Here are the steps to configure the LiquidFiles application:
- Log into your On-Demand Tenant.
- Select SSO Manager.
- Select the small green plus in the bottom right corner.
- Select LiquidFiles from the vertical list selection.
- Enable the Application.
- Select the appropriate Authentication Policy.
- Select Protocol Setup.
- Update the Assertion Consumer Service URL: https://files.example.com/saml/init
- Update the Service Entity ID (Issuer): https://files.example.com/saml/consume
- Select Add Application.
Configure the LiquidFiles Virtual Appliance for Single Sign On
- Log into the LiquidFiles Virtual Appliance with an administrative account.
- Navigate to the Admin section and select Single Sign-On from the left menu.
- Specify the Protocol as SAML 2.
- Set the IdP Login URL to the SP-Init endpoint in AuthAnvil On-Demand. This URL is located at https://(Your On-Demand tenant)/sso/federation/passive/Saml2SPInit
- Set the Logout URL to the AuthAnvil Single Sign On Single Sign Out URL (bit of a tongue twister, eh?). This URL is located at https://(Your On-Demand tenant)/sso/federation/passive/signout.
- Specify the thumbprint from the Signing Certificate in the application configuration in AuthAnvil Single Sign On. You can find this by navigating to the LiquidFiles application in AuthAnvil Manager and opening the Certificate Authority section. The thumbprint can be copied directly into the LiquidFiles configuration.
- Finally, modify the Authentication Context to urn:oasis:names:tc:SAML:2.0:ac:classes:Password. Otherwise, you will be prompted to elevate credentials within AuthAnvil Single Sign On.
Why do we do this?
By default, AuthAnvil Single Sign On issues tokens specifying that the user was authenticated with a password. This is for compatibility reasons, as most federated applications expect it. If you left the value as is, AuthAnvil Single Sign On would issue a token specifying password; LiquidFiles would compare the value in the token and, since it's not what it's expecting, request that AuthAnvil reissue a new token. AuthAnvil Single Sign On currently allows authentication via the AuthAnvil Two Factor Auth system, so in our case an elevation is simply a re-authentication of a user's OTP.
If you don't want to modify the Authn Context in LiquidFiles and do not want to require elevation in AuthAnvil Single Sign On, contact support to reconfigure the authentication type for the LiquidFiles application in AuthAnvil Single Sign On.
- Save the changes and try logging into LiquidFiles from the AuthAnvil Single Sign On portal. You should see the application in the list.
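The AuthnContext comparison explained above, as an added example that is not part of the original article or of either product: a small Python check that mimics the service-provider side, reading the AuthnContextClassRef out of a constructed (unsigned) SAML response and deciding whether it matches the class the SP is configured to require. The issuer URL and the sample response are constructed; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The class AuthAnvil issues by default, and one an SP might be configured to
# require instead (both are standard SAML 2.0 AuthnContext class URIs).
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed sample: a minimal unsigned response of the shape an IdP issues.
# Issuer and subject are made-up test values.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/sso</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/sso</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{PASSWORD}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def authn_context_class(response_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef from the first assertion, or None."""
    root = ET.fromstring(response_xml)
    path = ("./saml:Assertion/saml:AuthnStatement/"
            "saml:AuthnContext/saml:AuthnContextClassRef")
    ref = root.find(path, NS)
    return ref.text.strip() if ref is not None and ref.text else None


def evaluate_assertion(response_xml: str, required_class: str) -> str:
    """Mimic the SP-side decision the article describes.

    'accept' when the issued class equals the configured one, 'reauth' when it
    differs (the SP sends the user back to the IdP, which shows up as the
    elevation prompt), 'reject' when no class is present at all.
    """
    issued = authn_context_class(response_xml)
    if issued is None:
        return "reject"
    return "accept" if issued == required_class else "reauth"


if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_RESPONSE, PASSWORD))     # accept
    print(evaluate_assertion(SAMPLE_RESPONSE, UNSPECIFIED))  # reauth
```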