Configuring SAML Authentication with Microsoft Entra ID

Directory Server supports SAML 2.0 tokens. Add a SAML identity provider on the Directory Server administration site. This process lets you import SAML metadata and configure claim mappings for single sign-on support.

The instructions in this document focus on configuring Directory Server with Microsoft's implementation of SAML 2.0 in Microsoft Entra ID.

Configuration Steps

Configuring Entra ID to authenticate to Directory Server with SAML is a multi-stage process.

  • Stage 1: Configure a Directory Server STS site.
  • Stage 2: Create your Entra ID enterprise application.
  • Stage 3: Configure Directory Server with the metadata from Entra ID.
  • Stage 4: Provide Entra ID with metadata from Directory Server.
  • Stage 5: Register users in Entra ID and Directory Server.

When configuration is complete, you can test your single sign-on configuration.

Stage 1: Configure an STS Site for SAML Authentication

Configure at least one Directory Server STS site for SAML identity providers to authenticate to.

  1. On the Directory Server administration site, navigate to Settings.
  2. Select the STS Sites tab.
  3. Select + STS Site.
  4. Specify a Display name for the site.
  5. Specify the SAML endpoint for the site. The field provides a sample format for your reference.

    Note: This value must match what you configure in the Reply URL option in the Entra ID enterprise application’s basic SAML configuration page.

  6. Optionally, click Add host name to specify the host name of the STS machine. If your STS instance host has a different public DNS name, you must specify the internal host name. Your host name should be in the format host.domain.com.

Stage 2: Creating Your Entra ID Enterprise Application

The first stage of configuring Entra ID for single sign-on with Directory Server using SAML involves creating an enterprise application in the Microsoft Entra admin center and obtaining a metadata file for that application.

Creating an Entra Enterprise Application

  1. Sign in to the Microsoft Entra admin center.
  2. View the list of Enterprise applications.
  3. Select New application at the top of the main pane.
  4. Choose to create your own application and select the Custom Non-gallery option.
  5. View the Single sign-on configuration page.
  6. Select SAML as your authentication method.
  7. Edit Basic SAML Configuration:
    • Specify temporary placeholder values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
  8. Edit Attributes & Claims.

Creating Claim Mappings

Directory Server supports several pre-defined claims. View your Entra ID single sign-on configuration to find the corresponding claim or add custom claims.

Viewing and Adding Claims in Azure AD

  1. In the Entra ID admin center, navigate to your SAML single sign-on application and open its Single sign-on configuration page.
  2. You can view existing attributes and claims in the User Attributes & Claims section of the configuration page.
  3. To edit or add claims, click the Edit button. Take note of the data in the Claim name column. These are the values you would enter in the Directory Server administration site for claim mappings.
  4. Click Add new claim to specify a new claim.
  5. In the Manage user claims dialog box, enter an attribute name under Name.
  6. Under Source attribute, select or type a value for the attribute.
  7. Click Save. You can now map that attribute to user attributes in Directory Server.
  8. To edit an existing claim, click on that claim. The Manage user claims dialog box will appear.
  9. Edit the fields in the Manage user claims dialog box and click Save when you’re done.

Adding Claim Mappings in Directory Server

  1. On the Directory Server administration site, navigate to Settings, then Identity Providers.
  2. Select the identity provider that corresponds to your Azure AD identity provider.
  3. Open the Claims tab in the main pane.
  4. Enter the values of the Azure AD user attributes you want to map to Directory Server user attributes. These should be taken from the Claim name column in the Azure AD interface described earlier.
  5. Click Save.

Stage 3: Adding a SAML Identity Provider in Directory Server

Carry out these instructions after first creating your Azure AD application.

If you have multiple licensing sites attached to your Directory Server instance, you must specify a default licensing site for single sign-on purposes. Manually edit the LFDS.exe.config file in the Directory Server installation folder to add a default licensing site. In the <appSettings> block, insert the following line:

<add key="DefaultRealm" value="SampleLicensingSiteName" />

After saving your change, restart the Directory Server service.

  1. Open the Laserfiche Directory Server administration site and select your licensing site.
  2. View the Settings tab.
  3. Click the Identity Providers secondary tab.
  4. Use the +Identity Provider button to open the New Identity Provider page.
  5. Under Name, specify a display name for the identity provider.
  6. Under Identity Provider Type, select SAML identity provider.
  7. Optional: Under Host, type the URL of your SAML identity provider host, using its fully qualified domain name. The format is https://DirectoryName.onmicrosoft.com.
  8. Select Enable SAML authentication.
  9. Import the metadata file that you had downloaded from Entra ID. Once you’ve selected the file and clicked Import Metadata, Directory Server will attempt to automatically extract the issuer, endpoint, endpoint binding type, and certificate values from the metadata file.

    Note: You can also manually type in values for Issuer, Endpoint, and Endpoint binding type, and manually select a certificate. The values and certificate files can be found in the Entra ID admin center.

  10. For the Name ID format, the default value is:

    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  11. For the Authentication context, the default value is:

    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  12. Optional: If the selected certificate's issuer is not in the machine's trusted root store, you can choose to Ignore certificate chain validation. If you leave chain validation on, the certificate's issuer chain must contain at least one issuer in the machine's trusted root store.
  13. Optional: If you turn on the Sign authentication request option, you must provide the appropriate certificate information. The selected certificate must contain the private key used to sign the request.
  14. Optional: Enter the Name, Display name, and URL for your service provider organization.
  15. Click Save, then continue with Stage 4 to provide Entra ID with Directory Server's metadata.

Stage 4: Providing Directory Server Metadata to Azure AD

After you’ve created an Azure AD application and used its metadata to create a SAML identity provider in Directory Server, you can return to the Azure AD application configuration page to enter more configuration details.

Extracting metadata from Directory Server

By extracting Directory Server’s metadata, you can quickly configure Azure AD by uploading an XML file.

  1. On the Directory Server administration site, navigate to Settings.
  2. Select Identity Providers.
  3. In the left pane, select your newly created SAML identity provider.
  4. Click the Generate Service Provider Metadata button at the top of the page.
  5. Select an expiration date for the metadata and click OK.
  6. Follow the next steps to complete your Azure AD application configuration.

Uploading the metadata to Azure AD

  1. Back in the Azure AD single sign-on configuration page, locate the Basic SAML Configuration section. Click the Edit icon.
  2. Click Upload metadata file.
  3. Browse for the XML file you had downloaded from Directory Server. Select it and click Upload. Azure will now fill the Identifier and Reply URL fields based on the file’s contents.
  4. Click Save at the top of the single sign-on configuration page.

Stage 5: Register Users in Entra ID and Directory Server

Before you verify a successful configuration, you’ll have to add at least one user to your Azure AD application. You’ll also have to register that user account in Directory Server and ensure it has the appropriate licenses for the Laserfiche applications it needs to access.

Adding a user to the Azure application

  1. In the left pane of the application page, select Users and groups.
  2. Select Add user.
  3. Browse for users in the ensuing dialog. Select the desired users, then click Select at the bottom of the page.
  4. Click Assign. If the assignment is successful, you’ll see the users you added in the Users and groups page.
  5. Follow the next steps for adding an Entra ID user to Directory Server.

Adding an Entra ID user to Directory Server

This is the final step you’ll need before you can test your application.

Note: You can also import users in bulk in a CSV file.

  1. On the Directory Server administration site, navigate to Accounts.
  2. Click + Users and select SAML User.
  3. Optional: Select the user’s Organization and Group.
  4. Under Identity Provider, select the SAML identity provider.
  5. Under User name, enter the user name that you want the user to appear under in Directory Server. This does not have to match their user name in Azure AD.
  6. Under SAML Name ID, enter the user’s Azure username. The format would be name@directory.onmicrosoft.com.
  7. Optional: Fill in the other fields under User Information. If you want to test your SAML authentication setup, ensure that you select a valid license for the user.
  8. Click Finish at the bottom of the page.

Testing your application

After you’ve added users to both your Azure AD application and Directory Server, you can test SAML authentication from Azure AD to Directory Server.

  1. In the Azure portal, navigate to your application’s page. Select Single sign-on in the application’s left pane.
  2. Under step 5 in the main pane, click Test. If your configuration was correct, you’ll see a success message.

    Note: It is normal to receive both a successful authentication message, and a message that no landing page has been configured. You’ll still be able to sign in to Laserfiche applications.

  3. You can further test the authentication by using one of the Azure AD users registered to the application to sign in to a Laserfiche application. Before you do this, ensure that the Laserfiche application is properly configured to use Directory Server authentication, and that the Azure AD user is also registered and licensed under Directory Server.
    1. On the Laserfiche application’s sign-in page, select (SAML) IdentityProviderName. If your configuration was correct, you’ll be redirected to an Azure page to sign in.
    2. Sign in with the appropriate Azure AD credentials and check that you authenticate successfully to the Laserfiche application.

If you are unable to sign in successfully with SAML, see Microsoft’s advice on debugging SAML-based single sign-on. In addition, check that your user account is licensed in Directory Server for the specific Laserfiche application you’re trying to sign in to.

General SAML Compatibility Information

Supported SAML Bindings

  • HTTP Redirect (GET) Binding
  • HTTP POST Binding

Directory Server Metadata Import

  • The import process does not support polling or signature verification.
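The automatic extraction described in Stage 3 step 9, together with the import limitations above, can be illustrated with a small parser. This is an added example and not Directory Server's own import code: it reads constructed Entra ID-style metadata (placeholder tenant id, certificate and signature), pulls out the issuer, the endpoints whose binding Directory Server supports, and the signing certificates, and records that a signature present in the file is not verified by the import.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The only bindings Directory Server supports (see "Supported SAML Bindings").
SUPPORTED_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect (GET)",
                      "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST"}
# Constructed sample in the shape of an Entra ID federation metadata export; the
# tenant id is all zeros and the certificate and signature values are placeholders.
TENANT = "00000000-0000-0000-0000-000000000000"
SSO = f"https://login.microsoftonline.com/{TENANT}/saml2"
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{TENANT}/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignatureValue>PLACEHOLDER</SignatureValue></Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{SSO}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{SSO}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="{SSO}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_idp_settings(metadata_xml):
    """Return the issuer, endpoints and signing certificates that the Directory
    Server import reads, plus review notes for the administrator."""
    root = ET.fromstring(metadata_xml.strip())
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    endpoints, unsupported = [], []
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = sso.get("Binding")
        if binding in SUPPORTED_BINDINGS:
            endpoints.append((SUPPORTED_BINDINGS[binding], sso.get("Location")))
        else:
            unsupported.append(binding)
    if not endpoints:
        raise ValueError("no SingleSignOnService uses a supported binding")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    notes = []
    if root.find("ds:Signature", NS) is not None:
        # The import does not verify metadata signatures, so a signed file is not
        # proof of origin; trust rests on downloading it from the admin center.
        notes.append("metadata is signed but the signature is not verified on import")
    if unsupported:
        notes.append("ignored unsupported bindings: " + ", ".join(unsupported))
    return {"issuer": root.get("entityID"), "endpoints": endpoints, "certificates": certs, "notes": notes}
```

Because the import trusts whatever the file says, obtain the metadata directly from the Entra admin center over an authenticated session and compare the extracted issuer and endpoint against the tenant you expect before saving.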

Directory Server Metadata Export

  • The metadata export process does not automatically detect the SAML protocol endpoints.
  • The metadata exchange endpoint is not supported.
  • The process does not support signatures.

Unsupported and Partially Supported Attributes

  • Subject: Directory Server assumes that the target identity provider prompts for the subject.
  • NameIDPolicy: Partial support. Only the format can be specified. Default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • RequestedAuthnContext: Partial support. Only a single authentication context class with comparison "exact" is allowed. Default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • Conditions
  • Scoping
  • ForceAuthn
  • IsPassive
  • AssertionConsumerServiceIndex
  • AssertionConsumerServiceURL: The identity provider should use the AssertionConsumerService element in the metadata file.
  • ProtocolBinding
  • AttributeConsumingServiceIndex
  • ProviderName