Summary
Cloud Drive Mapper delivers the best and most seamless user experience when a browser-based SSO solution is implemented with Office 365. With SSO in place, Cloud Drive Mapper authenticates to Office 365 automatically at start-up and maps the user's drives without the user being aware that it is happening.
To confirm that SSO is working via a browser: navigate to portal.office.com and, if you are already signed in to Office, sign out. Choose to sign in again, select the option to use a different account, and enter the same email address you were signed in with (this proves SSO rather than a cached credential). If you are prompted for a password, SSO is not enabled. If you are signed in without entering a password, SSO is working: the browser is authenticating with the logged-in Windows session (for example a Kerberos ticket or the device's Azure AD token) rather than with a password.
Cloud Drive Mapper natively supports single sign-on (SSO) from most major single sign-on providers, including:
- ADFS*
- Azure AD Connect*
- IAM Cloud
- Okta
- OneLogin
- PingID
- VMware Identity Manager
- Plus a wide range of other SSO platforms that federate with Azure AD and support the OAuth 2.0 sign-in flows used by MSAL (the Microsoft Authentication Library).
Azure AD Connect (with Seamless SSO enabled) is by far the most popular and common SSO method. There are numerous setup guides online, such as Microsoft's quick start at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start, which can be followed to enable SSO.
If no SSO is available, users can expect to have to authenticate to CDM when they log in to Windows. The frequency of these prompts can be reduced if the user's account is added in the 'Email and Accounts' section of Windows Settings, or if the machines / profiles are joined to Azure AD. The registration state can be checked with the command dsregcmd /status: the device is Azure AD joined when the output shows AzureAdJoined : YES, and token-based sign-in is available for the current user when it shows AzureAdPrt : YES.
* In most cases, SSO will "just work". However, there is one situation with Azure AD Connect and ADFS where some minor config changes may be required to enable full compatibility. See below for more details:
ADFS / Azure AD Connect UPN & Email Mismatch
If the user accounts are synced from Active Directory to Office 365, then by default CDM will try to authenticate with the mail attribute. In some cases the mail attribute is different from the UPN, and the UPN is the default Office 365 authentication address. If your ADFS or Azure AD Connect is set up in this way, you will need to add two registry values to tell CDM to use the UPN and not the mail. Ideally these should be deployed to HKCU (per user profile), but they can also go in HKLM (machine-wide).
Computer\HKEY_CURRENT_USER\Software\IAM Cloud\CloudDriveMapper
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IAM Cloud\CloudDriveMapper
ADAttribute = UserPrincipalName
CredentialCacheOverride = True
Both values are REG_SZ (string) values. They can be created with REG ADD from a command prompt (use the HKCU lines for a per-user deployment, or the HKLM lines for a machine-wide one):
REG ADD "HKCU\Software\IAM Cloud\CloudDriveMapper" /v "ADAttribute" /t "REG_SZ" /d "UserPrincipalName" /f
REG ADD "HKCU\Software\IAM Cloud\CloudDriveMapper" /v "CredentialCacheOverride" /t "REG_SZ" /d "True" /f
REG ADD "HKLM\Software\IAM Cloud\CloudDriveMapper" /v "ADAttribute" /t "REG_SZ" /d "UserPrincipalName" /f
REG ADD "HKLM\Software\IAM Cloud\CloudDriveMapper" /v "CredentialCacheOverride" /t "REG_SZ" /d "True" /f
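The following PowerShell script is an added example, not IAM Cloud's own tooling. It ties together the two checks described on this page: it reads the device registration state from dsregcmd /status, looks up the logged-on user's userPrincipalName and mail attributes in Active Directory (via ADSI, so no RSAT module is needed), and applies the two CDM registry values above to HKCU only when the two attributes actually differ. The function names are the author's own; the registry path and value names are the ones this page specifies.

```powershell
# Added example (not Cloud Drive Mapper's code): verify SSO preconditions and
# apply the UPN override only when the mail attribute and UPN do not match.

function Get-DeviceRegistrationState {
    # Parse the "Name : YES/NO" lines printed by dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-UpnMailMismatch {
    # Query AD for the current user's account and compare UPN with mail.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    $searcher.PropertiesToLoad.AddRange(@('userPrincipalName', 'mail'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "No AD account found for $env:USERNAME (is this machine domain joined?)" }
    $upn  = [string]$result.Properties['userprincipalname'][0]
    $mail = [string]$result.Properties['mail'][0]
    # -ne is case-insensitive in PowerShell, so only a real difference counts as a mismatch.
    [pscustomobject]@{ UPN = $upn; Mail = $mail; Mismatch = ($upn -ne $mail) }
}

function Set-CdmUpnOverride {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $path = "${Hive}:\Software\IAM Cloud\CloudDriveMapper"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Both values are REG_SZ strings, as the page specifies.
    New-ItemProperty -Path $path -Name 'ADAttribute' -PropertyType String -Value 'UserPrincipalName' -Force | Out-Null
    New-ItemProperty -Path $path -Name 'CredentialCacheOverride' -PropertyType String -Value 'True' -Force | Out-Null
    # Return what is now in the registry so the change can be confirmed.
    Get-ItemProperty -Path $path | Select-Object ADAttribute, CredentialCacheOverride
}

$reg = Get-DeviceRegistrationState
"AzureAdJoined=$($reg.AzureAdJoined) DomainJoined=$($reg.DomainJoined) AzureAdPrt=$($reg.AzureAdPrt)"

$ids = Get-UpnMailMismatch
$ids
if ($ids.Mismatch) {
    "mail and UPN differ; configuring CDM to authenticate with the UPN"
    Set-CdmUpnOverride -Hive HKCU
} else {
    "mail and UPN match; no registry change needed"
}
```

Run it in the user's own session for the HKCU path (writing to HKLM requires an elevated prompt). Keying the registry change on an actual mismatch avoids deploying the override to tenants where mail and UPN already agree, and the returned Get-ItemProperty output gives a quick confirmation that both values were written as strings.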
If you need any assistance please do not hesitate to contact us at support@iamcloud.com