1

www.ezeep.com +1-720-253-1400 hello@ezeep.com

ContentsIntroduction ....................................................................................................................................................................................................2

Requirements .................................................................................................................................................................................................2

Setup Steps ...................................................................................................................................................................................................3

1.GetTokenSigningCertificate .....................................................................................................................................................3

2.CreateaSingleSignOnSettingssetinyourezeepPortal .......................................................................................................5

3. Enter SAML Settings ...................................................................................................................................................................6

4.CreateRelyingPartyTrust ..........................................................................................................................................................8

5.ConfigureClaimRules ............................................................................................................................................................. 10

5.1TransformanincomingClaim(EmailtoNameID) ........................................................................................ 12

5.2SendLDAPAttributesasClaim(Importantforgroupassignment) ............................................................ 14

6.SetupgroupsintheezeepPortal ........................................................................................................................................... 16

UserSign-On ................................................................................................................................................................................................ 17

Connecting ezeep to your Directory Service via SAML

2

www.ezeep.com +1-720-253-1400 hello@ezeep.com

IntroductionSAMListodaysstandardwhenitcomestoconnectingtheusermanagementofacloudservicewithadirectoryservice.ThismanualdescribesthestepsrequiredtoconnectanezeepaccounttoadirectoryservicelikeADFS,AzureActiveDirectory,PintIdentiy,miniOr-angeandothers.Whiletheconfigurationvariesbetweenthem,thefundamentalstepstoconnectarethesame.TheexamplesusedherearebasedonActiveDirectoryFederationServices.

Requirements•ezeepadministratoraccount•administratoraccountforyourdirectoryservice

3

www.ezeep.com +1-720-253-1400 hello@ezeep.com

Setup Steps 1. Get Token Signing CertificateFirst,weneedtogetthetoken-signingcertificatefromyourADFSserver.Wewillneedthistovalidatethattheincomingsecurityto-kenswereindeedcreatedbyyourADFSserverandnotmodifiedintransit.Microsoftstatesthatthepublic/privatekeypairingisthemostimportantvalidationmechanism.

Togetyourtoken-signingcertificate,goto

• ADFSManagementonyourADFSserver•UnderADFS/Service/CertificatesdoubleclickthevalueunderToken-signing•Underthetab“Details”choseCopytoFile...andexportthecertificateasBase-64encodedX.509(CER)• Storethefilesecurely,youwillneedtouploadittoourAdminportalinthenextstep

4

www.ezeep.com +1-720-253-1400 hello@ezeep.com

5

www.ezeep.com +1-720-253-1400 hello@ezeep.com

2. Create a Single Sign On Settings set in your ezeep Portal•Logintoyourezeepaccountasadministrator• Clickonyouraccount(youremailaddress/displaynameinourmenuontheleft)•UnderSingleSignOnyouwillfindthesettingsthatyouhavesetup(thereshouldbenoneyet)•Clickon“AddSSO”andchoseSAML2.0• A new popup will open with SAML settings

6

www.ezeep.com +1-720-253-1400 hello@ezeep.com

3. Enter SAML SettingsOurSAMLsettingsincludeallbasicsettingsthatyouneedtosetupforSAMLtoworkproperly.Enteryourspecificinformationandremembertosavethesettings.

Thistablecontainsthedetailsaboutthespecificsettings:

Setting Name Description Example

Name(RENAMEME)ThisisthenamethatwewillstoretheSAMLsetforyoutofind.Foryouraccountthisnameneedstobeunique.

"ThinPrintCloudSAMLSettings"

OrganizationIdentifier

ThisisyourOrganizationIDwhichisuniqueacrossourwholesolution.EachSAMLsettingneedsoneOrganizationID. WhenyourusersenterthisOrganizationIDat: https://accounts.ezeep.com/auth/signin/saml/ theywillbefollowingtheSAMLrulesetthatyousethereandforwardedtotheaccordingIdentityProvi-der Login URL.

ThinPrintCloud

EntityID TheentityIDofyourIdentityProvider. „http://adfsdc.cortsol.net/adfs/ services/trust“

IdentityProviderLoginURL

ThisistheloginURLofyouridentityproviderwhichinthiscaseisyourADFS.WhenusersenteryourOrganizationIDabovetheywillberedirectedtothisURL.

"https://adfsdc.cortsol.net/adfs/ls"

LoginBindingtype

Pickabindingtypeforyourloginrequests.ThissettingstateshowSAMLrequestandresponsemessagesaremapped.WerecommendtochoosetheHTTPredirectmethod.

