Contents

Introduction

Requirements

Setup Steps

  1. Get Token Signing Certificate
  2. Create a Single Sign On Settings set in your ezeep Portal
  3. Enter SAML Settings
  4. Create Relying Party Trust
  5. Configure Claim Rules
    5.1 Transform an incoming Claim (Email to NameID)
    5.2 Send LDAP Attributes as Claim (Important for group assignment)
  6. Set up groups in the ezeep Portal

User Sign-On

Introduction


SAML is today's standard for connecting the user management of a cloud service with a directory service. This manual describes the steps required to connect an ezeep account to a directory service such as ADFS, Azure Active Directory, Ping Identity, miniOrange and others. While the configuration details vary between them, the fundamental steps to connect are the same. The examples used here are based on Active Directory Federation Services.


Requirements


• ezeep administrator account
• administrator account for your directory service 

 


Setup Steps


1. Get Token Signing Certificate


First, we need to get the token-signing certificate from your ADFS server. We use it to validate that incoming security tokens were indeed created by your ADFS server and were not modified in transit. Microsoft states that the public/private key pairing is the most important validation mechanism.


To get your token-signing certificate, go to:


• ADFS Management on your ADFS server
• Under ADFS / Service / Certificates, double-click the value under Token-signing
• Under the “Details” tab, choose Copy to File... and export the certificate as Base-64 encoded X.509 (CER)
• Store the file securely; you will need to upload it to our Admin portal in a later step
 


screenshot: create token-signing certificate in ADFS


screenshot: export certificate


2. Create a Single Sign On Settings set in your ezeep Portal


• Log in to your ezeep account as administrator
• Click on your account (your email address / display name in the menu on the left)
• Under Single Sign On you will find the settings sets you have already created (there should be none yet)
• Click on “Add SSO” and choose SAML 2.0
• A new popup will open with the SAML settings

screenshot: access SSO setting in ezeep portal

3. Enter SAML Settings


Our SAML settings include all basic settings that you need to configure for SAML to work properly. Enter your specific information and remember to save the settings.


The following list describes each setting, with an example value:
 

Setting: Name (RENAME ME)
Description: This is the name under which we store this SAML settings set so you can find it. The name must be unique within your account.
Example: "ThinPrint Cloud SAML Settings"

Setting: Organization Identifier
Description: This is your Organization ID, which is unique across our whole solution. Each SAML settings set needs one Organization ID. When your users enter this Organization ID at https://accounts.ezeep.com/auth/signin/saml/ they will follow the SAML rule set that you define here and be forwarded to the corresponding Identity Provider Login URL.
Example: ThinPrintCloud

Setting: Entity ID
Description: The entity ID of your Identity Provider.
Example: http://adfsdc.cortsol.net/adfs/services/trust

Setting: Identity Provider Login URL
Description: This is the login URL of your identity provider, which in this case is your ADFS. When users enter your Organization ID (see above) they will be redirected to this URL.
Example: "https://adfsdc.cortsol.net/adfs/ls"

Setting: Login Binding type
Description: Pick a binding type for your login requests. This setting states how SAML request and response messages are mapped. We recommend the HTTP redirect method. Options:
  • HTTP Post
  • HTTP redirect
Example: Post: "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-POST"; Redirect: "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Setting: Identity Provider Logout URL
Description: This is the URL that we redirect the user to when the user actively logs out of a session in our portal.
Example: "https://adfsdc.cortsol.net/adfs/ls/?wa=wsignout1.0"

Setting: Logout Binding type
Description: Pick a binding type for your logout requests. This setting states how SAML request and response messages are mapped. We recommend the HTTP redirect method. Options:
  • HTTP Post
  • HTTP redirect
Example: Post: "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-POST"; Redirect: "urn:cortsol:names:tc:SAML:2.0:bindings:HTTP-Redirect"

Setting: Identity Provider Certificate (Base64 encoded)
Description: This is the token-signing certificate that we exported to a file in the first step, “Get Token-Signing Certificate”. You can upload it here for us to store securely.
Example:
"-----BEGIN CERTIFICATE-----
a++++R0XNd+bDaBH2Jqpdln0+//asdsa
dadasd=
-----END CERTIFICATE-----"



screenshot: configure ezeep SAML settings


4. Create Relying Party Trust


To set up ezeep as an application that your ADFS trusts, you need to create a Relying Party Trust on your ADFS. We provide a preconfigured XML file that contains all the information needed to configure your ADFS automatically. You can find it on the Single Sign On Settings screen after saving your first SAML settings set. You can either save the link to the XML settings (we will need it on the ADFS server later) or store the whole file in case your ADFS server does not have an internet connection.

screenshot: access relying party trust XML


On the ADFS server:
• Open your ADFS Management and go to Trust Relationships / Relying Party Trusts
• Add Relying Party Trust
• In the Wizard, you can import the data by entering the link that you saved from our portal or by pointing to the local XML file that you transferred to the server
• You can check the settings by continuing through the Wizard

screenshot: import relying party data to ADFS

screenshot: import relying party data from XML file

5. Configure Claim Rules


When a user arrives at our portal login with a SAML token, we evaluate certain attributes from the token and use them accordingly. These attributes need to identify the user and the ezeep groups the user should be a member of. This way we can make printers accessible to users directly, based on the groups and policies that exist in your ezeep portal.


Claim Rules are used to specify these attributes in the SAML tokens. Claim Rules map an attribute from your Active Directory user object to a key the ezeep service understands. For instance, you can choose which attribute you want to use to map your users to ezeep groups so ezeep can perform the assignment automatically when the user logs in.


ezeep looks for the following attributes:

Name: Name ID
Outgoing Claim Type: NameID
Required: Yes
Description: Needs to be in e-mail format. We use the NameID to identify a user.
Example: john@cortsol.net

Name: groups
Outgoing Claim Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Required: Required for users to print
Description: The strings in groups will be matched with the name strings of the groups that the admin created in our portal.
Example: cortsol.net\Domain Users

Name: First name
Outgoing Claim Type: first_name
Required: No, optional
Description: We display the first names in your users view so you can search for and filter users.
Example: John

Name: Last name
Outgoing Claim Type: last_name
Required: No, optional
Description: We display the last names in your users view so you can search for and filter users.
Example: McClane


At the end of the Relying Party Trust Wizard you can directly open the Edit Claim Rules dialog. You will need it to configure your user settings exactly the way you want them. You can also open the dialog by right-clicking the newly created Relying Party Trust for ezeep and clicking Edit Claims:


screenshot: open claim rules dialog

5.1 Transform an incoming Claim (Email to NameID)


The first rule must always set the identifier, as we require this attribute to identify a user. The identifier must be the user's e-mail address. For this you can use the claim rule template “Transform an Incoming Claim”:

screenshot: select the claim rule template


In the template, set the Incoming claim type to E-Mail Address and the Outgoing claim type to Name ID with E-Mail as the Outgoing name ID format. This takes the e-mail address attribute from your user and maps it to Name ID, so that we know this is the attribute where we find the user's e-mail address:

screenshot: configure transform claim rule

screenshot: check created claim rule 

5.2 Send LDAP Attributes as Claim (Important for group assignment)


As a next step, add another claim rule and choose the “Send LDAP Attributes as Claims” template:

screenshot: select LDAP claim template 

This opens a table where you pick the intended AD attribute on the left and specify the outgoing claim type on the right.


Your users always print according to the per-group rule sets that you configure in our ezeep portal. For us to assign them to the correct groups, you need to choose the LDAP attribute that you use for organizing your groups in your AD and map it to the outgoing claim type
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups :
 

screenshot: configure claim rule


screenshot: check created claim rules


6. Set up groups in the ezeep Portal


In the ezeep portal, users are organized in groups. Groups have policies applied to them, and policies define access to printers and printer features. For the groups and policy system to work properly, the ezeep group names have to be written in exactly the format that the LDAP group attribute selected in the claim rule of the previous step produces.


Here are a few examples of the format each AD attribute produces:

AD Attribute Name: Token-Groups - Qualified by Domain Name
Example: • cortsol\Domain Users

AD Attribute Name: Token-Groups as SIDs
Example: • S-1-5-21-1206454754-1378802883-1802596162-513

AD Attribute Name: Token-Groups - Qualified by Long Domain Name
Example: • cortsol.net\Domain Users

AD Attribute Name: Token-Groups - Unqualified Names
Example: • Domain Users

AD Attribute Name: Is-Member-Of-DL
Example: • CN=Guests,CN=Builtin,DC=cortsol,DC=net
         • CN=Users,CN=Builtin,DC=cortsol,DC=net


It is essential that you create the groups in the ezeep portal with exactly the same string that your AD sends. Our workflow is to take the SAML token, read the attribute “groups” and assign the user to the ezeep groups whose names match those strings exactly. The attribute can contain multiple groups; we try to match all of them against the ezeep groups. If a group string has no matching group in our portal, we simply ignore it.


This check is performed every time a user logs in with a SAML token. We clear the groups previously assigned to the user before assigning the groups found in the new SAML token, so that group changes take effect every time a user logs in with a new token. This ensures that groups the user was previously assigned to are unassigned as soon as they no longer appear in the SAML token.
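The claim evaluation described in step 5 and the group matching described above, as an added example that is not ezeep's or ADFS's code: it parses a constructed SAML assertion (signature check omitted), pulls the NameID and the attributes listed in step 5, and recomputes the group assignment by exact string match. The assertion, the portal group names and the user's previous assignment are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion. The XML signature is left out; a real token
# must be signature-checked against the token-signing certificate from step 1
# before any of its attributes are trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john@cortsol.net</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>cortsol.net\\Domain Users</saml:AttributeValue>
      <saml:AttributeValue>cortsol.net\\Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>McClane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return (name_id, attributes). Rejects a NameID that is not in e-mail
    format, since that is the identifier the portal requires."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in e-mail format")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id.text, attrs


def assign_groups(attrs, portal_groups):
    """Match every string in the groups claim against the portal's group names
    exactly (case and domain prefix included). Strings with no portal group are
    ignored. The result replaces the previous assignment; nothing is merged."""
    return {g for g in attrs.get(GROUPS_CLAIM, []) if g in portal_groups}


if __name__ == "__main__":
    user, attrs = extract_claims(SAMPLE_ASSERTION)
    # Constructed portal state: "Finance" does not exist yet, so it is ignored;
    # a previous "Marketing" membership is not in the token, so it is dropped.
    portal = {"cortsol.net\\Domain Users", "cortsol.net\\Marketing"}
    print(user, attrs["first_name"][0], attrs["last_name"][0])
    print(sorted(assign_groups(attrs, portal)))
```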

User Sign-On


After ezeep and the directory service are linked via SAML, users can simply go to portal.ezeep.com and click on “Sign in with Organization ID”, or go directly to https://accounts.ezeep.com/auth/signin/saml/

screenshot: sign in to ezeep with organization ID

They need to enter the Organization ID that you set as Organization Identifier in the ezeep portal.


screenshot: enter organization ID

Once they enter the ID, they will be redirected to the link you provided as Identity Provider Login URL.
 

screenshot: sign in with directory service


After successful authentication at your Identity Provider, they will be redirected to the portal and can print according to the groups that you set up.