Share Azure Blob Files with ActiveDirectory Users using SSO
Azure Blob file sharing with Active Directory users is simplified with NirvaShare. Active Directory is a directory service used by most enterprise organizations to manage users centrally and govern their access across resources. NirvaShare can be integrated with Active Directory to share Azure Blob storage with those users. For better file collaboration, AD groups can be used together with fine-grained access control.
As prerequisites you will need to have:
- Make sure NirvaShare is installed, either in the cloud or on-premises. You can also install it directly from the Azure Marketplace.
- Configure the Storage and User Application URL in NirvaShare Admin Console. For details check HERE
- You will require access to your Azure ActiveDirectory as administrator.
We need to create an enterprise application in Active Directory to integrate with NirvaShare:
- Sign in to Azure Portal https://portal.azure.com
- Open Active Directory service.
- From the left menu list, click on Enterprise applications.
To know more, you can also visit the Microsoft documentation at HERE.
- On the top menu, click on New application
- On the top menu, click on Create your own application
- Provide a name as NirvaShare-userapp and click on Create
- Once the newly created application is selected, click on Single sign-on from the left menu tab.
- We need to enable SAML, hence click on SAML block on right hand side.
At this juncture, you will require SAML metadata information from NirvaShare, hence log in to NirvaShare Admin console and follow the below steps.
- Click on Login Profiles from the left menu.
- Create a new Login profile.
- Provide a name, choose Single Sign On (SAML 2) as the authentication type and click on CREATE AUTHENTICATION.
- To get the SAML metadata, right-click on the newly created Login Profile and click on the Edit option.
- Click on the SAML Metadata URL; this opens a new tab with the metadata content.
- Copy the metadata XML content.
From the metadata content, make a note of ACS URL and the Metadata URL from the XML.
Now return to the Azure portal, to the SAML settings of the new application we created.
- Select the newly created application, and click on the Single sign-on tab menu from left.
- Edit the Basic SAML Configuration
- Paste NirvaShare's metadata URL to
- Paste NirvaShare's ACS URL to
- Save it.
- Edit the next section Attributes & Claims
- Click on Add a group claim from the top menu
- Select All groups radio button and Source attribute as Group ID
- Scroll down and expand Advanced options
- Enable checkbox for Customize the name of the group claim
- Provide name as member
- Save it.
Let us get the metadata for the enterprise application that we created.
- Scroll down to the section SAML Signing Certificate
- Download the Federation Metadata XML
- Copy the XML content of the downloaded file.
Now let us go back to NirvaShare Admin Console.
- From the NirvaShare Admin Console, edit the Login Profile that we created earlier.
- Paste the Federation Metadata XML content obtained from Active Directory into the External IDP SAML metadata textarea.
- Save it.
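The two metadata documents exchanged above (NirvaShare's SP metadata, from which the ACS URL and Metadata URL are read, and the Azure Federation Metadata XML pasted into the Login Profile) can be checked before pasting. The following is an added example, not NirvaShare's or Microsoft's code; the XML samples are constructed, with placeholder hostnames, tenant id and certificate, in the standard SAML 2.0 metadata shape.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata shaped like what NirvaShare's SAML Metadata URL serves (placeholder host).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://share.example.com/saml/metadata"><md:SPSSODescriptor>
 <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://share.example.com/saml/acs" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed Azure AD Federation Metadata XML (placeholder tenant id and certificate; default namespace).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/"><IDPSSODescriptor>
 <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
  <X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
</IDPSSODescriptor></EntityDescriptor>"""

def sp_values(xml_text):
    """Entity ID and HTTP-POST ACS URL: the two values copied into Azure's Basic SAML Configuration."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"md:SPSSODescriptor/md:AssertionConsumerService[@Binding='{HTTP_POST}']", NS)
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location") if acs is not None else None}

def idp_values(xml_text):
    """Entity ID, redirect SSO endpoint and signing certificates from the IdP federation metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{HTTP_REDIRECT}']", NS)
    certs = root.findall("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location") if sso is not None else None,
            "signing_certs": [c.text.strip() for c in certs if c.text]}

def check_pairing(sp_xml, idp_xml):
    """Return a list of problems; an empty list means the metadata pair is safe to paste on both sides."""
    sp, idp = sp_values(sp_xml), idp_values(idp_xml)
    problems = []
    for label, url in (("ACS URL", sp["acs_url"]), ("SSO URL", idp["sso_url"])):
        if not url:
            problems.append(f"{label} missing")
        elif not url.startswith("https://"):
            problems.append(f"{label} is not https: {url}")  # assertions would travel in the clear
    if not idp["signing_certs"]:  # without a signing key the SP cannot verify assertions at all
        problems.append("IdP metadata has no signing certificate; assertions cannot be verified")
    return problems
```

Run `check_pairing` on the real downloaded metadata before saving the Login Profile; a non-empty list points at the field to fix.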
With this, the configuration required to enable Active Directory Single Sign-On with NirvaShare is done. To test it, proceed with the next section to create Shares.
- To Create Share and provide access to users, please refer to documentation on Sharing a File/Folder
- For Authentication Type, select External Auth Provider and the Login Profile that we created based on above sections.
- Active Directory Group IDs can be used in Shares to restrict access to users belonging to those groups. For this, make sure you create groups in Active Directory and assign users to them.
- You can also set the default Login Profile to the one we created in Settings. For more information check Settings