SAML Single Sign On Manual Configuration

Support > Server Guides

The instructions in this article are only applicable to MyWorkDrive installations using Active Directory for user identity. If MyWorkDrive is configured with Entra ID for the user directory, it uses a native Microsoft login, and SAML is not required to enable SSO.

SAML Manual Configuration Overview

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).

MyWorkDrive Server supports SAML-based web file manager Single Sign-On (SSO) in addition to ADFS (which is configured separately). For SAML, MyWorkDrive acts as a Service Provider (SP) while the partner acts as the identity provider (IdP), for example: Shibboleth, OneLogin, Centrify, Entra ID, OKTA, etc.

Preconfigured SAML Setup Guides

Several SAML providers are preconfigured in MyWorkDrive and use a simplified setup process. Please visit the following articles for the setup of Entra ID, Okta, and OneLogin. It is neither necessary nor recommended to manually configure MyWorkDrive for these providers.

Entra ID SAML

OKTA SAML

OneLogin SAML

Manual SAML Prerequisites

  • Ensure users have a UPN suffix applied for their user account on the domain, to match the SAML provider login name. In most scenarios, the presented username from the identity provider will be the username and matched to UPN. If those values do not match, you may be able to manipulate the claim rules on the identity provider to send a value which matches the UPN.
    A discussion of re-writing claim rules can be found, here
  • Ensure the MyWorkDrive server is trusted for delegation as per our Delegation Article.
  • Make your server available via Cloud Web Connector or set up your own public SSL certificate and hostname pointing to your MyWorkDrive server over port 443 (SSL), and ensure your server is publicly accessible. View Support Article.

Login Flow

The following explains the user login flow to MyWorkDrive from an identity provider (IdP).

  • It is assumed all users are logging into the Identity Provider using their UPN Suffix (eg @yourdomain.com) and it matches their Active Directory username UPN.
  • Your MyWorkDrive server is using your own hostname and SSL Certificate (*.MyWorkDrive.net is not supported for SAML).
  • The user access MyWorkDrive via your configured MyWorkDrive URL, ie, https://YourMWDserver.yourdomain.com.
  • The MyWorkDrive server automatically redirects to the Identity Provider login URL as configured in the SAML configuration on MyWorkDrive.
  • If the user is not already logged into the ldP the MyWorkDrive server redirects the user to the SSL service to sign in.
  • Once confirmed, the IdP service generates a valid SAML response and redirects the user back to MyWorkdrive to the MYWorkDrive ACS Url configured in the identity provider (eg, https://YourMWDserver.yourdomain.com/SAML/AssertionConsumerService.aspx).
  • MyWorkDrive will verify the SAML response and confirm user access by matching the authorized username with Active Directory.
  • If the user authentication is successfully validated, they are automatically logged into MyWorkDrive.

SAML SSL MyWorkDrive Server Configuration

To successfully configure SAML on the MyWorkDrive server, the following manual steps are necessary.

1. IdP Service Configuration

If your IdP will import settings from metadata, you can use the MyWorkDrive metadata link from your server at https://YourMWDserver.yourdomain.com/SAML/ServiceProviderMetadata

Create a SAML configuration at the IdP referencing the MyWorkDrive server:

  1. Specify the assertion consumer service URL (e.g., https://YourMWDserver.yourdomain.com/SAML/AssertionConsumerService.aspx) as the single sign-on URL.
  2. Specify the Audience URI (SP Entity ID, Service Provider Name) - enter “MyWorkDrive” as the audience URI. If the Identity Provider requires you to specify a different name, or gives you the name to specify, you can ajdust the SP Name in the configuration on MyWorkDrive.
  3. Specify the single logout service URL (eg https://YourMWDServer.yourdomain.com/SAML/SLOService.aspx) as the logout URL.
  4. Specify the SP Issuer. This is the local service provider name (Entity ID) – Enter “MyWorkDrive”.
  5. Download the ldP certificate and place in C:\Wanpath\WanPath.Data\Settings\SAML\Certificates. Typically this is provided in x509 format as a .cer file. Some providers use different extensions; the only requirement is that it is a valid x509 certificate.

    sample x509 certificate
    If your SAML provider does not offer a certificate download, you may find the certificate information provided in a metadata file and can use that to create the cer file with a text editor. Be sure to include the header/footer and line breaks as demonstrated.
  6. If prompted by the identity provider, upload the mwd.pfx file from C:\Wanpath\WanPath.Data\Settings\SAML\certificates using the password as indicated in the saml.config.example file.
  7. If prompted for Post vs HTTP-Redirect or Assertion, MyWorkDrive uses HTTP-Redirect/Assertion; not Post for the ACS process.

2. MyWorkDrive Server Configuration

  1. Edit the saml.config file located at C:\Wanpath\WanPath.Data\Settings\SAML\saml.config. A saml.config.example is available to use as a reference with a number of common provider examples shown.
  2. There are three core sections of the file that must be present and correctly formatted.
    <ServiceProvider> This section defines the information MyWorkDrive needs to receive SAML assertions the identity provider, including the entity ID (Service Provider Name) configured for MyWorkDrive, the local certificate details (created on installation) and the assertion consumer service endpoint (also created on installation). The defaults created in the sample file do not need to be changed.
    <PartnerServiceProviders> This section is redundant with the ServiceProvider section and will generally be the same, except in cases using multiple saml providers where a different Entity ID (service provider name) is required for different identity providers.
    <PartnerIdentityProviders> This section contains the information regarding the Identity provider.
  3. In the Partner identity provider section: Set the Name to the identity provider issuer. This value is also known as the metadata entityID and may often be labeled simply "EntityID" in the Identity Provider Metadata. It is very commonly a URL.
  4. In the Identity provider section: Set the SingleSignOnServiceUrl to the identity provider single sign-on URL.
  5. Update the identity provider PartnerCertificateFile section with the complete path and name of the identity provider's certificate file.
  6. Different indentity providers may require other settings such as SignAuthnRequest, WantAssertionsSigned. Set those values as required for your identity provider.
  7. Download or create the x509 certificate file for your identity provider. Place the identity provider certificate file on the file system and reference the path in the PartnerCertificateFile line. The typical storage location is C:\Wanpath\WanPath.Data\Settings\SAML\Certificates\ and the typical file type is .cer.

The partner identity provider configuration section should be similar to the following saml.conf

```

```

The Service provider section configuration should be similar to the following saml.conf <ServiceProvider Name="MyWorkDrive" Description="MWD Service Provider" AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx" LocalCertificateFile="C:\Wanpath\WanPath.Data\Settings\SAML\Certificates\yourdomain.pfx" LocalCertificatePassword="password"/>

Finally, before you test, make sure you have added/assigned some users to your new MyWorkDrive entry in your IdP to authorize them to access MyWorkDrive. Most indentity providers require some method to authorize users to access an application - manual assignment, assign by group, etc.

To test SAML without making it required after enabling it, you may access the SSO Login url in the webclient at: http://yourserver.yourdomain.com/account/login-saml.aspx

This will invoke the SAML process and pass you to the identity provider to authenticate and complete the SAML flow.

Once you are confident the SAML is correctly configured, and delegation has been enabled for shares, check the box "require SSO" in settings in MyWorkDrive to enable the SAML process for all users and methods (Web, Map drive and Mobile).

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@myworkdrive.com.