Syncplicity Support

Search our knowledgebase to get the help you need, today

Follow

Configuring single sign-on (SSO)

Active Directory and LDAP single sign-on (SSO) with Syncplicity allows company administrators to leverage their existing corporate directories and authentication systems to authorize employee access to Syncplicity. 

IMPORTANT: The Syncplicity application supports only service provider initiated (SP initiated) SAML based SSO. It does not support identity provider initiated (IDP initiated) SAML based SSO.

The Syncplicity support for AD/LDAP SSO is built on top of an industry-standard SAML 2.0 protocol. This widely supported protocol enables federated authentication between SaaS applications, like Syncplicity, and on-premise directory systems, such as Active Directory and LDAP. The key to SAML-based federated authentication is the intermediary server, often referred to as the identity provider (IdP). The IDP speaks the SAML 2.0 protocol and services actual authentication requests. It is usually hosted on-premise with direct access to the AD/LDAP directory for credential validation. 


The following steps provide the basic end-to-end process:

  1. An unauthenticated user visits My Syncplicity or runs a Syncplicity client.
  2. Syncplicity redirects the user to the identity provider (SAML server).
  3. The IdP prompts the user for credentials.
  4. The IdP redirects the user back to Syncplicity and validates the user.
  5. Syncplicity receives the assertion and logs the user in.

NOTE:  If the IdP supports Windows Integrated Authentication (such as Active Directory Federation Services 2.0), and the user attempts to log in from an AD/LDAP-joined computer, the entire process is hidden from the user. In other cases, the IdP may prompt the user for their corporate credentials.

Prerequisites

The following prerequisites are required to enable AD/LDAP- based SSO for an account:

  • A Syncplicity Business Edition or Enterprise Edition account 
  • On-premise Active Directory or LDAP directory service
  • SAML 2.0-compatible Identity Provider service
  • Custom branded domain for My Syncplicity (web interface)
  • Sign-in page URL on the IdP
  • Public certificate of the IdP

Procedure

QUICK REFERENCE:  Admin >  Settings >  Custom domain and single sign-on

To open the Syncplicity settings to configure your domain and SSO, perform the following steps: 

  1. Log in to Syncplicity with an admin account.
  2. Select Admin >   Settings.
  3. SelectCustom domain and single sign-on from the Account Configuration list. The Configure Authentication Settings screen is displayed.

To configure your Syncplicity application for SSO, perform the following steps. Also, refer to the following table for details on each of the parameters:

  1. Ensure your user identities are provisioned in an identity provider solution that supports SAML 2.0.
  2. Ensure that you have used the Syncplicity administration console to create all of your Syncplicity users.
  3. Enter a unique name for your custom domain. This will be the login of your choice that your users will use to log in to Syncplicity. For example, if your company name is  Acme, Inc,  enter  acme as the domain name. NOTE:  Do not use hyphens or special characters.
  4. On the Custom domain and single sign-on page under settings in the Syncplicity administration console, select the Enabled radio button under Single Sign-on Status.
  5. Enter the entity identification  provided by your SSO identity provider into the Entity Id field.
  6. Enter the URL for the Syncplicity application sign-in page provided by your SSO identity provider in the Sign-in page URL  field.
  7. (Optional step) Enter the URL where users are relocated with they log out of the Syncplicity application. 
    IMPORTANT:  This should not be your Syncplicity custom domain URL.
  8. Select the Choose File button next to the Identity Provider Certificate field and select the certificate file provided by your SSO IdP
  9. (Optional step) Type the IP address network masks for SSO in the Single Sign-On Network Mask field.
  10. (Optional step) Select the Enable Silent Onboarding checkbox to auto-activate Syncplicity users when they first authenticate to the SSO IdP This also suppresses the sending of a Syncplicity Welcome/Activation email to your corporate users.
  11. Select Save changes.

Once you have created your custom domain and confirmed the use of Service Provider initiated (SP initiated) SAML based SSO, you can collect your own SSO metadata  using this URL:  https://your_custom_domain.syncplicity.com/Auth/ServiceProviderMetadata.aspx  and replace it with  the one you configured above.  For example,  https://acme.syncplicity.com/Auth/ServiceProviderMetadata.aspx.

The following table describes the configurable parameters:

Parameters to be configured

Description

Custom Domain 
(Required)

The Custom Domain field requires administrators to specify a unique name for their URL.  This URL will be used by your users to log in to Syncplicity; therefore, it should include your company name. In addition to branding benefits, this URL allows the Syncplicity application to immediately determine the company account the user is attempting to log in to and redirects the user to the IdP configured for this account. 

