LDAP/Active Directory SSO
Files.com provides integration with directory services, using the LDAP protocol, enabling user authentication and user provisioning from your directory service.
Implementing Single Sign On (SSO) allows your users to authenticate with the password specified in your corporate directory and allows your administrators to manage user credentials and privileges at a single location.
Users can be provisioned within Files.com based on criteria defined within your directory service. For example, you can specify that only users that are members of a specified Group should be provided with Files.com user accounts.
Supported directory services include Active Directory, Apache Directory Server, OpenLDAP and any other LDAP compliant directory service.
Single Sign On (SSO) allows your users to use their existing corporate credentials to access Files.com, rather than needing to have separate credentials.
When Single Sign On (SSO) is configured, user passwords will be sent to your directory service for authentication. Users will only be allowed to log in to Files.com provided the supplied password matches what is held in your directory service.
This applies to login attempts made using the Files.com web portal or any of the connection protocols, such as FTP, SFTP, WebDAV, Files.com Desktop App, Mobile App, and API.
User provisioning allows existing users and groups within your directory service to be created automatically within Files.com.
This removes the need for your administrators to have to manually create users and groups within Files.com that have already been created within your directory service.
Once configured, provisioning occurs every 60 minutes.
Files.com will connect to your directory service using the LDAP protocol and supports the use of secure LDAPS (port 636) and non-secure LDAP (port 389).
Please make sure that your firewall is configured to allow inbound connections to your directory service from Files.com.
If your firewall is only capable of whitelisting or blacklisting using IP addresses, rather than domain names, then please refer to our published list of current IP addresses used by Files.com.
Port numbers are configurable, allowing you to use non-standard ports if required. Although 636 and 389 are standard, we recommend obfuscating your LDAP ports so that port scanners and bots cannot find your LDAP connection port easily.
We strongly recommend using secure LDAPS (port 636) rather than LDAP (port 389) so that your information is encrypted using TLS/SSL in transit between your directory service and Files.com.
When using LDAPS, make sure that you:
- use a valid and chained SSL Certificate.
- do not use a self-signed SSL Certificate.
- do not configure your firewall to tamper with, or re-write, any transmitted data or data headers.
If your Active Directory server does not provide a secure connection, please follow Microsoft's instructions for enabling LDAPS on a Microsoft Active Directory server to enable it.
Files.com will need login credentials in order to connect to your directory service and will be limited to the access privileges of the specified account.
We recommend that you create a "service account" login for Files.com and provide it with access permissions to areas of your directory that you wish to use for Single Sign On (SSO) and user provisioning.
To configure Single Sign On (SSO) with LDAP/Active Directory:
- navigate to Settings > Users > User Settings, and click the Add provider button in the SSO Providers section.
- select Active Directory/LDAP from the list of providers.
- complete the form and click Save.
The items and fields in the form are:
- Use this switch to enable and disable the connection to your directory service.
- This can be used to quickly disable your LDAP users from logging in to Files.com.
- The Fully Qualified Domain Name (FQDN) or IP address of your Active Directory/LDAP server.
- Add Backup Host
- You can add the backup Active Directory/LDAP server to use if the primary isn't reachable. Files.com will then automatically connect to the Backup host when the main server (Host) cannot be reached. The Backup host must be a replica of the main server (Host).
- Uses URL nomenclature. For example, ldaps://www.mysite.com:636
- The port to be used to connect to your Active Directory/LDAP server.
- Secure connection
- Specifies whether secure LDAPS or non-secure LDAP will be used to connect.
- Username Field
- Specifies the Active Directory/LDAP field to be used to match the login attempt to Files.com.
- sAMAccountName is the most commonly used, but userPrincipalName is provided as an alternative.
- Active Directory limits the sAMAccountName attribute to 20 characters, so usernames synchronized from Active Directory are limited to 20 characters (not including the domain).
- The userPrincipalName attribute is not subject to this 20 character limitation.
- Check with your Active Directory/LDAP server administrator to see which field is used by your organization.
- The username that Files.com will use to login to your Active Directory/LDAP server.
- For example, mydomain\Administrator
- Check with your Active Directory/LDAP server administrator that this user has access permissions to read the user and group items in your directory.
- The password that Files.com will use to login to your Active Directory/LDAP server.
- Distinguished Name · Base Search Path
- The Distinguished Name (DN) of the location to begin searches within your directory.
- For example, CN=Users,DC=mydomain,DC=local
- Searches will only find items at or below this location in your directory.
- The domain suffix to be added to Files.com usernames.
- This is used to make sure that usernames are unique.
- For example, specifying local.mydomain.com will create usernames in the form "<username>@local.mydomain.com".
The above settings will allow users created within your Files.com account to use their Active Directory/LDAP password to authenticate.
However, note that the user must already exist within Files.com and the username must match exactly the pattern specified in the above settings. For example, if you specified sAMAccountName as the LDAP username field and mydomain.com as the domain suffix, then a user in your directory named janedoe would need a corresponding Files.com user account named janedoe@mydomain.com to exist in order to be able to log in.
To access the provisioning options, in the above form click the Show more link.
The additional items and fields shown are:
- Enable automatic user provisioning via SCIM?
- Allows you to use the System for Cross-domain Identity Management (SCIM) protocol for provisioning.
- Select Basic to specify a SCIM username and password to use.
- Select Token and specify an expiration date to use a SCIM token.
- Automatically provision users on first login?
- Causes users to be automatically provisioned when they attempt to log in to Files.com for the first time.
- Automatically deprovision users?
- Causes users to be automatically deprovisioned if they can no longer be found in your Active Directory/LDAP when the next synchronization occurs.
- Automatically provision group memberships?
- Causes users to be automatically placed into Groups based on their group membership settings within your Active Directory/LDAP system.
- Automatically deprovision group memberships?
- Causes users to be automatically removed from Groups if they no longer belong to the corresponding groups in your Active Directory/LDAP when the next synchronization occurs.
- Method used for deprovisioning users?
- Specifies whether deprovisioned users should be deleted or disabled within Files.com.
- We recommend that users be disabled, rather than deleted, in case you need to audit their prior activity, history, and settings.
- Provision company
- Sets the "Company" attribute in the Files.com user profile of the provisioned user.
- Add users to these default groups on first login
- Causes provisioned users to be automatically placed into these specified Files.com Groups when they first log in.
- Only provision users in these groups
- Limits the provisioning of users to only users that are a member of the Active Directory/LDAP groups specified.
- For example, to limit provisioning to only the Active Directory/LDAP users that are members of the Cloud and Support groups, specify "Cloud,Support".
- Only provision these groups
- Limits the provisioning of Active Directory/LDAP groups to only the groups specified.
- Exclude these groups from provisioning
- Causes the specified groups to be excluded from being provisioned within Files.com.
- Provision users in these groups to be site admins
- Causes users in the specified groups to be provisioned with Administrator privileges within Files.com.
- For example, to cause Active Directory/LDAP users that are members of the Administrators and Domain Admins groups to be given Administrator privileges within Files.com, specify "Administrators,Domain Admins".
- Provision users in these groups to manage their password via Files.com
- Causes users in the specified groups to be provisioned without Single Sign On (SSO) requirements, meaning that their password will be held within Files.com and the Active Directory/LDAP password will not be used.
- Auto-provisioned users with WebDAV permissions
- Specifies whether the provisioned users have permission to use the WebDAV protocol to connect to Files.com.
- Auto-provisioned users with FTP permissions
- Specifies whether the provisioned users have permission to use the FTP and FTPS protocols to connect to Files.com.
- Auto-provisioned users with SFTP permissions
- Specifies whether the provisioned users have permission to use the SFTP protocol to connect to Files.com.
- Default time zone for auto provisioned users
- Specifies the time zone attribute in the Files.com user profile of the provisioned user.
Click Save to save your configuration and begin synchronizing your LDAP users and groups.
Each time you click Save a synchronization will occur and will continue to occur every 60 minutes.
There are several items that can cause Single Sign On (SSO) or provisioning issues, such as:
- Invalid or expired SSL Certificates
- Invalid or expired access credentials to Active Directory/LDAP
- Incorrect permissions to Active Directory/LDAP
- Firewall settings
- Incorrect Group Memberships
- Incorrect Distinguished Name (DN) settings
When using a secure LDAPS connection to your Active Directory/LDAP server, check that:
- The SSL Certificate is not expired.
- Use an online SSL Certificate checker, such as SSL Shopper.
- The SSL Certificate is valid and chained. Do not use Self-Signed Certificates.
Files.com connects to your Active Directory/LDAP server using the credentials you supplied.
Make sure that these credentials:
If possible, test using new credentials to verify if the access problem lies with a single set of credentials or all credentials.
Files.com connects to your Active Directory/LDAP server using the credentials you supplied.
Make sure that these credentials:
- Have access permissions to the parts of the directory that user and group items are contained within.
- Have, at minimum, read permissions to the parts of the directory that user and group items are contained within.
If possible, test using new credentials to verify if the problem lies with the permissions of a single set of credentials or all credentials.
Files.com connects to your Active Directory/LDAP server using the LDAPS or LDAP port that you specified.
Make sure that these ports:
- Are not being blocked by your firewall.
- From outside your corporate network, try using an LDAP tool to connect, such as:
- ADExplorer (Windows)
- ldapsearch (Linux)
- Are not being "packet inspected" by your firewall
- If the packet inspection is re-writing any part of the data transmission, or its headers, then the TLS/SSL transport encryption will see this as a man-in-the-middle attack and terminate the connection.
Files.com will try to provision users and groups based on the configuration you provided.
If no users, or only a subset of users, are being provisioned then check your configuration to make sure that:
- You entered the correct Group names
- Within your Active Directory/LDAP, the users you wish to provision are indeed members of the specified Groups.
- Check the "memberOf" attribute of the Active Directory/LDAP users.
Files.com will try to provision users and groups based on the configuration you provided. The Distinguished Name (DN) specifies the part of the directory that Files.com has access to. Files.com will only be able to search within the Distinguished Name (DN) location. Check that:
- You have specified the correct Distinguished Name (DN).
- For example, CN=Users,DC=mydomain,DC=local is not the same as OU=Users,DC=mydomain,DC=local.
- The users and groups exist within this Distinguished Name (DN) location.
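The troubleshooting steps above (certificate chain, firewall/port reachability, service-account bind, group membership and base DN) can be exercised from outside your network with the standard openssl and ldapsearch tools. The script below is an added example written for this page, not Files.com code; it assumes OpenLDAP client tools and openssl are installed, that the groups named in "Only provision users in these groups" are direct children of the base DN (as CN=Users is for the built-in AD groups), and that host, port, bind DN and base DN are placeholders you replace with your own values.

```shell
#!/usr/bin/env bash
# Added troubleshooting helper for Files.com LDAP/AD SSO setups (not Files.com code).
# Assumes: ldapsearch + openssl installed; groups live directly under BASE_DN.
set -eu

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash is handled first so the other escapes are not re-escaped.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Escape a value for use as an RDN attribute value (RFC 4514), e.g. a group CN.
# Covers the common specials; leading/trailing spaces and a leading '#' are not handled.
ldap_dn_escape() {
  printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/,/\\,/g; s/+/\\+/g; s/"/\\"/g; s/</\\</g; s/>/\\>/g; s/;/\\;/g'
}

# Build the filter equivalent of "Only provision users in these groups":
# user objects whose memberOf names any of the given group CNs under BASE_DN.
# Usage: member_filter BASE_DN GROUP_CN [GROUP_CN ...]
member_filter() {
  local base="$1" clause=""; shift
  for cn in "$@"; do
    clause="$clause(memberOf=$(ldap_filter_escape "CN=$(ldap_dn_escape "$cn"),$base"))"
  done
  printf '(&(objectClass=user)(|%s))' "$clause"
}

# Certificate check: the TLS handshake is validated against the system trust store,
# so a self-signed or unchained certificate (or a firewall rewriting the stream) fails here.
check_ldaps_cert() {  # host port
  openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Bind as the service account and list the users who would be provisioned, with their
# memberOf values. -W prompts for the password so it stays out of shell history/ps output.
# Note: memberOf shows direct membership only; nested group membership is not expanded.
check_provisioning_scope() {  # host port bind_dn base_dn group...
  local host="$1" port="$2" binddn="$3" base="$4"; shift 4
  ldapsearch -LLL -o ldif-wrap=no -H "ldaps://$host:$port" -D "$binddn" -W \
    -b "$base" -s sub "$(member_filter "$base" "$@")" sAMAccountName memberOf
}

# Example: ./ldap-check.sh ad.mydomain.local 636 'mydomain\svc-filescom' \
#            'CN=Users,DC=mydomain,DC=local' Cloud Support
if [ "$#" -ge 4 ]; then
  check_ldaps_cert "$1" "$2" && echo "certificate chain OK" || echo "certificate check FAILED"
  check_provisioning_scope "$@"
fi
```

If the certificate check fails but ldapsearch with -x over plain LDAP on the same host succeeds, the problem is the certificate or a packet-inspecting firewall rather than credentials or the base DN.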