Posted on: 24 Apr, 2019 Posted by: Foldr News
An Identity Provider that’s simple to configure and great to use but also supports advanced features like multi-factor authentication? That’s Foldr.
Like most people you probably know about the amazing things that Foldr can do with your files. But did you also know that Foldr can act as a Single Sign-On (SSO) Identity Provider (IdP), allowing your users to sign in once and access all of their on-premises and cloud-based web apps? In this article we’ll take a deep-dive into Foldr’s SSO features and show you how it can provide your users with secure access to all of your online applications…
Single Sign-On (from now on referred to as SSO) allows unrelated services to share a common authentication system. SSO systems are usually made up of two components: Service Providers (SPs) and Identity Providers (IdPs). Service Providers are the applications that require users to be authenticated before granting them access. Identity Providers are responsible for authenticating users and then returning those users to the Service Providers along with some form of “assertion” that they are indeed who they claim to be.
Since it is neither secure nor feasible to keep user accounts and their credentials synchronised across every application, Service Providers instead rely upon the Identity Provider to validate the user’s credentials.
An Identity Provider must host or connect to some form of database containing user account information and credentials. (Examples of these would be LDAP servers such as Microsoft Active Directory. Foldr is able to authenticate Active Directory users as well as host its own user database – more on this later.) Together the IdP and user database can provide something known as Identity as a service (IDaaS).
Ensuring that a user really is who they claim to be is vital to maintaining the security of an application – particularly if the application has handed the verification of its users off to a third-party IdP. Luckily there is a standard for doing this: the Security Assertion Markup Language (SAML). SAML defines a flow by which Service Providers and Identity Providers exchange messages in a known format to both authenticate users and assure the source and integrity of those messages. To do so, the messages sent between SPs and IdPs are digitally signed: each party shares its signing certificate with the other (typically via SAML metadata exchanged at setup time), signs its messages with the matching private key, and the recipient uses the certificate to verify that nothing has been tampered with in transit. These messages can also be encrypted, but since SPs and IdPs never transmit credentials – and rarely transmit sensitive information – between one another there is usually no need for this extra step. Bear in mind that assertions travel via the user’s browser, so if you do include sensitive attributes in them, assertion encryption is worth enabling.
There are two forms of SAML authentication flow – SP-initiated and IdP-initiated. With SP-initiated SSO the user begins at the Service Provider, is redirected to the IdP along with an authentication request and then, once successfully authenticated, is redirected back to the Service Provider with a signed assertion containing an identifying attribute (usually an email address or Active Directory UPN) and any other necessary user information. The Service Provider then validates the assertion using the IdP’s certificate and checks that it is addressed to that SP, is still within its validity window and answers the request the SP actually sent; if all is well, the user is considered authenticated.
IdP-initiated SSO starts at the Identity Provider – often from an app “dashboard” of some sort. In this scenario the IdP sends the user to the Service Provider along with an (unsolicited) assertion. Again the Service Provider performs validation on the assertion – there is no outstanding request to match it against, so it must rely on the signature, audience, validity window and one-time use of the assertion – and acts appropriately.
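The checks an SP has to make on a SAML Response in both flows above, as an added example that is not part of the original post and is not Foldr’s code. It assumes that XML-DSig verification of the assertion against the IdP’s certificate has already been done by an XML signature library, and covers the remaining checks that are easy to forget: status, destination, issuer, validity window with clock skew, audience, recipient, InResponseTo (required for SP-initiated, forbidden for IdP-initiated) and one-time use of the assertion ID. All URLs, entity IDs and the Response XML are constructed sample data.

```python
# Added example: post-signature validation of a SAML 2.0 Response at an SP.
# Assumes the XML-DSig signature has already been verified with the IdP's
# certificate; the URLs, entity IDs and XML below are constructed sample data.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    """The Response failed a check; the user is NOT authenticated."""


def _parse_time(value):
    # SAML dateTime values are UTC ('Z'), optionally with fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise SamlValidationError(f"unparseable timestamp {value!r}")


def validate_response(xml_text, *, sp_entity_id, acs_url, idp_entity_id,
                      expected_request_id, now, seen_assertion_ids,
                      skew=timedelta(seconds=120)):
    """Return {'name_id', 'attributes'} or raise SamlValidationError.

    expected_request_id: ID of the AuthnRequest this SP sent (SP-initiated),
    or None when accepting unsolicited IdP-initiated Responses.
    seen_assertion_ids: shared set used to reject replayed assertions.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("IdP did not report success")
    # Destination ties the Response to this SP's ACS endpoint.
    if root.get("Destination") not in (None, acs_url):
        raise SamlValidationError("Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second, unsigned assertion is a classic trick
        raise SamlValidationError(f"expected one Assertion, got {len(assertions)}")
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        raise SamlValidationError(f"unexpected issuer {issuer!r}")
    # Validity window, allowing a little clock skew between IdP and SP.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < _parse_time(nb):
        raise SamlValidationError("assertion not yet valid")
    if noa and now - skew >= _parse_time(noa):
        raise SamlValidationError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlValidationError(f"assertion not addressed to us: {audiences}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise SamlValidationError("missing SubjectConfirmationData")
    if scd.get("Recipient") not in (None, acs_url):
        raise SamlValidationError("Recipient is not our ACS URL")
    if scd.get("NotOnOrAfter") and now - skew >= _parse_time(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    # SP-initiated: InResponseTo must name the request we sent.
    # IdP-initiated: there was no request, so InResponseTo must be absent.
    irt = scd.get("InResponseTo")
    if expected_request_id is not None and irt != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    if expected_request_id is None and irt is not None:
        raise SamlValidationError("unsolicited Response carries an InResponseTo")
    # One-time use: an assertion ID we have already accepted is a replay.
    assertion_id = a.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed or missing ID")
    seen_assertion_ids.add(assertion_id)
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("missing NameID")
    attributes = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                  for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id, "attributes": attributes}


NOW = datetime(2019, 4, 24, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def sample_response(assertion_id="_a1", in_response_to="_req1",
                    not_before=NOW - timedelta(minutes=1),
                    not_on_or_after=NOW + timedelta(minutes=5),
                    audience="https://sp.example.org/metadata"):
    """Constructed, unsigned Response for demonstration only."""
    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://sp.example.org/acs" IssueInstant="{fmt(NOW)}">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{fmt(NOW)}">
    <saml:Issuer>https://foldr.example.org/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"
            NotOnOrAfter="{fmt(not_on_or_after)}"{irt}/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="displayName">
      <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check(xml_text, expected_request_id="_req1", seen=None):
    """Validate with this (constructed) SP's settings; 'OK:<NameID>' or 'REJECT:<reason>'."""
    try:
        r = validate_response(xml_text, sp_entity_id="https://sp.example.org/metadata",
                              acs_url="https://sp.example.org/acs",
                              idp_entity_id="https://foldr.example.org/idp",
                              expected_request_id=expected_request_id, now=NOW,
                              seen_assertion_ids=seen if seen is not None else set())
        return "OK:" + r["name_id"]
    except SamlValidationError as e:
        return "REJECT:" + str(e)


if __name__ == "__main__":
    print(check(sample_response()))                                       # SP-initiated, valid
    print(check(sample_response(in_response_to=None), expected_request_id=None))  # IdP-initiated
    print(check(sample_response(not_on_or_after=NOW - timedelta(minutes=10))))    # expired
```

In production, parse untrusted XML with a hardened parser (for example defusedxml) rather than the plain `xml.etree` used here, keep the signature check in a dedicated XML-DSig library, and make sure the signature covers the same `Assertion` element you then read the NameID from; the replay set needs to outlive a single request (a shared cache with entries expiring at `NotOnOrAfter` is the usual choice).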
Because SSO is used to connect unrelated systems, Service Providers need not maintain their own databases of users. Some are even able to automatically provision accounts based on the user information contained within a SAML assertion. However, other Service Providers such as Office 365 and Google G Suite require that an account already exist within their service before a user can successfully sign in via SSO. These services use the identifying attribute contained within the assertion to look up the user within their own databases.
Whilst SSO is designed to make life easier for users many Identity Providers are complicated to configure and difficult to use. Foldr is different…
Most organisations connect Foldr to their Active Directory and use that as their user database. Foldr also allows you to create and manage your users entirely within the Foldr server. Or you can mix and match to create a hybrid system. When connected to Active Directory, Foldr accesses it in real-time. There’s no syncing of users, no replication and no clunky CSV imports. Any changes in your directory are reflected instantly within Foldr. It’s this simplicity of setup and intuitive configuration that makes Foldr such a great IdP for you and your users.
Many Foldr admins are already familiar with Foldr’s web-based settings portal and with how easy it makes setup and administration; configuring Foldr’s IdP is no different. Service Providers can be added quickly and we include templates for many popular applications. Tapping in to Foldr’s existing granular permissions system, access to these applications can be restricted to specific users or groups within your organisation. Foldr users get a My Apps Dashboard which provides quick links to all of their connected services.
Since Foldr is responsible for the authentication you also get access to all of Foldr’s user-facing security benefits including Multi-Factor Authentication, password re-use checking and self-service password reset. Use an external application which doesn’t support Two-Factor Authentication? No problem! With Foldr as your IdP all of your services gain multi-factor authentication – provided each service is configured to require sign-in through the IdP rather than still accepting its own local passwords, which would otherwise bypass it.
And of course, all access through Foldr is logged so you’ll have a complete audit trail of who accessed what service when, where and on what.
Finally, with Kerberos support, Active Directory users on domain-joined workstations need never enter their password: their existing Windows logon signs them in to Foldr. Truly single sign-on!
Whether hosted on-premises or in the cloud, Foldr offers your organisation a feature-rich, intuitive and secure SSO solution.
If you’re already using Foldr then head over to our knowledge base to learn more about setting up Foldr as an IdP.