Contents

Introduction....................................................................................................................................................................................................2

Requirements.................................................................................................................................................................................................2

Setup Steps.....................................................................................................................................................................................................3

  1. Get Token Signing Certificate....................................................................................................................................................3
  2. Createa Single Sign On Settings set in your ezeep Portal..............................................................................................5
  3. Enter SAML Settings......................................................................................................................................................................6
  4. Create Relying Party Trust............................................................................................................................................................8
  5. Configure Claim Rules.................................................................................................................................................................10
  6. Transform an incoming Claim (Email to NameID)............................................................................................................12
  7. Send LDAP Attributes as Claim (Important for group assignment)..........................................................................14
  8. Setup groups in the ezeep Portal...........................................................................................................................................16

UserSign-On..................................................................................................................................................................................................17


Introduction


SAML is today's standard when it comes to connecting the user management of a cloud service with a directory service. This manual describes the steps required to connect an ezeep account to a directory service like ADFS, Azure Active Directory, Pint Identity, miniOrange and others. While the configuration varies between them, the fundamental steps to connect are the same. The examples used here are based on Active Directory Federation Services.


Requirements


• ezeep administrator account
• administrator account for your directory service 

 


Setup Steps


1. Get Token Signing Certificate


First, we need to get the token-signing certificate from your ADFS server. We will need this to validate that the incoming security tokens were indeed created by your ADFS server and not modified in transit. Microsoft states that the public/private key pairing is the most important validation mechanism.


To get your token-signing certificate, go to:


• ADFS Management on your ADFS server
• Under ADFS / Service / Certificates double click the value under Token-signing
• Under the tab “Details” chose Copy to File... and export the certificate as Base-64 encoded X.509 (CER)
• Store the file securely, you will need to upload it to our Admin portal in the next step
 


screenshot: create token-signing certificate in ADFS


screenshot: export certificate


2. Create Single Sign On Settings set in your ezeep Portal


• Log in to your ezeep account as administrator
• Click on your account (your email address / display name in our menu on the left)
• Under Single Sign On you will find the settings that you have set up (there should be none yet)
• Click on “Add SSO” and chose SAML 2.0
• A new popup will open with SAML settings

screenshot: access SSO setting in ezeep portal

 3. Enter SAML Settings


Our SAML settings include all basic settings that you need to set up for SAML to work properly. Enter your specific information and remember to save the settings.


This table contains the details about the specific settings:
 

Setting Name Description Example
Name (RENAME ME)This is the name that we will store the SAML set for
you to find. For your account this name needs to be
unique.
"ThinPrint Cloud SAML Settings"
Organization IdentifierThis is your Organization ID which is unique across
our whole solution. Each SAML setting needs one
Organization ID.
When your users enter this Organization ID at:
https://accounts.ezeep.com/auth/signin/saml/
they will be following the SAML rule set that you set
here and forwarded to the according Identity Provi
der Login URL.
ThinPrintCloud
Entity ID The entity ID of your Identity Provider. http://adfsdc.cortsol.net/adfs/
services/trust
Identity Provider Login URLThis is the login URL of your identity provider which
in this case is your ADFS. When users enter your
Organization ID above they will be redirected to this
URL.
"https://adfsdc.cortsol.net/adfs/ls"
Login Binding typePick a binding type for your login requests. This
setting states how SAML request and response
messages are mapped. We recommend to choose
the HTTP redirect method.
• HTTP Post
• HTTP redirect
Post
„urn:cortsol:names:tc:SAML:2.0:bin
dings:HTTP-POST“
Redirect
„urn:cortsol:names:tc:SAML:2.0:bin
dings:HTTP-Redirect“
Identity Provider Logout URLThis is the URL that we redirect the user to when
the user actively wants to log out of a session in our
portal.
"https://adfsdc.cortsol.net/adfs/
ls/?wa=wsignout1.0
"
Logout Binding typePick a binding type for your logout requests. This
setting states how SAML request and response
messages are mapped. We recommend to choose
the HTTP redirect method.
• HTTP Post
• HTTP redirect
Post
„urn:cortsol:names:tc:SAML:2.0:bin
dings:HTTP-POST“
Redirect
„urn:cortsol:names:tc:SAML:2.0:bin
dings:HTTP-Redirect“
Identity Provider Certificate
(Base64 encoded)
This is the token-signing certificate that we exported
to file in the first step „
Get Token-Signing Certifica
te
“. You can upload it here for us to store securely.
„-----BEGIN CERTIFICATE-----
a++++R0XNd+bDaBH2Jqpdln0+//asdsa
dadasd=
-----END CERTIFICATE-----“



screenshot: configure ezeep SAML settings


4. Create Relying Party Trust


To set up ezeep as an application that can be trusted by your ADFS, you need to create a Relying Party Trust on your ADFS. We have a preconfigured xml file for you that contains all necessary information to automatically configure your ADFS. You can find it after saving your first SAML Settings on the Single Sign On Settings screen. You can either save the link to the XML settings (we will need it on the ADFS server later) or store the whole file in case that your ADFS does not have an internet connection.

screenshot: access relying party trust XML


On the ADFS server
• Open your ADFS Management and go to Trust Relationships / Relying Party Trusts
• Add Relying Party Trust
• In the Wizard, you can import data by entering the link that you saved from our portal or point to the local xml file that you transferred to the server
• You can check the settings by continuing the Wizard

screenshot: import relying party data to ADFS

screenshot: import relying party data from XML file

 5. Configure Claim Rules


When a user knocks on our portal login door with a SAML token, we consider the token and evaluate certain attributes from it and use them accordingly. These attributes need to identify the user and the ezeep groups the user should be a member of. This way we can directly make printers accessible to users based on the groups and policies that exist in your ezeep portal.


