10.6 Configuring Single Sign-On with KeyShield

10.6.1 Prerequisites

For Filr to work with an existing KeyShield installation, you must have the following already in place.

  • A KeyShield SSO server that is registered with DNS and provides single sign-on services to your network users.

  • An API Key that is displayed in a defined API Authorization configuration.

  • One or more Authentication Connectors (defined on the KeyShield server) that are allowed to be used with the API Key.

  • Administrative Access to the KeyShield server for obtaining the following:

    • The API Authorization Key associated with the KeyShield Connectors you are leveraging for Filr.

    • The SSL certificate, downloadable as a .CER file for importing into the Filr keystore.

10.6.2 (Conditional) Allowing the Authorization Connectors to Access the API Key

Continuing in the General tab (accessed in the previous section), if access to the KeyShield SSO APIs is restricted to users on specific connectors, ensure that the connectors that your Filr users will be connecting through are listed by doing the following:

  1. If the connectors your users will use are not listed, click the bar below the already-allowed connectors.

  2. Select the connectors for your users, then click OK.

10.6.3 Configuring Filr for KeyShield SSO Support

  1. Open a new tab or a new browser session to access Filr on port 8443:

    https://filr-ip-address-or-dns-name:8443

    For example, https://192.168.30.150:8443

    Having a new session will let you easily switch between the KeyShield administration console and the Filr Administration console.

  2. In the new browser session, log in to Filr as an administrator.

  3. Click the admin link in the upper-right corner of the page, then click the Administration Console icon.

  4. In the left frame, click KeyShield SSO.

  5. In the KeyShield SSO Configuration dialog, click Enable KeyShield SSO.

  6. In the KeyShield Server URL field, type the access URL for the KeyShield server:

    https://ks-server-dns-name_or_ip-address:ks-server-https-port/

    For example,

  7. Switch to the KeyShield browser-based console, toggle open the API Key, then select and copy the key to your clipboard.

  8. Switch to the Filr Administration panel and paste the API Key into the API Authorization field.

  9. The HTTP Connection Timeout controls how long the Filr Appliance will wait for a response from the KeyShield server before prompting users for their login credentials.

    Novell doesn’t recommend changing this value unless the connection between the Filr Appliance and the KeyShield SSO server doesn’t facilitate a quick response, for example when the appliance and server are connected over a WAN.

  10. In the Connector Names field, type the names of each KeyShield SSO connector that Filr users will connect through.

  11. Continue with the next section, KeyShield Attribute Alias Support.

10.6.4 KeyShield Attribute Alias Support

Filr lets administrators provision users from different LDAP sources, such as eDirectory and Active Directory. It also allows for flexibility in specifying which LDAP attribute will be imported as the Filr username.

In addition to Filr, organizations have email applications, RADIUS clients, and so on, that use different LDAP attributes for their usernames.

KeyShield 6 includes support for Attribute Aliases. These let KeyShield match username validation requests from each application with the LDAP attribute that the application uses for its usernames.

A Filr Example

  1. Jane Smith logs in through KeyShield’s SSO service using jsmith (her UID in LDAP) as her Username.

  2. Jane then launches Filr.

    Unfortunately, the Filr administrator who configured the LDAP import specified CN as the LDAP username attribute, so JaneSmith was imported as Jane’s Filr username.

  3. When Filr tries to authenticate Jane Smith, KeyShield doesn’t find her as an authenticated user and the attempt fails.

    Jane is then prompted to log in to Filr.

  4. To fix the mismatch of LDAP attributes, Jane’s KeyShield administrator adds x-filr = cn as an Attribute Alias in KeyShield.

  5. Jane’s Filr administrator adds x-filr as the Username Attribute Alias in Filr.

  6. The next time Jane launches Filr after signing in through KeyShield’s SSO service, KeyShield verifies to Filr that JaneSmith is authenticated and no additional login is required.

Configuring Attribute Alias Support

  1. In KeyShield, specify the appropriate Attribute Alias for each Authentication Connector.

    For example, if your Filr deployment uses the CN attribute as the username for an eDirectory server that is defined as an Authentication Connector in KeyShield, then in the Attribute Alias field in the connector configuration, you would specify

    x-filr = cn

    This means that for this Authentication Connector, when authentication verification requests arrive with the Attribute Alias x-filr, KeyShield needs to request a match in the CN attributes in the targeted eDirectory Authentication Connector.

  2. By default, in the Filr 2.0 KeyShield SSO Configuration dialog, the Username Attribute Alias is set to x-filr.

    We strongly recommend that you not change this value. However, if you do, be sure that the name is changed in each KeyShield Authentication Connector configuration as well.

  3. Continue with Configuring Two-Factor Authentication.
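The following is an added illustration, not KeyShield or Filr code, of the mechanism behind both "A Filr Example" and the Attribute Alias configuration above: the directory entries, the SSO session table and the alias table are constructed, and the verification logic is a simplified model of what KeyShield does when an application asks whether a username is authenticated.

```python
# Added illustration (not KeyShield or Filr code) of Attribute Alias
# resolution. All data below is constructed for the example.

# Constructed eDirectory-style entries: each user has a uid and a cn.
DIRECTORY = [
    {"uid": "jsmith", "cn": "JaneSmith", "mail": "jane@example.com"},
    {"uid": "bjones", "cn": "BobJones", "mail": "bob@example.com"},
]

# Constructed view of KeyShield's session table: the uid each user
# signed in with through the KeyShield SSO client. Bob never signed in.
AUTHENTICATED_UIDS = {"jsmith"}

# Attribute Aliases defined on the Authentication Connector
# (the "x-filr = cn" entry from the page).
ALIASES = {"x-filr": "cn"}


def resolve_attribute(alias, aliases):
    """Return the LDAP attribute an alias maps to.

    No alias means the plain uid. An alias the connector does not
    define returns None so the caller fails closed; this is the
    mismatch you get if the Username Attribute Alias is renamed in
    Filr without updating every Authentication Connector.
    """
    if alias is None:
        return "uid"
    return aliases.get(alias)


def is_authenticated(username, alias=None, aliases=None):
    """Simulate KeyShield checking whether `username`, as Filr knows
    it, belongs to a user with an active SSO session.

    1. Resolve the alias to an LDAP attribute.
    2. Find the directory entry whose attribute equals `username`.
    3. Report whether that entry's uid has an SSO session.
    """
    attr = resolve_attribute(alias, aliases or {})
    if attr is None:
        return False  # alias unknown on this connector: fail closed
    for entry in DIRECTORY:
        if entry.get(attr) == username:
            return entry["uid"] in AUTHENTICATED_UIDS
    return False  # no such user under that attribute: prompt for login


if __name__ == "__main__":
    # Without an alias, "JaneSmith" is looked up as a uid and fails.
    print(is_authenticated("JaneSmith"))                     # False
    # With x-filr = cn on the connector, the same request succeeds.
    print(is_authenticated("JaneSmith", "x-filr", ALIASES))  # True
```

Running the block prints the failing lookup from step 3 of the example followed by the successful one from step 6.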

10.6.5 Configuring Two-Factor Authentication

KeyShield 6.1 adds the ability to require a hardware token in addition to usernames and passwords for LDAP users seeking access through a web browser or WebDAV.

NOTE: Two-factor authentication doesn’t apply to desktop or mobile device applications.

Filr 2.0 supports KeyShield’s two-factor authentication capability through two new options in the KeyShield SSO Configuration dialog:

  • Require Hardware Token: Requires a physical token, such as an access card, for access to Filr.

    You can also specify the error messages that you want displayed when the required token is either not presented or not recognized by KeyShield for web browser or WebDAV access.

  • Allow Username/Password based Fallback Authentication (non-SSO) for LDAP Users: Allows authentication by entering a username and password as an alternative to the hardware token.

    Use this option if you want users to be able to effectively bypass the hardware token requirement by typing in their username and password.

  1. If you want to configure two-factor authentication for your KeyShield 6.1 SSO service, select the options and specify the text accordingly.

  2. Click Test Connection.

    Because the Filr appliance doesn’t yet have the KeyShield SSO SSL certificate in its keystore, the test fails.

  3. Continue with Section 10.6.6, Downloading and Installing the KeyShield SSO SSL Certificate.

10.6.6 Downloading and Installing the KeyShield SSO SSL Certificate

  1. Open a third browser session and access the Filr appliance on port 9443:

    https://filr-ip-address-or-dns-name:9443

    For example, https://192.168.30.150:9443

  2. Log in as vaadmin.

  3. Switch to the KeyShield browser-based console and under General/Web Interface, click Edit.

  4. Click the Download button for the HTTPS Keystore.

  5. Save the Keyshield.cer file on the workstation running the browser.

  6. Switch to the browser session opened in Step 1 and click the Appliance Configuration icon.

  7. Click the Digital Certificates icon.

  8. Click File > Import > Trusted Certificate.

  9. Click Browse, then browse to the location where you saved the Keyshield.cer file and click Open.

  10. Click OK to import the certificate file.

  11. Acknowledge the message about restarting the appliance by clicking OK.

  12. Click the back arrow in the browser, then select Reboot.

  13. After the system restarts, continue with the next section, Testing the KeyShield SSO Configuration.

10.6.7 Testing the KeyShield SSO Configuration

  1. Switch back to the Filr administration console (port 8443).

  2. Click Test Connection.

    The test should succeed.

  3. Click OK to finalize the configuration and complete the KeyShield SSO integration.