Single Sign-On for Azure Active Directory (AAD)

What is single sign-on? What is involved in the integration?

Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. You must be signed into the Microsoft Entra admin center as at least a Cloud Application Administrator to complete the following steps.

Step 1: Create the FMX Application in Azure AD

1. Sign in to Azure AD.

2. Navigate to Enterprise Applications.

3. Select New Application located at the top of the page.

4. Name the application (for example, “FMX”) and create it.

Step 2: Configure SAML Single Sign-On

1. Open the FMX application in Azure AD.

2. Navigate to Single Sign-On.

3. Select SAML as the sign-on method.

4. Edit the Basic SAML Configuration and enter the following values:

• Identifier (Entity ID):
  https://hostname.gofmx.com/

• Reply URL / Assertion Consumer Service (ACS):
  https://hostname.gofmx.com/login/saml2/callback

• Sign-on URL:
  Leave this field blank

Replace hostname with your FMX tenant hostname. Leaving the sign-on URL blank helps prevent login issues.

Save the configuration.

Step 3: Configure User Attributes & Claims

Add the following claims under User Attributes & Claims per the Microsoft document:

On the Attributes & Claims page, select Add new claim. Enter the Claim Name. Next to Source select Attribute. Then use the drop-down list to select the below corresponding attribute.

• Email Address Claim
  Claim name: urn:oid:0.9.2342.19200300.100.1.3
  Source attribute: user.mail

• Display Name Claim
  Claim name: urn:oid:2.16.840.1.113730.3.1.241
  Source attribute: user.displayname

• Phone Number Claim (Optional)
  Claim name: urn:oid:2.5.4.20
  Source attribute: user.telephonenumber

Save your changes.

Step 4: Assign Users to the Application

1. Navigate to Users and Groups within the FMX application.

2. Assign the users or security groups that should be allowed to log in using SSO.

Only users assigned here will be able to authenticate. Unassigned users will receive an error.

Step 5: Complete the Integration

1. Locate the App Federation Metadata URL in the SAML Signing Certificate section of Azure AD.

2. Send this metadata URL to your FMX Customer Success Manager.

3. FMX Support will complete the final steps to enable SSO on your site.
   
   
   Optional: Azure AD Group Claims and Mappings
   Organizations that wish to configure Azure AD claim rules and group mappings can reference the following support article. This configuration is optional and managed by each organization’s IT team. It does not affect the core functionality of Single Sign-On, but can be used to automate FMX user type assignments and building access.