Configure Advanced SSO options in Laserfiche Cloud
- Click Show advanced options to see advanced options.
- These are the default advanced settings.
- Enable IDP-initiated login flow: Specify Yes for this feature to allow a user to sign in to Laserfiche from the identity provider's portal. Laserfiche Cloud uses the same Assertion Consumer Service URL for both SP-initiated and IDP-initiated login flows. The Assertion Consumer Service URL is shown on the Service Provider information page.
- Minimum signing algorithm strength: Specify the minimum signing algorithm strength for the SAML response sent to Laserfiche from your identity provider. It is recommended to use RSA-SHA256. A SAML response signed with a weaker algorithm will be rejected.
- Sign outbound requests: Specify whether the AuthnRequest sent by Laserfiche to your identity provider should be signed.
- Force Authentication: Specify whether the Laserfiche SAMLRequest will require new authentication even if the user has an active session in the identity provider. Some identity providers may not allow this as an option.
- Validate IDP certificate: Specify whether Laserfiche should validate that the identity provider's signing certificate is publicly trusted. This may not be necessary in most cases, since SAML deployments typically exchange certificates directly instead of relying on the public certificate infrastructure.
- User identifying attribute: By default, Laserfiche uses the NameID attribute from the SAML response to identify the user. You can customize which attribute is used to identify the Laserfiche user.
- Click Register to finish.
The default setup for Active Directory Federation Services (AD FS) requires you to configure a customized attribute. To do this:
- Next to User identifying attribute, select Use customized attribute.
- Next to Customized user identifying attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn to use the typical user principal name (upn) claim, or enter a different claim your organization uses.
- Click Save.
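The following Python pre-flight check is an added example, not Laserfiche code. It reads a decoded SAML response and reports whether the declared signing algorithm meets the minimum strength and whether the chosen user identifying attribute (NameID or the UPN claim) is present. The function names, the strength ranking and the sample response are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Assumed ranking of W3C XML Signature algorithm URIs; anything not listed
# ranks 0 and is reported, so extend the table for ECDSA or RSA-PSS.
STRENGTH = {RSA_SHA1: 1, RSA_SHA256: 2,
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": 3,
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": 4}
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

def preflight(response_xml, minimum=RSA_SHA256, user_attribute=None):
    """Return (problems, user_id); reads declared values, verifies no signature."""
    root = ET.fromstring(response_xml)
    problems = []
    methods = root.findall(".//ds:SignatureMethod", NS)
    if not methods:
        problems.append("response is not signed")
    for method in methods:
        alg = method.get("Algorithm", "")
        if STRENGTH.get(alg, 0) < STRENGTH[minimum]:
            problems.append("signing algorithm below minimum: " + alg)
    if user_attribute is None:  # default setting: identify the user by NameID
        node = root.find(".//saml:Subject/saml:NameID", NS)
    else:  # customized attribute: first Attribute whose Name matches
        node = next((a.find("saml:AttributeValue", NS)
                     for a in root.iter("{%s}Attribute" % NS["saml"])
                     if a.get("Name") == user_attribute), None)
    user_id = (node.text or "").strip() if node is not None else ""
    if not user_id:
        problems.append("user identifying value missing: " + (user_attribute or "NameID"))
    return problems, user_id

def sample(alg, with_upn=True):
    """Constructed response skeleton for the demo, not real IdP output."""
    attr = ('<saml:AttributeStatement><saml:Attribute Name="%s">'
            '<saml:AttributeValue>alice@example.com</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement>' % UPN_CLAIM)
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            ' xmlns:saml="%s" xmlns:ds="%s"><saml:Assertion><ds:Signature>'
            '<ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo>'
            '</ds:Signature><saml:Subject><saml:NameID>opaque-id-123</saml:NameID>'
            '</saml:Subject>%s</saml:Assertion></samlp:Response>'
            % (NS["saml"], NS["ds"], alg, attr if with_upn else ""))

if __name__ == "__main__":
    print(preflight(sample(RSA_SHA1), user_attribute=UPN_CLAIM))
```

Run it against a response captured from a test sign-in before registering the identity provider. An empty problem list means the declared algorithm and identifier match the settings chosen above.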