Configuring single sign-on (SSO)

Active Directory and LDAP single sign-on (SSO) with Syncplicity allows companies of any size to leverage their existing corporate directories and authentication systems to authorize employee access to Syncplicity. A Business Edition or Enterprise Edition account is required in order to turn on Single Sign-On with Syncplicity.

NOTE: The Syncplicity application supports only Service Provider initiated (SP initiated) SAML based SSO. It does not support Identity Provider initiated (IDP initiated) SAML based SSO.

The Syncplicity support for AD/LDAP SSO is built on top of the industry-standard SAML 2.0 protocol. This widely supported protocol enables federated authentication between SaaS applications, like Syncplicity, and on-premise directory systems, such as Active Directory and LDAP. The key to SAML-based federated authentication is the intermediary server, often referred to as the Identity Provider (IdP). The IdP speaks the SAML 2.0 protocol and services the actual authentication requests. It is usually hosted on-premise with direct access to the AD/LDAP directory for credential validation.
The end-to-end process can be roughly described as follows:

  • An unauthenticated user visits My Syncplicity or runs a Syncplicity client
  • Syncplicity redirects the user to the Identity Provider (i.e. SAML server)
  • The IdP prompts the user for credentials if it hasn’t received them already
  • The IdP validates the credentials with the AD/LDAP directory
  • The IdP redirects the user back to Syncplicity and validates the user
  • Syncplicity receives the assertion and logs the user in.

If the Identity Provider supports Windows Integrated Authentication (like Active Directory Federation Services 2.0) and the user was attempting to log in from an AD/LDAP-joined computer, the entire process takes place behind the scenes, unbeknownst to the user. In other cases, the IdP may prompt the user for their corporate credentials.
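The SP-initiated flow described above, written out as an added example with the Python standard library; this is illustration code, not Syncplicity's implementation. The IdP-side values are the ones this article gives as field examples (Entity Id https://idp.company.com/ and Sign-in page URL https://idp.company.com/idp/ls/); the SP-side entity id and assertion consumer URL are hypothetical. It builds the AuthnRequest, encodes it with the SAML HTTP-Redirect binding (raw DEFLATE, Base-64, URL-encode) for the redirect in step two, decodes it the way the IdP would, and finally runs the origin and freshness checks an SP applies to the returned Response in the last step. The sample Response is constructed and carries no signature; in a real deployment the signature is verified against the uploaded IdP certificate before any of these fields are trusted.

```python
"""SP-initiated SAML 2.0 login, illustrated end to end with the standard library.
Added example (not Syncplicity code): the service provider (SP) builds an AuthnRequest,
sends it through the HTTP-Redirect binding to the IdP sign-in page, and later checks
the origin and freshness fields of the IdP's Response."""
import base64
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# IdP-side values are the article's examples; SP-side URLs are hypothetical.
IDP_ENTITY_ID = "https://idp.company.com/"          # the "Entity Id" field
IDP_SIGNIN_URL = "https://idp.company.com/idp/ls/"  # the "Sign-in page URL" field
SP_ENTITY_ID = "https://sp.example.com"             # hypothetical SP entity id
SP_ACS_URL = "https://sp.example.com/saml/acs"      # hypothetical assertion consumer URL


def build_authn_request(request_id, issue_instant):
    """AuthnRequest XML the SP issues when an unauthenticated user arrives."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SIGNIN_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")


def redirect_url(authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SIGNIN_URL}?{query}"


def decode_redirect(url):
    """Undo the binding (what the IdP does on receipt) and return the key fields."""
    params = parse_qs(urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml_text)
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "relay_state": params["RelayState"][0]}


def _instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response_origin(response_xml, expected_request_id, now_utc):
    """Origin and freshness checks on the returned Response (now_utc in SAML time format).
    These complement, and never replace, verifying the XML signature with the IdP
    certificate uploaded in the console; an unsigned or badly signed response must be
    rejected before these fields are trusted."""
    root = ET.fromstring(response_xml)
    now = _instant(now_utc)
    problems = []
    if root.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        problems.append("Issuer is not the configured Entity Id")
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not this SP's ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding request")
    conditions = root.find(f".//{{{SAML}}}Conditions")
    if conditions is None:
        problems.append("assertion has no Conditions")
        return problems
    if now < _instant(conditions.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now >= _instant(conditions.get("NotOnOrAfter")):
        problems.append("assertion expired")
    if conditions.findtext(f".//{{{SAML}}}Audience") != SP_ENTITY_ID:
        problems.append("Audience is not this SP")
    return problems


# Constructed IdP response for the demo (no signature element; see the docstring above).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1"
  Version="2.0" IssueInstant="2024-05-01T12:00:05Z" Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@company.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    url = redirect_url(build_authn_request("_req1", "2024-05-01T12:00:00Z"), "/files")
    print(decode_redirect(url))
    print(check_response_origin(SAMPLE_RESPONSE, "_req1", "2024-05-01T12:01:00Z"))  # []
```

The InResponseTo check is what ties the Response back to a request this SP actually issued, which is why the page notes that only SP-initiated SSO is supported: an unsolicited (IdP-initiated) Response has nothing to match against. The NotBefore/NotOnOrAfter window is why clock drift between the IdP and the service shows up as sudden login failures after an otherwise correct configuration.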

In order to enable Single Sign-On for your company account, you need to have a Business Edition or an Enterprise Edition account. The prerequisites to enable AD/LDAP-based SSO for the account are as follows:

  • On-premise Active Directory or LDAP directory service.
  • SAML 2.0-compatible Identity Provider service.
  • Custom branded domain for My Syncplicity (web interface).
  • Sign-in page URL on the Identity Provider used.
  • Public certificate of the Identity Provider used.

Now you are ready to configure SSO with the Syncplicity application. The SSO configuration screen is accessible by logging into the Syncplicity application with an admin account in the admin console. Under admin, click the settings link.

Perform the following steps to configure the Syncplicity application for SSO:

  1. Ensure your user identities are provisioned in an identity provider solution that supports SAML 2.0.
  2. Ensure that you have used the Syncplicity administration console to create all the users who will use the Syncplicity service.
  3. Configure a custom domain; see information below on custom domain.
  4. On the Custom domain and single sign-on page under settings in the Syncplicity administration console, select the Enabled radio button under Single Sign-on Status.
  5. Type the Entity ID provided by your SSO identity provider into the Entity Id field.
  6. Type the URL for the Syncplicity application sign-in page provided by your SSO identity provider in the Sign-in page URL field.
  7. Optionally, enter the URL to which users will be taken when they log out of the Syncplicity web application. This should not be the Syncplicity custom domain URL.
  8. Click the Choose File button next to the Identity Provider Certificate field and select the certificate file provided by your SSO identity provider.
  9. Optionally, type the IP address network masks for SSO in the Single Sign-On Network Mask field.
  10. Optionally, check the Enable Silent Onboarding checkbox. Selecting this checkbox auto-activates Syncplicity users when they first authenticate to the SSO identity provider, and suppresses the sending of a Syncplicity Welcome/Activation email to your corporate users.
  11. Click SAVE CHANGES.

Sample Single-Sign-On configuration

The parameters to be configured, with a description of each, are as follows.
Custom Domain (Required)

The Custom Domain field allows administrators to specify the unique URL that they and their users will use when visiting the My Syncplicity website. In addition to branding benefits, this URL allows the Syncplicity application to immediately determine the company account the user is attempting to log into and redirect the user to the Identity Provider configured for said account. If users forget to navigate their browsers to the company’s custom domain, login is still possible; the Syncplicity application will simply require that the users type in their corporate email address first. The email address is then used to look up the company account.

Single Sign-On Status (Required)

The Single Sign-On Status field allows administrators to quickly enable or disable AD/LDAP SSO on their account. It is especially useful when SSO is being configured. An administrator can fill out and verify all the required fields before officially enabling SSO for their account. This can also be a quick way to disable SSO without losing all the settings that were already configured.

Entity Id


The Entity Id field is optional and further identifies the identity provider used for authentication. Some SAML 2.0-providers require it and, when entered, the Syncplicity application uses it when creating and validating SAML requests and responses.

Example: https://idp.company.com/

Sign-In Page URL (Required)

The Sign-In Page URL field represents the address where the Identity Provider users are redirected for authentication purposes. This URL can be obtained from the Identity Provider.

Example: https://idp.company.com/idp/ls/

Logout page URL

The Logout Page URL field represents the address where users are redirected after they log out of the Syncplicity account. The My Syncplicity URL at https://my.syncplicity.com (or https://eu.syncplicity.com for companies in the EU PrivacyRegion) can be used freely if another custom or specific URL is unavailable or unnecessary.

Identity Provider Certificate (Required)


The Identity Provider Certificate field is used to upload the public key of the signing certificate used by the Identity Provider. SAML requires that Identity Providers cryptographically sign their SAML assertions (containing confidential user identity information). The Syncplicity application validates the signatures to confirm that the assertion came from a trusted source; that is, the configured Identity Provider. The public key provided in this field is used to perform the validation.

Click the Choose File button to pick a Base-64 encoded X.509 certificate (usually with a .PEM or .CER file extension) on your computer. Once uploaded, the Syncplicity application displays information about the certificate underneath the form field.
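Format checks an administrator (or a console) can run on the certificate file before uploading it, as an added example that is not Syncplicity code. A common mistake is exporting the private key, a binary DER file, or a whole chain instead of the single Base-64 encoded X.509 certificate the field expects; these checks catch that and a truncated upload by decoding the PEM body and comparing the outer DER SEQUENCE length with the file. The sample body is a constructed placeholder (a DER SEQUENCE containing INTEGER 1), not a real certificate. The checks say nothing about whether the certificate is the IdP's signing certificate; that is established by the signature validation described above.

```python
"""Format checks for the file uploaded in the Identity Provider Certificate field,
as an added illustration (not Syncplicity code). They only confirm that the file is
one Base-64 encoded X.509 certificate; whether it is the IdP's signing certificate
is proven by the SAML signature validation described in the article."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _der_header(der):
    """Return (header_length, declared_length) of the outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = ASN.1 SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2, first
    n = first & 0x7F                            # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_idp_certificate_pem(text):
    """Return a list of problems with the uploaded text; an empty list means it
    looks like a single PEM certificate with a well-formed DER body."""
    problems = []
    if "PRIVATE KEY" in text:
        return ["file contains a private key, not the public certificate"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no BEGIN/END CERTIFICATE block found (file may be binary DER)"]
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} certificates found; upload only the IdP signing certificate")
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["certificate body is not valid Base-64"]
    header = _der_header(der)
    if header is None:
        return problems + ["decoded body does not start with a DER SEQUENCE"]
    header_len, declared = header
    if header_len + declared != len(der):
        problems.append("DER length does not match the file: truncated or has trailing data")
    return problems


# Constructed placeholder body: DER SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(check_idp_certificate_pem(SAMPLE_PEM))  # []
```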

Single Sign-On Network Mask


The Single Sign-On Network Mask contains an IP address, set of IP addresses, or an IP address range. Users must be connected from one of those addresses in order to be redirected to the Identity Provider. This security feature limits access to the Identity Provider and thus access to the Syncplicity account, which may be desirable in certain high-security environments. On the other hand, it has the side effect of disallowing users from accessing their data wherever they may be – a potentially undesirable limitation of the service.

The field accepts comma separated values in CIDR notation. More information about the CIDR notation is available at: http://en.wikipedia.org/wiki/Subnetwork.

Example: 192.168.0.0/24, 10.1.0.0/16
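How the network mask is evaluated, as an added example that is not Syncplicity code: the comma-separated CIDR list is parsed with Python's ipaddress module, each token is validated strictly so that a host address typed by mistake (such as 192.168.0.1/24) is reported rather than silently widened to its network, and a client address is allowed through to the Identity Provider redirect only if it falls inside one of the networks. The example uses the article's sample value 192.168.0.0/24, 10.1.0.0/16; the client addresses are constructed.

```python
"""Evaluation of the Single Sign-On Network Mask field, as an added illustration
(not Syncplicity code): parse the comma-separated CIDR list and decide whether a
client address is inside it."""
import ipaddress


def validate_network_mask(field_value):
    """Return a list of error strings for tokens that are not valid CIDR networks.
    Strict parsing: a network with host bits set (e.g. 192.168.0.1/24) is reported,
    because it usually means the administrator typed a host address by mistake."""
    errors = []
    for token in (t.strip() for t in field_value.split(",") if t.strip()):
        try:
            ipaddress.ip_network(token)
        except ValueError as exc:
            errors.append(f"{token}: {exc}")
    return errors


def parse_network_mask(field_value):
    """Parse the field into ip_network objects; raises ValueError on a bad token."""
    return [ipaddress.ip_network(t.strip())
            for t in field_value.split(",") if t.strip()]


def sso_redirect_allowed(client_ip, networks):
    """True if the client is inside at least one configured network.
    An empty list means no mask is configured, so every address is allowed.
    client_ip must be the real source address as seen by the service; if a proxy
    or load balancer sits in front, take it from that layer, never from the request body."""
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)  # v4 address in v6 network is simply False


if __name__ == "__main__":
    nets = parse_network_mask("192.168.0.0/24, 10.1.0.0/16")  # the article's example value
    for ip in ("192.168.0.77", "192.168.1.5", "10.1.200.3", "8.8.8.8"):
        print(ip, sso_redirect_allowed(ip, nets))
    print(validate_network_mask("192.168.0.1/24, 10.1.0.0/16, not-an-address"))
```

Because the decision is made on the address the service sees, users on a VPN or behind a corporate proxy appear with that egress address, which is the one to list; remote users on other networks are not redirected at all, which is the trade-off the paragraph above describes.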

When your users access the Syncplicity account using desktop or mobile clients with Log in using corporate account selected, or when your users go to your company's Syncplicity custom domain URL, they are redirected to the SSO identity provider login page to authenticate using their corporate credentials before being provided access to the Syncplicity service.

Enable Silent On-boarding

During the SSO configuration, you can opt to enable silent onboarding. When silent onboarding is enabled, end-users do not receive any welcome or activation email. If you wish to send communications to all users with information about their Syncplicity account, this communication must be handled outside of the Syncplicity application. In addition, the user accounts are automatically activated upon creation, which removes an additional step users would otherwise have to take before they can begin using the Syncplicity account.

Sign In using SSO (My Syncplicity)

Once SSO is configured, users can log in to the Syncplicity account using SSO. There are two ways to sign into My Syncplicity with AD/LDAP credentials.

The preferred and recommended way is for users to visit the custom domain their administrator configured on their account. For example, when unauthenticated users visit http://530howard.syncplicity.com, from the sample configuration above, the Syncplicity application automatically redirects them to https://secure.530howard.com/adfs/ls/ for authentication. Furthermore, if the Syncplicity application redirects the user to a SAML server that supports Windows Integrated Authentication and the user is on an AD/LDAP-joined computer, the authentication process happens automatically in the background and the first page the user sees is My Syncplicity.

Alternatively, users can continue to log in from the default My Syncplicity login page at https://my.syncplicity.com (or https://eu.syncplicity.com for companies in the EU PrivacyRegion).  

If a user clicks the Login with another account link then types in the corporate email address and clicks Log in, the Syncplicity application looks up the user’s company and its configured SAML server based on the email address the user typed in. It will then redirect the user to the correct SAML server and proceed as normal. 

Note that all of the Syncplicity clients provide SSO login for users, including the desktop clients. End-users can visit the Getting Started page to begin using the Syncplicity client applications.

NOTE: Each time Mac desktop users reboot their systems, they will be prompted by Keychain Access to provide the Active Directory password for the Syncplicity app. In addition, when Mac users change their Active Directory password, they will need to provide the older password the first time they are prompted by Keychain Access.
