What is single sign-on? What is involved in the integration?
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
FMX supports SSO over the WS-Federation passive protocol with on-premises AD FS acting as the identity provider. To integrate with an on-premises Active Directory installation, Active Directory Federation Services (AD FS) 2.0 (or a later AD FS version) is required. Organizations without on-premises AD FS can integrate with FMX using Azure Active Directory instead.
Scenario 1: On-Premise Active Directory with existing AD FS 2.0 installation
Add FMX as a relying party trust using the following information (Scenario 2 walks through the same steps in the AD FS management snap-in):
WS-Federation URL
- https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml
Claim rules
- Add a "Send LDAP Attributes as Claims" rule with the mappings below. In the Outgoing Claim Type column either pick the short name from the drop-down or paste the claim type URL; each short name is the AD FS display name for the URL beside it. The asterisk marks Name ID as the required claim.

LDAP Attribute | Outgoing Claim Type
---|---
User-Principal-Name | * Name ID or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
E-Mail-Addresses | E-Mail Address or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Given-Name | Given Name or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Surname | Surname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Telephone-Number | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
Completing integration
Provide FMX with the federation metadata document that AD FS generates. You can find this document at the following URL:
- https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml
Note that this document is different from the FMX metadata document used to add FMX as a relying party: it describes your AD FS server (its identifier, endpoints and token-signing certificate). If your AD FS metadata endpoint is reachable from the public internet (recommended), you can simply give FMX its URL. If your AD FS server is reachable only from your organization's internal network, you will need to send a copy of the document instead. Publishing the metadata endpoint exposes only public keys and endpoint addresses, not secrets, but it must be served over HTTPS with a certificate FMX can validate, because FMX will trust the token-signing certificate it reads from the document.
Considerations
The disadvantage of providing a copy of the metadata document rather than a URL is that the document contains your token-signing certificate, which expires (usually after one year; AD FS 2.0 rolls it over automatically by default), at which point you must send FMX a new copy. If the certificate expires or rolls over before FMX has the new copy, sign-in to FMX fails until it does. With a URL, FMX re-reads the document automatically and picks up a new certificate as soon as AD FS publishes it, so rollover is seamless.
Optional next steps:
- See the separate article on how to configure AD FS to synchronize user access permissions.
Scenario 2: On-Premise Active Directory, no existing AD FS 2.0 installation
(This procedure was written for Windows Server 2008 R2 and AD FS 2.0. The steps and dialog names differ slightly on newer versions of Windows Server, where AD FS is an installable server role rather than a separate download.)
Install AD FS 2.0
- Download and run the AD FS 2.0 installer from: http://www.microsoft.com/en-us/download/details.aspx?id=10909
- Choose "Federation server"
- Check "Start the AD FS 2.0 Management snap-in when this wizard closes" and close the installer
Configure AD FS 2.0
- From the "AD FS 2.0 Management" snap-in, click "AD FS 2.0 Federation Server Configuration Wizard"
- Choose "Create a new Federation Service"
- Choose "Stand-alone federation server" (a stand-alone server keeps its configuration in the Windows Internal Database and cannot later be joined to a farm; choose "New federation server farm" instead if you may add a second server for redundancy)
- Select an SSL certificate whose subject matches the Federation Service name (use a publicly trusted certificate if users will authenticate from outside your internal network, since their browsers and FMX must be able to validate it) and use the default Federation Service name
- Verify the following HTTPS endpoints are accessible using a web browser:
- Federation metadata document: https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml
- Passive requestor endpoint: https://<your-ad-fs-server-hostname>/adfs/ls/ (should return an AD FS error page)
Add FMX as a relying party
- From the "AD FS 2.0 Management" snap-in, click "Add Relying Party Trust..." to start the Add Relying Party Trust Wizard
- Choose "Import data about the relying party published online or on a local network" and enter the FMX federation metadata URL: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml
- Choose "Permit all users to access this relying party" (this lets every Active Directory account obtain a token for FMX; if only some users should have access, restrict it later through the relying party's Issuance Authorization Rules)
- Check "Open the Edit Transform Claim Rule dialog for this relying party trust when the wizard closes" and close the wizard
- Click "Add Rule..." to start the Add Transform Claim Rule Wizard
- Choose "Send LDAP Attributes as Claims"
- Choose "Active Directory" and map the following LDAP attributes to outgoing claim types.
- In the Outgoing Claim Type column either pick the short name from the drop-down or paste the claim type URL; each short name is the AD FS display name for the URL beside it. The asterisk marks Name ID as the required claim.

LDAP Attribute | Outgoing Claim Type
---|---
User-Principal-Name | * Name ID or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
E-Mail-Addresses | E-Mail Address or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Given-Name | Given Name or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Surname | Surname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Telephone-Number | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
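The same relying party trust and claim mapping, scripted for AD FS 2.0 PowerShell so it can be reviewed and repeated. This is an added example covering the Scenario 1 summary and the Scenario 2 wizard steps above; it is not FMX's or Microsoft's own code. Placeholders and assumptions: the FMX tenant "yourcompany", the display name "FMX", and the group SID in the restricted authorization rule. Run it in an elevated PowerShell on the AD FS 2.0 server; on Windows Server 2012 R2 and later the cmdlets live in the ADFS module that loads automatically, so the Add-PSSnapin line is unnecessary there.

```powershell
# Added example (not FMX's or Microsoft's code): register FMX as a relying party in
# AD FS 2.0 with the claim rules the wizard produces. Placeholders: "yourcompany",
# the display name "FMX", and the group SID in $permitGroup.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName      = "FMX"
$metadataUrl = "https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml"

# "Send LDAP Attributes as Claims" in claim rule language. The attributes in 'query'
# and the claim types in 'types' are matched positionally:
# userPrincipalName -> Name ID, mail -> E-Mail Address, givenName -> Given Name,
# sn -> Surname, telephoneNumber -> homephone.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "FMX user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone"),
    query = ";userPrincipalName,mail,givenName,sn,telephoneNumber;{0}",
    param = c.Value);
'@

# Issuance authorization. This is what the wizard's "Permit all users" option grants:
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Least-privilege alternative: only members of one AD group (placeholder SID) get a
# token for FMX; everyone else is refused by AD FS before anything reaches FMX.
$permitGroup = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of the FMX users group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-1111111111-2222222222-3333333333-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Import the FMX metadata (identifier, WS-Federation endpoint, encryption certificate)
# and keep it monitored so AD FS re-reads it when FMX changes it.
Add-ADFSRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $permitAll   # use $permitGroup instead to restrict access

# Confirm what was imported before sending your own metadata document to FMX.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, MonitoringEnabled, AutoUpdateEnabled, LastUpdateTime
```

The Identifier and WSFedEndpoint printed at the end come from the FMX metadata document, so if they are empty or point somewhere other than your FMX tenant, the metadata URL was wrong and the trust should be removed before going further.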
Completing integration
Provide your FMX Customer Success Manager with the federation metadata document that AD FS generates. You can find this document at the following URL:
https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml
Note that this document is different from the FMX metadata document used to add FMX as a relying party: it describes your AD FS server (its identifier, endpoints and token-signing certificate). If your AD FS metadata endpoint is reachable from the public internet (recommended), you can simply give FMX its URL. If your AD FS server is reachable only from your organization's internal network, you will need to send a copy of the document instead. Publishing the metadata endpoint exposes only public keys and endpoint addresses, not secrets, but it must be served over HTTPS with a certificate FMX can validate, because FMX will trust the token-signing certificate it reads from the document.
Considerations
The disadvantage of providing a copy of the metadata document rather than a URL is that the document contains your token-signing certificate, which expires (usually after one year; AD FS 2.0 rolls it over automatically by default), at which point you must send FMX a new copy. If the certificate expires or rolls over before FMX has the new copy, sign-in to FMX fails until it does. With a URL, FMX re-reads the document automatically and picks up a new certificate as soon as AD FS publishes it, so rollover is seamless.
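A check for the expiry problem described under Considerations (in both scenarios): the script below reads the AD FS federation metadata document and reports when each token-signing certificate it advertises expires, so you can tell whether a copy previously sent to FMX is still current, and then shows on the AD FS server itself whether automatic rollover is on. This is an added example, not FMX's code. Assumptions: the AD FS hostname is a placeholder, and the script is written for the PowerShell 2.0 that ships with Windows Server 2008 R2 (no Invoke-WebRequest); the last three lines must run on the AD FS server.

```powershell
# Added example (not FMX's code): report expiry of the token-signing certificates
# published in AD FS federation metadata. Placeholder hostname below.
function Get-FederationSigningCertificate {
    param([Parameter(Mandatory = $true)][string]$MetadataUrl)

    # The document is what FMX will trust, so never fetch it over plain HTTP.
    if (-not $MetadataUrl.StartsWith("https://", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Federation metadata must be fetched over HTTPS: $MetadataUrl"
    }

    # WebClient validates the server certificate; an untrusted AD FS cert fails here,
    # which is the same failure FMX would hit when fetching the URL.
    $client = New-Object System.Net.WebClient
    [xml]$metadata = $client.DownloadString($MetadataUrl)

    # Signing certs sit under KeyDescriptor[@use='signing'] in each role descriptor.
    # The ds:Signature over the document itself is deliberately not matched.
    $ns = @{
        md = "urn:oasis:names:tc:SAML:2.0:metadata"
        ds = "http://www.w3.org/2000/09/xmldsig#"
    }
    $seen = @{}
    Select-Xml -Xml $metadata -Namespace $ns `
        -XPath "//md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
    ForEach-Object {
        $der  = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        if (-not $seen.ContainsKey($cert.Thumbprint)) {   # the same cert appears in several roles
            $seen[$cert.Thumbprint] = $true
            $cert
        }
    }
}

# Placeholder hostname: replace with your AD FS server.
$url = "https://adfs.yourcompany.example/FederationMetadata/2007-06/FederationMetadata.xml"
foreach ($cert in Get-FederationSigningCertificate -MetadataUrl $url) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "{0}  {1}  expires {2:yyyy-MM-dd} ({3} days left)" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $daysLeft
    if ($daysLeft -le 30) {
        Write-Warning "Token-signing certificate $($cert.Thumbprint) expires in $daysLeft days; if FMX holds a copy of the document rather than the URL, send a fresh copy now."
    }
}

# On the AD FS server: is AD FS going to roll the certificate over by itself?
# (AutoCertificateRollover is on by default in AD FS 2.0 with a one-year CertificateDuration.)
# After rollover AD FS publishes the new certificate in the metadata, which a URL-based
# relying party picks up automatically and a file-based copy never sees.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Get-ADFSProperties | Select-Object AutoCertificateRollover, CertificateDuration, CertificateRolloverInterval
Get-ADFSCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint, @{ n = "NotAfter"; e = { $_.Certificate.NotAfter } }
```

If the metadata lists two signing certificates, AD FS is in the middle of a rollover: the secondary certificate is published before it is promoted to primary. That is exactly the window in which a relying party holding a stale copy of the document breaks, so a second thumbprint in the output is the cue to send FMX the new document (or, better, switch them to the URL).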
Optional next steps:
- See the separate article on how to configure AD FS to synchronize user access permissions.