LDAP/Active Directory SSO
Files.com provides integration with directory services using the LDAP protocol, enabling user authentication and user provisioning from your directory service. Files.com supports secure LDAP (LDAPS), which carries LDAP traffic over SSL/TLS on a dedicated port so that bind credentials and directory data are encrypted in transit.
Implementing Single Sign-On (SSO) allows your users to authenticate with the password specified in your corporate directory and permits your administrators to manage user credentials and privileges at a single location.
Users can be provisioned within Files.com based on criteria defined within your directory service. For example, you can specify that only users who are members of a specified group should be provided with Files.com user accounts.
Supported directory services include Active Directory, Apache Directory Server, OpenLDAP, and any other LDAP-compliant directory service.
Single Sign On (SSO)
Single Sign On (SSO) allows your users to use their existing corporate credentials to access Files.com, rather than needing to have separate credentials.
When Single Sign On (SSO) is configured, user passwords will be sent to your directory service for authentication. Users will only be allowed to log in to Files.com provided the supplied password matches what is held in your directory service.
This applies to login attempts made using the Files.com web portal or any of the connection protocols, such as FTP, SFTP, WebDAV, Files.com Desktop App, Mobile App, and API.
Automatic User Provisioning
User provisioning allows existing users and groups within your directory service to be created automatically within Files.com.
This removes the need for your administrators to have to manually create users and groups within Files.com that have already been created within your directory service.
Once configured, provisioning occurs every 60 minutes.
Pre-requisites for Connection
Files.com will connect to your directory service using the LDAP protocol and supports the use of secure LDAPS (port 636) and non-secure LDAP (port 389).
Firewalls
Please make sure that your firewall is configured to allow inbound connections to your directory service from Files.com, and only from Files.com: restrict the rule to the Files.com source addresses rather than exposing the LDAP port to the whole Internet.
If your firewall is only capable of whitelisting or blacklisting using IP addresses, rather than domain names, then please refer to our published list of current IP addresses used by Files.com.
Ports
Port numbers are configurable, allowing you to use non-standard ports if required. Although 636 and 389 are standard, we recommend using a non-standard LDAP port so that port scanners and bots cannot find your LDAP connection port as easily. Treat this as noise reduction only: a non-standard port is not a security control and does not replace restricting the firewall rule to the Files.com source addresses and requiring LDAPS.
TLS/SSL security
Files.com facilitates secure LDAP through the use of the LDAPS protocol, guaranteeing encrypted LDAP communication via SSL/TLS on a dedicated port. We strongly recommend using secure LDAPS (port 636) rather than LDAP (port 389) so that your information is encrypted using TLS/SSL in transit between your directory service and Files.com.
When using LDAPS, make sure that you use a valid and chained SSL Certificate. Do not use a self-signed SSL Certificate and do not configure your firewall to tamper with, or re-write, any transmitted data or data headers.
If your Active Directory server does not provide a secure connection, please follow Microsoft's instructions for enabling LDAPS on a Microsoft Active Directory server to enable it.
LDAP access credentials
Files.com will need login credentials in order to connect to your directory service and will be limited to the access privileges of the specified account.
We recommend that you create a dedicated "service account" login for Files.com and grant it only the permissions it needs: read access to the parts of your directory that you wish to use for Single Sign On (SSO) and user provisioning, and nothing more. Do not reuse an administrator account, and do not give the service account write access or interactive logon rights.
Configuring SSO with LDAP/Active Directory
To configure Single Sign On (SSO) with LDAP/Active Directory, type "SSO Providers" in the search box at the top of every page and then click on the matching result. Click the Add provider button. Click to select Active Directory/LDAP from the list of providers. Complete the form and click Save.
The items and fields in the form are as below:
Field Name | Details |
---|---|
Enabled | Use this switch to enable and disable the connection to your directory service. This can be used to quickly disable your LDAP users from logging in to Files.com. |
Host | The Fully Qualified Domain Name (FQDN) or IP address of your Active Directory/LDAP server. |
Add Backup Host | You can add a backup Active Directory/LDAP server to use if the primary isn't reachable. Files.com will then automatically connect to the Backup host when the main server (Host) cannot be reached. The Backup host must be a replica of the main server (Host). Uses URL nomenclature. For example: `ldaps://www.mysite.com:636`. |
Port | The port to be used to connect to your Active Directory/LDAP server. |
Secure Connection | Specifies whether secure LDAPS or non-secure LDAP will be used to connect. |
Username Field | Specifies the Active Directory/LDAP attribute used to match the login attempt to a Files.com user. sAMAccountName is the most commonly used, but userPrincipalName is provided as an alternative. Active Directory limits the sAMAccountName attribute to 20 characters, so usernames synchronized from Active Directory via sAMAccountName will be limited to 20 characters (not including the domain). The userPrincipalName attribute is not subject to this 20 character limitation. Check with your Active Directory/LDAP server administrator to see which attribute is used by your organization. |
Username | The username that Files.com will use to login to your Active Directory/LDAP server. For example: Check with your Active Directory/LDAP server administrator that this user has access permissions to read the user and group items in your directory. |
Password | The password that Files.com will use to login to your Active Directory/LDAP server. |
Distinguished Name · Base Search Path | The Distinguished Name (DN) of the location to begin searches within your directory. For example: Searches will only find items at or below this location in your directory. |
Domain | The domain suffix to be added to Files.com usernames. This is used to make sure that usernames are unique. For example, specifying `local.mydomain.com` will create usernames as `user@local.mydomain.com`. |
The above settings will allow users created within your Files.com account to use their Active Directory/LDAP password to authenticate.
However, note that the user must already exist within Files.com and the username must match exactly the pattern specified in the above settings. For example, if you specified sAMAccountName as the LDAP username field and mydomain.com as the domain suffix, then a user in your directory named janedoe would need a corresponding Files.com user account named janedoe@mydomain.com to exist in order to be able to log in.
It is strongly recommended to keep at least one site administrator with the password option as the authentication method, rather than assigning all to SSO, to prevent being locked out of Files.com in case of IdP or SSO issues.
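The matching rule described above, as an added example that is not Files.com code: a directory login succeeds only when a Files.com account named exactly `<Username Field value>@<Domain>` already exists and the directory (not Files.com) accepts the password. The directory contents, the Files.com user table and the domain suffix `mydomain.com` are all constructed sample data, and the LDAP bind is simulated with a dictionary lookup. The function names are my own.

```python
# Added example, not Files.com code. Models the SSO username match from the
# section above: a Files.com account named <sAMAccountName>@<Domain> must
# already exist, and the password is checked by the directory, never locally.
# DIRECTORY and FILES_COM_USERS are constructed sample data.

SAM_ACCOUNT_NAME_MAX = 20  # Windows limit on sAMAccountName for user objects

# Constructed stand-in for the directory: sAMAccountName -> password.
# A real deployment binds to LDAP; Files.com never stores these passwords.
DIRECTORY = {
    "janedoe": "Winter-2024!",
    "alexanderhamiltonjr01": "Quill&Ink",   # 21 characters: cannot exist in AD
}

DOMAIN_SUFFIX = "mydomain.com"   # the provider's "Domain" setting (assumed value)

# Constructed Files.com user table: username -> authentication method.
FILES_COM_USERS = {
    "janedoe@mydomain.com": "ldap",
    "janedoe": "ldap",          # mis-created: missing the domain suffix
    "admin": "password",        # break-glass site admin kept on a local password
}


def files_com_username(sam_account_name: str, domain_suffix: str = DOMAIN_SUFFIX) -> str:
    """Username Files.com expects when Username Field is sAMAccountName."""
    if not sam_account_name or "@" in sam_account_name:
        raise ValueError("expected a bare sAMAccountName, not a UPN")
    if len(sam_account_name) > SAM_ACCOUNT_NAME_MAX:
        raise ValueError(
            f"{sam_account_name!r} is {len(sam_account_name)} characters; "
            f"AD limits sAMAccountName to {SAM_ACCOUNT_NAME_MAX}")
    return f"{sam_account_name}@{domain_suffix}"


def check_sso_login(username: str, password: str) -> tuple:
    """Decide a directory-backed login attempt; returns (allowed, reason)."""
    method = FILES_COM_USERS.get(username)
    if method is None:
        return False, f"no Files.com user named {username!r}; create it or wait for provisioning"
    if method != "ldap":
        # Local-password accounts are never sent to the directory, which is
        # what keeps a break-glass administrator working during an LDAP outage.
        return False, "account uses a Files.com password; not routed to the directory"
    local, sep, suffix = username.rpartition("@")
    if not sep or suffix != DOMAIN_SUFFIX:
        return False, f"username does not end in the configured suffix @{DOMAIN_SUFFIX}"
    # Simulated LDAP bind: the directory decides whether the password is right.
    if DIRECTORY.get(local) != password:
        return False, "directory rejected the password (or no such sAMAccountName)"
    return True, "authenticated against the directory"


if __name__ == "__main__":
    for user, pw in [("janedoe@mydomain.com", "Winter-2024!"),
                     ("janedoe", "Winter-2024!"),
                     ("janedoe@mydomain.com", "wrong"),
                     ("bsmith@mydomain.com", "anything")]:
        print(user, "->", check_sso_login(user, pw))
```

The `janedoe` entry without a suffix illustrates the most common mistake: the Files.com account exists, the directory password is right, but the name does not match the `sAMAccountName@Domain` pattern, so the login is refused before any bind is attempted.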
Configuring Automatic Provisioning
Files.com offers various automatic provisioning configuration options when you integrate your Active Directory/LDAP using SCIM Provisioning. Each time you configure and save the automatic provisioning options, a synchronization will occur and will continue to occur every 60 minutes.
Troubleshooting
There are several items that can cause Single Sign On (SSO) or provisioning issues, such as:
Invalid or expired SSL Certificates
When using a secure LDAPS connection to your Active Directory/LDAP server, check that the SSL Certificate is not expired. Use an online SSL Certificate checker, such as SSL Shopper, or inspect the served chain directly with `openssl s_client -connect <host>:636 -showcerts`. Make sure that the SSL Certificate is valid, chained to a trusted CA, and issued for the hostname you entered in the Host field. Do not use Self-Signed Certificates.
Invalid or expired access credentials to Active Directory/LDAP
Files.com connects to your Active Directory/LDAP server using the credentials you supplied.
Make sure that these credentials are valid and can be used to log in to Active Directory/LDAP using another LDAP tool such as: ADExplorer (Windows) or ldapsearch (Linux).
If possible, test using new credentials to verify if the access problem lies with a single set of credentials or all credentials.
Incorrect permissions to Active Directory/LDAP
Files.com connects to your Active Directory/LDAP server using the credentials you supplied.
Make sure that these credentials have, at minimum, read permissions on the parts of the directory that contain the user and group items you want Files.com to see.
If possible, test using new credentials to verify if the problem lies with the permissions of a single set of credentials or all credentials.
Firewall settings
Files.com connects to your Active Directory/LDAP server using the LDAPS or LDAP port that you specified. Make sure that these ports are not being blocked by your firewall.
- From outside your corporate network, try using an LDAP tool to connect, such as: ADExplorer (Windows) or ldapsearch (Linux).
- Make sure these ports are not being "packet inspected" by your firewall. If the packet inspection is re-writing any part of the data transmission, or its headers, then the TLS/SSL transport encryption will see this as a man-in-the-middle attack and terminate the connection.
Incorrect Group Memberships
Files.com will try to provision users and groups based on the configuration you provided.
If no users, or only a subset of users, are being provisioned then check your configuration to make sure that you entered the correct Group names and, make sure that within your Active Directory/LDAP, the users you wish to provision are indeed members of the specified Groups. Lastly, check the memberOf attribute of the Active Directory/LDAP users.
Incorrect Distinguished Name (DN) settings
Files.com will try to provision users and groups based on the configuration you provided. The Distinguished Name (DN) specifies the part of the directory that Files.com has access to. Files.com will only be able to search within the Distinguished Name (DN) location.
Make sure that you have specified the correct Distinguished Name (DN). For example, `CN=Users,DC=mydomain,DC=local` is not the same as `OU=Users,DC=mydomain,DC=local`. Also, make sure that the users and groups exist within this Distinguished Name (DN) location.