Configuring GoAnywhere to use Azure SAML
Learn how to set up GoAnywhere to use Azure SAML.
Setting Up SAML in GoAnywhere
Web Users SAML Set Up
Step 1: Create a Web User Template for SAML web users
I created ‘SAMLWU’ with HTTPS and secure folders
Step 2: Create an Admin User Template for SAML Admin users
I created ‘SAMLAdmin’ with all roles assigned
Step 3: Create a certificate - Go to Encryption – Key Management System
Select System Vault – Certificates - Add a Certificate
Click Save
Step 4: Export the Head Certificate for reference
Open it in notepad
Step 5: Export certificate again with private key, as a .p12 file
Step 6: Log in to Azure with your Admin account to create an Enterprise Application
Select ‘Enterprise Applications’ from services
Click on ‘+ New Application’
Click on ‘+ Create your own application’ - I named my app gademowu
Click Create
This takes a few seconds for Azure to create the application.
Step 7: Go straight to ‘2. Set up single sign on’
Click SAML
IMPORTANT
Step 8: Go straight to SAML Certificates and click Edit
Step 9: Click Import Certificate
This is the certificate exported from GoAnywhere as a .p12 file
Note that the file filter defaults to .pfx; change it so that .p12 files are shown.
Provide the password chosen during the export.
Click the … (three dots) at the end of the inactive certificate (top right) and select to make the certificate active.
Ignore the warning
Step 10: Next click on edit next to Basic SAML Configuration
Add an identifier (I used gademoWU).
Add your URL for the Reply URL, Sign-on URL, Relay State and Logout URL (I used https://gademo.pro2col.com for everything). This will be your system name.
Hit Save
Step 11: Click on ‘users and groups’ on the far left, then click ‘+ Add user/group’
Click ‘None Selected’ on the far left, then enter ‘All’ in the search field to find the All-Users group
Click ‘All Users’ then press Select. You will see it now says 1 group selected
Click the Assign button
Step 12: Go back to the ‘Single Sign-on’ option on the left
Scroll to the end of the SAML Certificates section and click Download to get the Federation Metadata XML
Save this file to your machine and open in notepad
Step 13: Search for the string X509Certificate
Check the text inside the tag. This MUST match the CRT certificate that you downloaded (not the .p12). You can ignore formatting; just check that the first and last few characters are the same (in my case ‘MIIDh’ and ‘TrJyZwXA==’).
If this does not match, delete the Enterprise Application and start again.
Note that the certificate string appears 4 times in the metadata XML file; this is expected.
Step 14: In GoAnywhere, create a new User > Login Method
Select the + Add Login Method button
Select SAML Single Sign On and Web Users, then press continue
Step 15: On the General tab, enter a Name and URL
This will be your system URL to the web client
Step 16: Then go to Identity Provider
Click on Import Metadata and select your metadata file generated in Azure
Press Import
Step 17: Click on Service Provider tab
Enter the Entity ID that you specified in Azure
Select your server certificate for the private key name (can be the certificate that you created if you want)
Turn off ‘Force Authentication’ to allow non-AD users to enter their credentials
Set Authentication Comparison to Exact
Enter your URL (again)
Step 18: Go to the Web User tab
Complete the fields as shown:
NameID Format: Email Address
Username Location: Attribute
Attribute Name*: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Parse Username Value: Yes
Username Pattern*: ([^@]+)
Create User Automatically: Yes
Update User Info: Yes
Attribute Mappings:
First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Web User Template: SAMLWU
Finally, Hit Save
Step 19: Go to Services > Service Manager
Edit the HTTPS Service and go to listener: default (General tab)
Set SAML Single Sign-On to be SAMLWU
Save and Restart the HTTPS service (on all application machines)
Step 20: Go to Login Settings and click on the Default Login Methods tab
Select the Default Login Method you created for the SAML Web Users (in this case it was SAMLWU)
The same default selection will need to be selected for the Admin User SAML set-up later
Step 21: In Login Settings, select the Login Routing Methods tab
Add a new User Name Pattern to the web client rules section, and select the Login Method SAMLWU created for SAML Web Users to link the pattern to the relevant method
Click Save
Test with a web user
Admin Users SAML Set Up
Go back to Azure and create another new Enterprise Application (I called mine gademoad).
Follow the same process of importing the .p12 certificate before doing anything else (Step 8 above). Remember to set it as the Active Certificate.
Update the Basic SAML Configuration, this time using the admin port address.
Remember to add the ‘All users’ group
Export the Federation Metadata for this application and open the XML file.
CHECK THAT YOU ARE STILL SEEING THE SAME CERTIFICATE AS FOR THE WEB USERS
If it matches, it is safe to import into GoAnywhere – during the import you will need to overwrite the existing certificate, so it is essential that it matches.
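As an added example (not part of the original guide), the certificate check from Step 13 and the admin-application check above, automated in Python: every ds:X509Certificate in the downloaded Federation Metadata XML is extracted, whitespace is stripped, and each is compared with the body of the .crt exported from GoAnywhere. The metadata document and the certificate inside it are constructed samples, and the entityID tenant value is a placeholder.

```python
import re
import sys
import textwrap
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample values (not real key material): a fake base64 body standing in for
# the GoAnywhere certificate, and a cut-down Azure-style metadata file repeating it 4 times.
CERT_B64 = "MIICONSTRUCTEDNOTAREALCERT" + "QUJD" * 24 + "dGFpbA=="
EXPORTED_CRT = ("-----BEGIN CERTIFICATE-----\n" + textwrap.fill(CERT_B64, 64)
                + "\n-----END CERTIFICATE-----\n")
_X509 = f"<ds:X509Data><ds:X509Certificate>\n {CERT_B64}\n</ds:X509Certificate></ds:X509Data>"
METADATA_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <ds:Signature><ds:KeyInfo>{_X509}</ds:KeyInfo></ds:Signature>
  <RoleDescriptor><KeyDescriptor use="signing"><ds:KeyInfo>{_X509}</ds:KeyInfo></KeyDescriptor></RoleDescriptor>
  <RoleDescriptor><KeyDescriptor use="signing"><ds:KeyInfo>{_X509}</ds:KeyInfo></KeyDescriptor></RoleDescriptor>
  <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo>{_X509}</ds:KeyInfo></KeyDescriptor></IDPSSODescriptor>
</EntityDescriptor>"""

def pem_body(pem_text):
    """Base64 body of the first CERTIFICATE block in the exported .crt, whitespace removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in the exported .crt")
    return re.sub(r"\s+", "", m.group(1))

def metadata_certs(xml_text):
    """Every <ds:X509Certificate> body in the federation metadata, whitespace removed."""
    root = ET.fromstring(xml_text)
    return [re.sub(r"\s+", "", el.text or "") for el in root.iter(DS_NS + "X509Certificate")]

def check_metadata(xml_text, pem_text):
    """Compare every metadata certificate with the .crt; also return the head/tail you eyeball in Notepad."""
    expected, found = pem_body(pem_text), metadata_certs(xml_text)
    return {"occurrences": len(found),
            "all_match": bool(found) and all(c == expected for c in found),
            "head": expected[:5], "tail": expected[-10:]}

if __name__ == "__main__":
    # Usage: python check_saml_cert.py FederationMetadata.xml exported.crt
    # (utf-8-sig tolerates a BOM at the start of the download); no arguments runs the sample.
    if len(sys.argv) == 3:
        xml_text, pem_text = (open(p, encoding="utf-8-sig").read() for p in sys.argv[1:3])
    else:
        xml_text, pem_text = METADATA_XML, EXPORTED_CRT
    result = check_metadata(xml_text, pem_text)
    print(result)
    sys.exit(0 if result["all_match"] and result["occurrences"] else 1)
```

A non-zero exit means the metadata carries a certificate other than the one you exported, which is the case where the guide says to delete the Enterprise Application and start again rather than overwrite the certificate in GoAnywhere.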
Add a new Login Method, this time for admin users
Click continue
For Admins, the URL should now include the administration port 8001
Identity Provider tab for SAML Admin users
Import the Metadata File exported from the Azure Admins Enterprise Application
Notice the same certificate name as used previously – in fact, any certificate created from this Azure tenant will have this name!
Service Provider tab for admin SAML
On the admin interface we expect all admins to be SAML authenticated so leave ‘force authentication’ on. If this is not the case, you must also update login settings for admin users in the same way as for web users
Admin User tab
Enter the following string into the Attribute Mappings – Email field:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Remember to select the default Login Settings for Admin Users by linking them to the Admin SAML login method.
Finally, go to System > Admin Server and edit the admin server secure listener
Turn off Force Authentication if you want non-SAML Admins to be able to access the Admin console
Any changes to the Admin Server require a full Stop and Re-start of the GoAnywhere service on the machine.
Restart the GoAnywhere service on the server and test