A user can also navigate to your company's custom domain by entering their corporate email address when from the My Syncplicity URL (https://my.syncplicity.com  or  https://eu.syncplicity.com  for companies in the EU PrivacyRegion). The email address is then used to look up your company's unique custom domain URL.

Single Sign-On Status (Required)

The Single Sign-On Status field allows administrators to quickly enable or disable AD/LDAP SSO on their account. It is especially useful when SSO is being configured. An administrator can fill out and verify all the required fields before officially enabling SSO for their account. This can also be a quick way to disable SSO without losing all the settings that were already configured.

Entity Id

 

The Entity Id field is optional and further identifies the identity provider used for authentication. Some SAML 2.0-providers require it and, when entered, the Syncplicity application uses it when creating and validating SAML requests and responses.

Example:  https://idp.company.com/

Sign-In Page URL (Required)

The Sign-In Page URL field represents the address where the Identity Provider users are redirected for authentication purposes. This URL can be obtained from the Identity Provider.

Example:  https://idp.company.com/idp/ls/

Logout page URL

The Logout Page URL field represents the address where users are redirected after they log out of the Syncplicity account. The My Syncplicity URL at https://my.syncplicity.com (or https://eu.syncplicity.com for companies in the EU PrivacyRegion) can be used freely if another custom or specific URL is unavailable or unnecessary.

Identity Provider Certificate 
(Required)

 

The Identity Provider Certificate field is used to upload the public key of the signing certificate used by the Identity Provider. SAML requires that Identity Providers cryptographically sign their SAML assertions (containing confidential user identity information). The Syncplicity application validates the signatures to confirm that the assertion came from a trusted source; that is, the configured Identity Provider. The public key provided in this field is used to perform the validation.

Select Choose File  to pick a Base-64 encoded X.509 certificate (must have a .PEM or .DER file extension) on your computer. Once uploaded, the Syncplicity application displays information about the certificate underneath the form field.

Single Sign-On Network Mask

 

The Single Sign-On Network Mask contains an IP address, set of IP addresses, or an IP address range. Users must be connected from one of those addresses in order to be redirected to the Identity Provider. This security feature limits access to the Identity Provider and thus access to the Syncplicity account, which may be desirable in certain high-security environments. On the other hand, it has the side effect of disallowing users from accessing their data wherever they may be - a potentially undesirable limitation of the service.

The field accepts comma separated values in CIDR notation. More information about the CIDR notation is available at: http://en.wikipedia.org/wiki/Subnetwork.

Example: 192.168.0.0/24, 10.1.0.0/16

When a users accesses their Syncplicity account using a desktop or mobile client with Log in using corporate account selected, or when your users go to your company's Syncplicity custom domain URL, they are redirected to the SSO identity provider login page to authenticate using their corporate credentials before being provided access to the Syncplicity service.

Enable silent onboarding

During the SSO Configuration, you can opt to enable silent onboarding. When silent onboarding is enabled, end-users do not receive any welcome or activation email. If you wish to send communications to all users with information about their Syncplicity account, this communication must be handled outside of the Syncplicity application. In addition, the user accounts are automatically activated upon creation and prevent an additional step for users to take before they can begin using the Syncplicity account.

Sign in using SSO (My Syncplicity)

Once SSO is configured, there are two option for users to sign in to My Syncplicity with AD/LDAP credentials.

  • OPTION 1: (preferred and recommended)  Users go to the custom domain URL their administrator configured for their account. For example, when an unauthenticated user visits http://acme.syncplicity.com , the Syncplicity application automatically redirects them for authentication. Furthermore, if the Syncplicity application redirects the user to an SAML server that supports Windows Integrated Authentication and the user is on an AD/LDAP-joined computer, the authentication process happens automatically in the background and My Syncplicity is the first page displayed to the user.
  • OPTION 2:  Users can sign in with their email account from the default My Syncplicity login page at https://my.syncplicity.com (or https://eu.syncplicity.com for companies in the EU PrivacyRegion).

 

NOTES:

  • Syncplicity clients: All Syncplicity clients provide SSO login for users, including the desktop clients. Refer to the Getting Started for information on Syncplicity client applications.
  • MAC desktop users: Each time Mac desktop users reboot their systems, they are prompted by Keychain Access to provide the Active Directory password for Syncplicity. In addition, when Mac users change their Active Directory password, they must provide the older password the first time they are prompted by Keychain Access.
Powered by Zendesk