Below is a guide for manually configuring SSO between Azure AD and Cerberus FTP Server.
Before we Begin
For your convenience, it is recommended that you have the following screens open at the same time:
- Cerberus FTP Server admin console
- Azure AD directory console
Note that settings will be exchanged between the two.
The first few steps establish the beginnings of both the Azure AD and Cerberus FTP Server configurations. Following that, we synchronize important options between the two. Finally, we wrap up independent configuration on either side and test Single Sign On.
- Create the Azure AD Enterprise Application (Enterprise App)
- Create the Cerberus FTP Server SSO Configuration (SSO Config)
- Combined Configuration of the Enterprise App and SSO Config
- Complete SSO Config Settings
- Add Users and Groups to the Enterprise App
- Test Single Sign On
- Known Issues
Create the Azure AD Enterprise Application (Enterprise App)
- From the Directory Server home, click the Enterprise Applications item in the left navigation bar:
- From the Enterprise Applications console, click + New application:
- Click Create your own application:
- In the Create your own application dialog, choose the Integrate any other application you don’t find in the gallery (Non-gallery) option. Give the application a descriptive name and click Create:
- The application will be created and its configuration page will appear. Click the Set up single sign on item:
- Then choose SAML from the next dialog:
- The next page shows the list of configuration options that must be synchronized between the Enterprise App and the SSO Config:
Leave this page open for now while you create the Cerberus FTP Server SSO Configuration.
Create the Cerberus FTP Server SSO Configuration (SSO Config)
- In the Cerberus Admin Console, click the SSO Users item from the left navigation bar:
- Click the New SSO button:
- In the Add a New SSO Configuration dialog, enter a descriptive name and click the Add button. When configuration is complete, this name will appear as an SSO option on the Cerberus FTP Server login page. Choose a name that your end-users will recognize and understand:
- Click the SSO Configuration tab. This displays configuration options that must be synchronized between the Enterprise App and the SSO Config:
Combined Configuration of the Enterprise App and the SSO Config
The following configurations must be changed in both the Enterprise App and the SSO Config:
- Entity ID
- Reply URL
- Add Group Membership Claim
- Signing Certificate
- Login URL, Azure AD Identifier, and Logout URL
The Entity ID is a simple string that identifies the Enterprise Application. It must be unique among all applications in the Azure AD directory. Cerberus FTP Server must be informed of its value to validate SAML messages.
- In the Enterprise App, set the Identifier (Entity ID) to a descriptive name that is unique within your Azure AD directory. Azure AD rejects IDs containing space characters or resembling GUID values. Duplicate this name in the SSO Config under Basic SAML Configuration -> Entity ID:
The Reply URL is the URL that Azure AD uses to send SAML messages. This URL must be routed to a Cerberus FTP Server HTTPS Listener.
- In SSO Config, create at least one Reply URL. The URL must be accessible to Azure AD and end in /saml/acs. It must route to an active HTTPS Listener in Cerberus FTP Server.
A pull-down populated with known external host names is provided. Select a host name, choose an external port, and click the plus (+) button:
You may edit the resulting URL, should the desired hostname or port number be incorrect. The URL must, however, end in /saml/acs to function correctly.
- Repeat the above step for every hostname and port combination you expect your SSO users to access:
- Replicate each Reply URL from the SSO Config to the Enterprise App:
- Click Save in the Enterprise App, and close the editing pane. If prompted to test, click No, I’ll test later:
Group Membership Claim
To map virtual directories and permissions during SSO authentication, Azure AD must inform Cerberus FTP Server of the user’s group membership. This information is not provided by Azure AD’s default configuration, so it must be added explicitly.
Azure AD allows you to choose the scope of group membership it shares with Cerberus when SSO authentication takes place. In the example below, we’ve chosen the most conservative option, “Groups assigned to the application”. Choose the right option for your own environment.
- In the Enterprise App, under the Attributes & Claims heading, click the Edit button:
- In the subsequent Attributes & Claims page, click the Add a group claim button:
- In the subsequent Group Claims dialog, choose Groups assigned to the application, with Source Attribute set to Group ID and click the Save button:
Update Claims to Use ‘localuserprincipalname’ Property
SSO users are identified in different ways by Azure AD depending on where they originate from. This inconsistency hinders Cerberus FTP Server’s ability to enforce access policies correctly. Using the “localuserprincipalname” property to identify SSO users ensures that all types of SSO users have consistent naming.
- Under Attributes & Claims click the Unique User Identifier (Name ID) item:
- In the subsequent Manage claim dialog, change the Source attribute from user.userprincipalname to user.localuserprincipalname and click Save.
- Back in Attributes & Claims click the item labeled http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Again, in Manage claim, change the Source attribute from user.userprincipalname to user.localuserprincipalname and click Save.
Claims & Attributes should look like this after the above changes:
Synchronize User Attributes
Azure AD allows customization of the User Attributes asserted in the SAML message. Cerberus FTP Server version 13.1 and later allow the user attributes in the SSO Config to be configured to match any settings required by the Enterprise App. In the SSO Config, see the Attributes & Claims section:
These fields are pre-populated with the Azure AD default values. In rare cases, the SSO Config may need to be modified to match settings in the Enterprise App.
Signing Certificate
Cerberus FTP Server requires that SAML SSO messages be signed by a trusted source, so it must be provided with the Token signing certificate generated by Azure AD. Additionally, Azure AD must be instructed to sign both Responses and Assertions, as required by Cerberus FTP Server.
- In the Enterprise App, under the SAML Certificates heading, click the Edit button:
- The SAML Signing Certificate dialog should appear. Click the Signing Option pull-down and select Sign SAML response and assertion:
- Click the … button beside the Active certificate and choose Base64 certificate download.
- Save the certificate and note its location for later:
- Click the Save button on the SAML Signing Certificate editor.
- Back in the Cerberus SSO Config click the Upload button in Basic SAML Configuration -> Certificate:
- Choose the previously saved certificate. The Certificate field will expand to display certificate information. Confirm that the Thumbprint matches the active certificate in the Enterprise App in step #4 above.
At the end of these steps, the SAML-based Sign-on summary page should have the following changes:
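The values exchanged in the Entity ID, Reply URL and Signing Certificate steps above are easy to mistype, so here is a small pre-flight checker for them. It is an added example, not code from Cerberus FTP Server or Azure AD: it enforces the constraints the guide states (no spaces or GUID-like Entity IDs, HTTPS Reply URLs ending in /saml/acs, and a downloaded Base64 certificate whose SHA-1 thumbprint matches the portal), and the SAMPLE_PEM body is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Matches the 8-4-4-4-12 hex form that Azure AD rejects as an Entity ID.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed stand-in: the body decodes to b"abc", not to a real DER certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def check_entity_id(entity_id: str) -> list[str]:
    """Return the problems with an Entity ID (an empty list means it is acceptable)."""
    problems = []
    if not entity_id:
        problems.append("Entity ID is empty")
    if " " in entity_id:
        problems.append("Entity ID contains a space character")
    if GUID_RE.match(entity_id):
        problems.append("Entity ID resembles a GUID")
    return problems


def check_reply_url(url: str) -> list[str]:
    """A Reply URL must route to a Cerberus HTTPS listener and end in /saml/acs."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append(f"{url}: scheme must be https (Cerberus HTTPS listener)")
    if not parsed.netloc:
        problems.append(f"{url}: missing host name")
    if not parsed.path.endswith("/saml/acs"):
        problems.append(f"{url}: path must end in /saml/acs")
    return problems


def pem_thumbprint(pem: str) -> str:
    """SHA-1 over the DER bytes of a Base64 (PEM) certificate, as uppercase hex like the portal."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()


def thumbprints_match(pem: str, portal_thumbprint: str) -> bool:
    """Compare with the portal value, ignoring case and the colons/spaces some tools insert."""
    return pem_thumbprint(pem) == re.sub(r"[^0-9a-fA-F]", "", portal_thumbprint).upper()


def preflight(entity_id: str, reply_urls: list[str], pem: str, portal_thumbprint: str) -> list[str]:
    """Run every check and collect the problems; an empty list means the values are consistent."""
    problems = check_entity_id(entity_id)
    for url in reply_urls:
        problems += check_reply_url(url)
    if not thumbprints_match(pem, portal_thumbprint):
        problems.append("certificate thumbprint does not match the Active certificate in the portal")
    return problems
```

Run preflight() with your own Entity ID, the full list of Reply URLs and the downloaded certificate text before you click Save on either side.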
Login URL, Azure AD Identifier, and Logout URL
These URLs are used by Cerberus FTP Server to validate SAML messages and begin login and logout processes with Azure AD.
- In the Enterprise App, under the heading Set up Application (heading number 4), copy Login URL, Azure AD Identifier, and Logout URL to corresponding fields in the SSO Config under Service Provider:
Complete SSO Config Settings
Set Default Mapping Configuration
The Default Mapping Configuration determines the basic set of permissions and directories for all users authenticating through this configuration.
For example, the configuration below assigns all users to the group Cerberus, LLC Users. Successfully authenticated SSO users will be granted the permissions and directories defined in the group:
Configure this area appropriately for your users.
Enable SSO Authentication
This opens up the SSO configuration to users. Cerberus will begin processing authentication requests for this configuration once the changes are saved.
Finally, the Save button commits the settings to Cerberus FTP Server.
Add Users and Groups to the Enterprise App
Before users may successfully SSO to Cerberus FTP Server, they must be granted access, either directly or through group membership. To do this, add users to the Enterprise App:
- In the Enterprise App, click the Users and groups item from the left navigation bar, then click the Add user/group button:
- Click the None Selected link in the subsequent Add Assignment dialog, then select the users and groups who should be granted access to Cerberus FTP Server. Click the Select button:
- Then click the Assign button to complete the operation.
Test Single Sign On
Open a browser to the external Cerberus FTP website. As long as one SSO Configuration is enabled, a Begin Single Sign On button will appear on the login page:
Click the button listing the name of the SSO Config you wish to log in with.
If the user is already authenticated by Azure AD in this browser session and they are allowed to access Cerberus FTP Server, the user goes directly to the Web Client console:
Otherwise, the user is redirected to Azure AD for authentication:
And after completing authentication, the user arrives at Cerberus FTP Server’s Web Client:
If you wish for all users to use the same configuration, you can stop here. However, if you wish to see the users you have configured for SSO and to allow user-to-group and group-to-group mappings, you must complete SCIM Provisioning next.