Before you begin

From the Cloudi-Fi interface, go to Settings > Auth modes and activate SAML for Administrators and get the following information:

The company hash is visible on your Cloudi-Fi account, go to Setting > Company Account > Cloudi-Fi Public Key

Set up SAML Single Sign-On

1. Add a SAML Configuration

From the AD FS management tool, right click AD FS from left panel and click Edit Federation Service Properties and get the value of Federation Service identifier.

Go back to Cloudi-Fi interface > Settings > Auth modes and paste the value in the Login Endpoint field.

From the AD FS management tool, go to AD FS > Service > Endpoints tab, search for and copy the URL path with a Type of SAML 2.0/WS-Federation.

Go back to Cloudi-Fi interface > Settings > Auth modes and paste the path, prefixed with your server URL (for example https://<mydomain.com>/adfs/ls), into the Entity ID field.

From the AD FS management tool, go to AD FS > Service > Certificates, right-click the certificate under Token-signing and click View Certificate. From the Certificate dialog, go to the Details tab and click Copy to File.

The Certificate Export Wizard opens; click Next and export the certificate as Base-64 encoded X.509 (.CER).

Open the exported certificate file and copy its contents (without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers). Go back to the Cloudi-Fi interface and paste it into the IdP Signing Certificate (x509 format) field.

2. Create a relying party trust

From the AD FS management tool, expand AD FS from left panel, select Relying Party Trusts and click Add Relying Party Trust.

Select Claims Aware and then select Enter data about relying party manually and click Next.

Give it a name and a description, then click Next.

On the Configure Certificate step, add the Cloudi-Fi SAML public certificate.

On the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol.

From Cloudi-Fi, copy the Identifier (Entity ID) and paste the value into the Relying party SAML 2.0 SSO service URL field, then click Next.

From the Cloudi-Fi interface, get the Reply URL (Assertion Consumer Service URL) and paste the value into the Relying party trust identifier field, click Add, then Next.

From the access control policy list, select Permit everyone and click Next.

Check the parameters on the Ready to Add Trust tab, click Next, and then close the wizard.

3. Edit claim rules

From the AD FS management tool, go to Relying Party Trusts, right-click the relying party trust you just added, click Edit Claim Issuance Policy, and then add a new rule.

Select Send LDAP Attributes as Claims.

Give it a name and add the mapping as follows.

From the Cloudi-Fi interface, configure the following:

Email Attribute name: the claim name corresponding to the email value.

Enable Administrator auto-provisioning and type the Claim name corresponding to the profile (or group) in the SAML Profile Attribute field.

The group or profile value MUST be single-valued (exactly one value per user).
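The relying party trust of step 2 and the claim rule of step 3, scripted with the AD FS PowerShell module instead of the wizard. This is an added example, not part of the original article or of the Cloudi-Fi product; the Entity ID, Reply URL, certificate path, the profile claim type and the choice of `department` as the single-valued profile attribute are assumptions to replace with the values shown in your Cloudi-Fi interface.

```powershell
# Added example: scripted equivalent of steps 2 and 3. Every value below is a
# placeholder (assumption); copy the real ones from the Cloudi-Fi interface.
Import-Module ADFS

$rpName     = 'Cloudi-Fi Administrators'
$rpEntityId = 'https://<cloudi-fi-entity-id>'        # Cloudi-Fi "Identifier (Entity ID)"
$rpAcsUrl   = 'https://<cloudi-fi-acs-url>'          # Cloudi-Fi "Reply URL (Assertion Consumer Service URL)"
$rpCertPath = 'C:\certs\cloudi-fi-saml-public.cer'   # Cloudi-Fi SAML public certificate (step 2)

# Wizard step "Configure Certificate" = the trust's token encryption certificate.
$rpCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rpCertPath)

# Claim rule language for step 3, "Send LDAP Attributes as Claims":
#   mail       -> emailaddress claim  (enter this claim name as "Email Attribute name")
#   department -> profile claim       (enter this claim name as "SAML Profile Attribute")
# department is single-valued in AD, which satisfies the "MUST be single-valued"
# rule; memberOf or tokenGroups are multi-valued and would break auto-provisioning.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Cloudi-Fi email and profile"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/profile"), query = ";mail,department;{0}", param = c.Value);
'@

# Assertion Consumer Service endpoint (SAML 2.0 WebSSO, HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $rpAcsUrl

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpEntityId `
    -SamlEndpoint $acs `
    -EncryptionCertificate $rpCert `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules

# Review the resulting trust before enabling SAML for administrators in Cloudi-Fi
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

Run it in an elevated PowerShell session on the AD FS server; the claim types in the rule are the values to type into the Cloudi-Fi Email Attribute name and SAML Profile Attribute fields.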

If you have any questions, please contact us at support@cloudi-fi.com