Claim Rules are used to specify these attributes in the SAML tokens. Claim Rules map an attribute from your Active Directory user object to a key the ezeep service understands. For instance, you can choose which attribute you want to use to map your users to ezeep groups so ezeep can perform the assignment automatically when the user logs in.


Ezeep is looking for the following attributes:
 

Name Outgoing Claim Type Required Description Example
Name ID NameID YesNeeds to be in e-mail format.
We use the NameID to
identify a user.
john@cortsol.net
groupshttp://schemas.microsoft.
com/ws/ 2008/06/identity/
claims/groups
Required for users
to print
The strings in groups will
be matched with the name
strings of groups that the
admin created in our portal
cortsol.net\Domain
Users
First name first_name No, optionalWe display the first names
in your users view for you to
search for and filter users.
John
Last name last_name No, optionalWe display the last names
in your users view for you to
search for and filter users.
McClane


At the end of the Relying Party Trust Wizard you can directly open the Edit Claim Rules dialog. You will need it to configure your user settings just the way you want them. You can also open the dialog with a right click on the newly created Relying Party Trust for ezeep and click on Edit Claims:


screenshot: open claim rules dialog

 5.1 Transform an incoming Claim (Email to NameID)


The first rule set always must be the identifier as we require this attribute to identify a user. We require to have email addresses as the identifier that must be set. For this you can use the Claim rule template “Transform an Incoming Claim” 

screenshot: select the claim rule template


 In the template set the Incoming Claim as the E-Mail Address and the outgoing claim type as Name ID with E-Mail as the format. This will take the e-mail address attribute from your user and map it to Name ID so that we know that this is the attribute where we find the users E-Mail address: 

screenshot: configure transform claim rule

screenshot: check created claim rule 

 5.2 Send LDAP Attributes as Claim (Important for group assignment)


As a next step add another Claim rule and chose the “Send LDAP Attributes as Claims” template: 

screenshot: select LDAP claim template 

This opens a table where you can pick your intended AD attribute on the left and specify the outgoing claim on the right.


Your users always print per group rule sets that you can set in our ezeep portal. For us to assign them to the correct groups, you need to choose the LDAP attribute that you use for organizing your groups in your AD and map them to the outgoing claim
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups :
 

screenshot: configure claim rule


screenshot: check created claim rules


6. Set up groups in the ezeep Portal


In the ezeep portal the users are organized in groups. Groups have policies applied to them. Policies define access to printers and printer features. For the groups and policy system to work properly, the LDAP group attribute has to contain group information in the exact same format, the claim rules configured in the previous step communicates.


Here are a few examples:

AD Attribute Name Example
Token-Groups - Qualified by Domain Name • cortsol\Domain Users
Token-Groups as SIDs • S-1-5-21-1206454754-1378802883-1802596162-513
Token-Groups - Qualified by Long Domain Name • cortsol.net\Domain Users
Token-Groups - Unqualified Names • Domain Users
Is-Member-Of-DL • CN=Guests,CN=Builtin,DC=cortsol,DC=net
• CN=Users,CN=Builtin,DC=cortsol,DC=net


It is essential that you create the Groups in the ezeep portal with the exact same string as it is going out from your AD. Our workflow is to consider the SAML token, check the attribute “groups” and try to assign the users to the ezeep groups with the exactly same matching strings as names. There can be multiple groups in the attribute, we will try to match them all with the ezeep groups. If we do not find this group set up by you in our portal, we will just ignore it.


This check is performed every time a user logs in with a SAML token. We make sure that we clean the former groups assigned to a user before assigning the groups that we find in the new SAML token so that changes to groups are applied every time a user logs in with a new token. This makes sure that old groups, that the user were assigned to, get unassigned when we don’t find them in the SAML token anymore.

 User Sign-On


After ezeep and the directory service are linked via SAML, users can simply go to portal.ezeep.com and click on “Sign in with Organization ID” or go directly to https://accounts.ezeep.com/auth/signin/saml/

screenshot: sign in to ezeep with organization ID

 They need to enter the Organization ID that you set as Organization Identifier in the ezeep portal.
 

screenshot: enter organization ID
Once they enter the ID, they will be redirected to the link you provided as Identity Provider Login URL.
 

screenshot: sign in with directory service


After successful authentication on your Identity Provider, they will be redirected to the portal and can print per the groups that you set up.