•HTTPPost•HTTPredirect

Post„urn:cortsol:names:tc:SAML:2.0:bin-dings:HTTP-POST“

Redirect„urn:cortsol:names:tc:SAML:2.0:bin-dings:HTTP-Redirect“

IdentityProviderLogoutURLThisistheURLthatweredirecttheusertowhentheuseractivelywantstologoutofasessioninourportal.

"https://adfsdc.cortsol.net/adfs/ls/?wa=wsignout1.0"

LogoutBindingtype

Pickabindingtypeforyourlogoutrequests.ThissettingstateshowSAMLrequestandresponsemessagesaremapped.WerecommendtochoosetheHTTPredirectmethod.

•HTTPPost•HTTPredirect

Post„urn:cortsol:names:tc:SAML:2.0:bin-dings:HTTP-POST“

Redirect„urn:cortsol:names:tc:SAML:2.0:bin-dings:HTTP-Redirect“

IdentityProviderCertificate(Base64encoded)

Thisisthetoken-signingcertificatethatweexportedtofileinthefirststep„Get Token-Signing Certifica-te“.Youcanuploadithereforustostoresecurely.

„-----BEGINCERTIFICATE-----a++++R0XNd+bDaBH2Jqpdln0+//asdsa-dadasd=-----ENDCERTIFICATE-----“

7

www.ezeep.com +1-720-253-1400 hello@ezeep.com

8

www.ezeep.com +1-720-253-1400 hello@ezeep.com

4. Create Relying Party TrustTosetupezeepasanapplicationthatcanbetrustedbyyourADFS,youneedtocreateaRelyingPartyTrustonyourADFS.WehaveapreconfiguredxmlfileforyouthatcontainsallnecessaryinformationtoautomaticallyconfigureyourADFS.YoucanfinditaftersavingyourfirstSAMLSettingsontheSingleSignOnSettingsscreen.YoucaneithersavethelinktotheXMLsettings(wewillneeditontheADFSserverlater)orstorethewholefileincasethatyourADFSdoesnothaveaninternetconnection.

OntheADFSserver•OpenyourADFSManagementandgotoTrustRelationships/RelyingPartyTrusts•AddRelyingPartyTrust•IntheWizard,youcanimportdatabyenteringthelinkthatyousavedfromourportalorpointtothelocalxmlfilethatyoutransferredtotheserver

•YoucancheckthesettingsbycontinuingtheWizard

9

www.ezeep.com +1-720-253-1400 hello@ezeep.com

10

www.ezeep.com +1-720-253-1400 hello@ezeep.com

5. Configure Claim RulesWhenauserknocksonourportallogindoorwithaSAMLtoken,weconsiderthetokenandevaluatecertainattributesfromitandusethemaccordingly.Theseattributesneedtoidentifytheuserandtheezeepgroupstheusershouldbeamemberof.Thiswaywecandirectlymakeprintersaccessibletousersbasedonthegroupsandpoliciesthatexistinyourezeepportal.

ClaimRulesareusedtospecifytheseattributesintheSAMLtokens.ClaimRulesmapanattributefromyourActiveDirectoryuserobjecttoakeytheezeepserviceunderstands.Forinstance,youcanchoosewhichattributeyouwanttousetomapyouruserstoezeepgroupssoezeepcanperformtheassignmentautomaticallywhentheuserlogsin.

Ezeepislookingforthefollowingattributes:

Name Outgoing Claim Type Required Description Example

NameID NameID Yes

Needstobeine-mailformat.

WeusetheNameIDto identifyauser.

john@cortsol.net

groupshttp://schemas.microsoft.com/ws/ 2008/06/identity/claims/groups

Requiredforusersto print

The strings in groups will bematchedwiththenamestringsofgroupsthattheadmincreatedinourportal

cortsol.net\DomainUsers

Firstname first_name No,optionalWedisplaythefirstnamesinyourusersviewforyoutosearchforandfilterusers.

John

Lastname last_name No,optionalWedisplaythelastnamesinyourusersviewforyoutosearchforandfilterusers.

