differences in functionality when choosing between SAML, OAuth, and LDAP. Generally speaking, the more modern SAML and OAuth standards are designed only for web- and cloud-based applications, whereas the older LDAP standard can be used by all types of applications but isn't as well integrated with web- and cloud-based applications. Some notable differences are:

                                                                             | SAML and OAuth                                      | LDAP
-----------------------------------------------------------------------------|-----------------------------------------------------|------------------------------------------------------------------------
Files.com users can use AD password for web browser based access?            | Yes                                                 | Yes
Files.com users can use AD password for FTP(S) / SFTP / WebDAV / API access? | No                                                  | Yes
Automated provisioning method (if configured)                                | Performed and managed by AD SCIM (recommended)      | Performed and managed by Files.com
Provisioning user and group filtering (if configured)                        | Performed and managed by AD SCIM (recommended)      | Performed and managed by Files.com
Provisioning interval                                                        | Real time                                           | Hourly
Provisioning logs                                                            | Provided by Azure at the Azure AD Provisioning logs | Hourly sync logs available at Files.com Settings > Logs > External Logs

If you don't know which method to use, we recommend using the SAML method for integrating with Microsoft Azure Active Directory, and the SCIM method for user and group provisioning.

Azure SSO via LDAP

If you decide to use the LDAP method, Azure Active Directory is integrated in exactly the same way as any other LDAP-capable service, such as on-premises Active Directory.

Pre-requisites for using LDAP(S)

Before attempting to integrate using LDAP:

  • Make sure that your Azure AD is configured with LDAPS.
  • Do NOT use a self-signed TLS/SSL Certificate for LDAPS.
  • Do use a valid and chained TLS/SSL Certificate for LDAPS.

To configure LDAP based integration, refer to the LDAP/Active Directory integration documentation.

Azure SSO via SAML

Adding Files.com in Azure AD for SAML

After logging in to your Files.com account as an administrator, navigate to Settings > Users > User Settings > SSO Providers, and click the Add provider button. Click to select the Microsoft provider.

Click Create your own application.

Enter Files.com or the app name, and click the Create button.

Under Getting Started, click Set up single sign on.

Under Select a single sign-on method, click SAML.

In the Basic SAML Configuration box, click the Edit button.

Complete the form using the following values (leave other fields at their defaults):

Field                                      | Value
-------------------------------------------|------------------------------------
Identifier (Entity ID)                     | https://app.files.com/saml/metadata
Reply URL (Assertion Consumer Service URL) | https://app.files.com/saml/consume
Relay State                                | SUBDOMAIN.files.com

(Replace SUBDOMAIN with your Files.com subdomain.)

Click the Save button to apply the changes.

Lastly, copy the App Federation Metadata Url in the SAML Signing Certificate box. You will need this URL when adding Azure in Files.com.

Adding Azure AD in Files.com for SAML

After logging in to your Files.com account as an administrator, navigate to Settings > Authentication > SSO Providers, and click the Add provider button. Click to select the Microsoft provider.

In the Add provider form, select the Use SAML option, and paste the App Federation Metadata Url you copied from Azure into the Metadata URL for the SAML identity provider field.

Lastly, click the Save button to apply the change.

The Azure SSO method will now be available when assigning an authentication method for a user in Files.com, and the Sign in with Microsoft button will be displayed on your site's login page.

Azure SSO via OAuth

Adding Files.com in Azure AD for OAuth

After logging in to your Azure portal as an administrator, navigate to Azure Active Directory > App registrations and click the New registration button.

In the registration form, enter Files.com in the Name field, and enter the following URL in the Redirect URI field:

https://app.files.com/login_from_oauth?provider=azure

Click the Register button to complete the registration.

Next, copy both the Application (client) ID and Directory (tenant) ID by clicking the copy icon that appears when hovering your cursor over them, and make a note of these by pasting them into a text/document editor.

Next, to generate a client secret, click Certificates & secrets, and click the New client secret button.

In the dialog that appears, enter a Description and select the Expires option according to your preference.

Click the Add button to generate your client secret.

Next, use the copy icon next to the generated secret Value to copy it, and make a note of it along with your previously copied client and tenant IDs.

Adding Azure AD in Files.com for OAuth

After logging in to your Files.com account as an administrator, navigate to Settings > Users > User Settings > SSO Providers, and click the Add provider button. Click to select the Microsoft provider.

In the Add provider form:

  • Paste your Directory (tenant) ID copied from Azure into the Tenant ID field.
  • Paste your Application (client) ID copied from Azure into the Client ID field.
  • Paste your Client secret copied from Azure into the Client Secret field.

Lastly, click the Save button to apply the change.

The Azure SSO method will now be available when assigning an authentication method for a user in Files.com, and the Sign in with Microsoft button will be displayed on your site's login page.

Provisioning Users Automatically

There are two ways to automatically provision users via Azure AD.

SCIM Provisioning

SCIM Provisioning is a standard that allows your Users to be automatically provisioned in Files.com from your Azure AD identity source.

  1. Generate an access token in Files.com (Settings > Users > User Settings > SSO Providers > Azure > Enable automatic user provisioning via SCIM? > Token) and copy it. You provide this token to Azure Active Directory in a subsequent step. Alternatively, instead of a token you can use the Basic authentication method, which is the SCIM user name and password option.
  2. In your Azure portal, go to Azure Active Directory > Enterprise Applications > Files.com.
  3. Under the Manage menu, click Provisioning.
  4. Set Provisioning Mode to Automatic.
  5. Enter the SCIM API endpoint URL: https://app.files.com/api/scim
  6. Set Secret Token to the access token that you generated in step 1.
  7. Click Test Connection and wait for the message that confirms that the credentials are authorized to enable provisioning.
  8. Click Save.

If you are using token based provisioning, by default the token will expire one year from the date you generated it. You will receive an alert email from Files.com before your SCIM token is going to expire. You can always extend the expiry date of the SCIM provisioning Secret token in Files.com at Settings > Users > User Settings > SSO Providers > Azure > Enable automatic user provisioning via SCIM? > Token > Token Expiration. Either enter a new date in the Token Expiration text box or pick one from the date picker, then click Save.

If you want to revoke the current token and get a new one, because it has been compromised or for any other reason, you can reset the token from Files.com at Settings > Users > User Settings > SSO Providers > Azure > Enable automatic user provisioning via SCIM? > Token > Reset Token. Once you reset the token and click Save, a new token will be generated and available for you to copy from the Token text box.

Just-In-Time (JIT) Provisioning

JIT Provisioning works by creating user records on Files.com upon their first successful login. This method is easier than SCIM, however, it suffers from one major limitation when used with Azure AD:

Azure AD erroneously communicates Group Names as their Group IDs rather than the actual Group Name. This means that users will be provisioned with a list of groups that shows up as UUIDs (long strings of characters). These groups will work, but they won't be easily understood.

Some customers use our API to retroactively rename those groups, however, this is not a clean solution. We strongly recommend SCIM provisioning instead if you need to provision group memberships from Azure AD.

This is a limitation of Azure AD itself, and not Files.com. JIT Provisioning works properly on Files.com for other SAML providers, including Okta, Auth0, and OneLogin.

JIT Provisioning will work if your Azure AD Users aren't members of any Groups, or if you disable Group provisioning via SAML.

Migrating Users from Active Directory/LDAP to Azure AD SSO

For Site Administrators currently using Active Directory/LDAP and needing to migrate their users to Azure AD SSO, we recommend the process below.

Before migrating, be aware that Azure AD SSO authentication with a password is only supported for browser-based sessions, or the Files.com Desktop app. SFTP and API authentication are supported using SFTP Keys or API Keys.

  1. Set up the Azure AD SSO provider (SAML) alongside your existing Active Directory/LDAP SSO provider.
  2. Test with an existing Active Directory/LDAP user by updating the user's Authentication method to "Azure" at Settings > Users > [Username] > Authentication, and verify that the user can log in successfully with the Sign in with Microsoft button.
  3. After confirming Azure SSO is working for a single user, update the authentication method for the remaining Active Directory/LDAP users to "Azure". If you have a large number of users, this can be accomplished with a script using one of our SDKs. Feel free to let us know if you require assistance with this step.
  4. Once all of your Active Directory/LDAP users have been updated to use the "Azure" authentication method, you may remove the Active Directory/LDAP SSO provider.
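A bulk update of the kind step 3 describes is easy to get wrong if it runs before the single-user test in step 2 has been done. The script below is an added example, not Files.com's SDK code, and its API details are assumptions to verify against the Files.com REST API documentation before use: that users are listed at GET https://app.files.com/api/rest/v1/users.json and updated with PATCH https://app.files.com/api/rest/v1/users/{id}.json, authenticated with an X-FilesAPI-Key header, and that a user's SSO provider is an integer field named sso_strategy_id. The provider ids 7 (LDAP) and 9 (Azure) and the user records are constructed. plan_migration() is pure and enforces the step-2 canary; apply_plan() defaults to a dry run and only issues PATCH requests when told to.

```python
"""Bulk-switch the remaining Active Directory/LDAP users to the Azure SSO provider.

Added example, not Files.com's own SDK code. Assumed API shape (verify first):
  GET   {API_BASE}/users.json          lists users
  PATCH {API_BASE}/users/{id}.json     updates one user
  header X-FilesAPI-Key: <api key>     authenticates the request
  field  sso_strategy_id               the user's SSO provider (integer id)
"""
import json
import os
import urllib.request

API_BASE = "https://app.files.com/api/rest/v1"  # assumed endpoint, see above

# Constructed sample: provider ids and users are made up for this example.
LDAP_PROVIDER_ID = 7
AZURE_PROVIDER_ID = 9
SAMPLE_USERS = [
    {"id": 101, "username": "alice", "sso_strategy_id": 7},
    {"id": 102, "username": "bob", "sso_strategy_id": 7},
    {"id": 103, "username": "carol", "sso_strategy_id": 9},          # the step-2 test user
    {"id": 104, "username": "svc-backup", "sso_strategy_id": None},  # API-key account, untouched
]


def plan_migration(users, ldap_id, azure_id, require_canary=True):
    """Return [(user_id, patch_payload)] for every user still on the LDAP provider.

    Refuses to plan anything unless at least one user is already on the Azure
    provider, i.e. the single-user verification in step 2 has been completed.
    Users on neither provider (password or API-key accounts) are left alone.
    """
    if require_canary and not any(u.get("sso_strategy_id") == azure_id for u in users):
        raise RuntimeError("no user is on the Azure provider yet; complete step 2 first")
    return [
        (u["id"], {"sso_strategy_id": azure_id})
        for u in users
        if u.get("sso_strategy_id") == ldap_id
    ]


def apply_plan(plan, api_key, dry_run=True):
    """Issue one PATCH per planned user. With dry_run=True (the default) nothing is
    sent; the (url, payload) pairs are returned so they can be reviewed first."""
    results = []
    for user_id, payload in plan:
        url = f"{API_BASE}/users/{user_id}.json"
        if dry_run:
            results.append((url, payload))
            continue
        req = urllib.request.Request(
            url,
            data=json.dumps(payload).encode(),
            method="PATCH",
            headers={"X-FilesAPI-Key": api_key, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            results.append((url, resp.status))
    return results


if __name__ == "__main__":
    # Fetching the real user list (paginated GET users.json) is left to the reader;
    # the constructed sample stands in for it here.
    plan = plan_migration(SAMPLE_USERS, LDAP_PROVIDER_ID, AZURE_PROVIDER_ID)
    for url, payload in apply_plan(plan, os.environ.get("FILES_API_KEY", ""), dry_run=True):
        print("PATCH", url, json.dumps(payload))
```

Run it once as a dry run, check that the listed users are exactly the LDAP accounts you expect (and that service accounts authenticating with API keys or SFTP keys are absent), then rerun with dry_run=False. Step 4, removing the LDAP provider, should wait until a fresh dry run returns an empty plan.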

Differences between Active Directory/LDAP and Azure AD after migrating users

After migrating users from Active Directory/LDAP to Azure AD there will be some differences in behavior on the Files.com platform:

                                                                  | Active Directory/LDAP                                                   | Azure AD
------------------------------------------------------------------|-------------------------------------------------------------------------|----------------------------------------------------
Can use AD/LDAP password for web browser based access?            | Yes                                                                     | Yes
Can use AD/LDAP password for FTP(S) / SFTP / WebDAV / API access? | Yes                                                                     | No
Automated provisioning method (if configured)                     | Hourly sync                                                             | Immediate via SCIM (recommended)
Provisioning logs                                                 | Hourly sync logs available at Files.com Settings > Logs > External Logs | Provided by Azure at the Azure AD Provisioning logs

Troubleshooting

Username Changed in Azure AD

If a username has been changed within Azure Active Directory, the username change may not automatically update the username of the associated Files.com user. There are two easy ways to fix this.

In Files.com, a Site Administrator may update the user's account to match the username within Azure AD.

Alternatively, this can be completed within the Azure account by an administrator.

To do so:

  1. Sign in to your Azure portal.
  2. Navigate to All services > Enterprise applications.
  3. Select the application that the Files.com user belongs to, and then go to the provisioning configuration page.
  4. Select Provision on demand.
  5. Enter the username that has been updated, and select Provision at the bottom of the page.

©2022 Files.com. All rights reserved