McClane

11

www.ezeep.com +1-720-253-1400 hello@ezeep.com

AttheendoftheRelyingPartyTrustWizardyoucandirectlyopentheEditClaimRulesdialog.Youwillneedittoconfigureyourusersettingsjustthewayyouwantthem.YoucanalsoopenthedialogwitharightclickonthenewlycreatedRelyingPartyTrustforezeepandclickonEditClaims:

12

www.ezeep.com +1-720-253-1400 hello@ezeep.com

5.1 Transform an incoming Claim (Email to NameID)

Thefirstrulesetalwaysmustbetheidentifieraswerequirethisattributetoidentifyauser.Werequiretohaveemailaddressesastheidentifierthatmustbeset.ForthisyoucanusetheClaimruletemplate“TransformanIncomingClaim”

InthetemplatesettheIncomingClaimastheE-MailAddressandtheoutgoingclaimtypeasNameIDwithE-Mailastheformat.Thiswilltakethee-mailaddressattributefromyouruserandmapittoNameIDsothatweknowthatthisistheattributewherewefindtheusersE-Mailaddress:

13

www.ezeep.com +1-720-253-1400 hello@ezeep.com

14

www.ezeep.com +1-720-253-1400 hello@ezeep.com

5.2 Send LDAP Attributes as Claim (Important for group assignment)

AsanextstepaddanotherClaimruleandchosethe“SendLDAPAttributesasClaims”template:

ThisopensatablewhereyoucanpickyourintendedADattributeontheleftandspecifytheoutgoingclaimontheright.

Yourusersalwaysprintpergrouprulesetsthatyoucansetinourezeepportal.Forustoassignthemtothecorrectgroups,youneedtochoosetheLDAPattributethatyouusefororganizingyourgroupsinyourADandmapthemtotheoutgoingclaimhttp://schemas.microsoft.com/ws/2008/06/identity/claims/groups:

15

www.ezeep.com +1-720-253-1400 hello@ezeep.com

16

www.ezeep.com +1-720-253-1400 hello@ezeep.com

6. Set up groups in the ezeep PortalIntheezeepportaltheusersareorganizedingroups.Groupshavepoliciesappliedtothem.Policiesdefineaccesstoprintersandprinterfeatures.Forthegroupsandpolicysystemtoworkproperly,theLDAPgroupattributehastocontaingroupinformationintheexactsameformat,theclaimrulesconfiguredinthepreviousstepcommunicates.

Hereareafewexamples:

AD Attribute Name ExampleToken-Groups-QualifiedbyDomainName •cortsol\DomainUsersToken-GroupsasSIDs •S-1-5-21-1206454754-1378802883-1802596162-513Token-Groups-QualifiedbyLongDomainName •cortsol.net\DomainUsersToken-Groups-UnqualifiedNames •DomainUsers

Is-Member-Of-DL •CN=Guests,CN=Builtin,DC=cortsol,DC=net•CN=Users,CN=Builtin,DC=cortsol,DC=net

ItisessentialthatyoucreatetheGroupsintheezeepportalwiththeexactsamestringasitisgoingoutfromyourAD.OurworkflowistoconsidertheSAMLtoken,checktheattribute“groups”andtrytoassigntheuserstotheezeepgroupswiththeexactlysamematchingstringsasnames.Therecanbemultiplegroupsintheattribute,wewilltrytomatchthemallwiththeezeepgroups.Ifwedonotfindthisgroupsetupbyyouinourportal,wewilljustignoreit.

ThischeckisperformedeverytimeauserlogsinwithaSAMLtoken.WemakesurethatwecleantheformergroupsassignedtoauserbeforeassigningthegroupsthatwefindinthenewSAMLtokensothatchangestogroupsareappliedeverytimeauserlogsinwithanewtoken.Thismakessurethatoldgroups,thattheuserwereassignedto,getunassignedwhenwedon’tfindthemintheSAMLtokenanymore.

17

www.ezeep.com +1-720-253-1400 hello@ezeep.com

User Sign-OnAfterezeepandthedirectoryservicearelinkedviaSAML,userscansimplygotoportal.ezeep.comandclickon“SigninwithOrgani-zationID”orgodirectlytohttps://accounts.ezeep.com/auth/signin/saml/

TheyneedtoentertheOrganizationIDthatyousetasOrganizationIdentifierintheezeepportal.

18

www.ezeep.com +1-720-253-1400 hello@ezeep.com

OncetheyentertheID,theywillberedirectedtothelinkyouprovidedasIdentityProviderLoginURL.

AftersuccessfulauthenticationonyourIdentityProvider,theywillberedirectedtotheportalandcanprintperthegroupsthatyouset up.