What is single sign-on? What is involved in the integration?
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
FMX supports the WS-Federation and SAML 2.0 specifications for SSO with AAD. Users with an on-premises AD FS installation can integrate with FMX using these instructions.
Azure Active Directory (AAD)
Configure AAD for https://hostname.gofmx.com/login:
- Create a new enterprise application through AAD.
- Navigate to the new application, then click Single sign-on under the Manage heading.
- Select the SAML single sign-on method.
- Edit and save Basic SAML Configuration:
  - Enter https://hostname.gofmx.com/ for Identifier (Entity ID).
  - Enter https://hostname.gofmx.com/login/saml2/callback for Reply URL (Assertion Consumer Service URL).
- Edit User Attributes & Claims:
  - Add a new claim named urn:oid:0.9.2342.19200300.100.1.3 with source attribute user.mail.
  - Add a new claim named urn:oid:2.16.840.1.113730.3.1.241 with source attribute user.displayname.
  - (Optional) Add a new claim named urn:oid:2.5.4.20 with source attribute user.telephonenumber.
- Grant user access under the Users and groups tab within the FMX application you created. We suggest adding an "all staff" security group. Only users added here can sign in through SSO; users not listed here will receive an error.
- (Optional) Add a new claim named urn:fmx:dir:attribute-def:groups-mapping whose source attribute is the mapping document generated by following the instructions below under Build the mapping document.
- Reply to this email with the value of App Federation Metadata Url under the SAML Signing Certificate header.
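As an added example (not code from FMX or Microsoft), the following script checks that a SAML assertion carries the claim names and endpoint values configured above, which is the check the service provider side must make before trusting the assertion. It assumes the assertion's XML signature has already been verified and uses a constructed sample assertion.

```python
# Added example (not FMX's or Microsoft's code): checks that a SAML 2.0 assertion
# carries the claims/addresses configured above; signature checking is not shown.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://hostname.gofmx.com/"                    # Identifier (Entity ID)
ACS_URL = "https://hostname.gofmx.com/login/saml2/callback"  # Reply URL (ACS URL)
CLAIMS = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.20": "telephoneNumber",                        # optional
    "urn:fmx:dir:attribute-def:groups-mapping": "groupsMapping",  # optional
}
REQUIRED = ("mail", "displayName")

def check_assertion(xml_text):
    """Return (problems, claims): mismatches against the configured values,
    and the recognised claim values found in the AttributeStatement."""
    root = ET.fromstring(xml_text)
    problems = []
    # Audience must equal the Entity ID; Recipient must equal the ACS URL.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"audience {audiences} does not include {ENTITY_ID}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient does not match the ACS URL")
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        label = CLAIMS.get(attr.get("Name"))
        if label:
            values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
            claims[label] = values[0] if len(values) == 1 else values
    for label in REQUIRED:
        if label not in claims:
            problems.append(f"missing required claim {label}")
    return problems, claims

# Constructed sample assertion (not a captured message) with the two required claims.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://hostname.gofmx.com/login/saml2/callback"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://hostname.gofmx.com/</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

Running `check_assertion(SAMPLE)` returns no problems and the two required claim values; an assertion whose Audience or Recipient points elsewhere, or that lacks the mail or display name claim, is reported instead.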
Optional: Build the mapping document
1. Prepare a list of AAD group names and their object IDs to reference in step 3: go to AAD > Groups and click Download groups.
2. Prepare a list of FMX building and user type names and their IDs to reference in step 3: navigate to https://hostname.gofmx.com/login/saml2/metadata and find this data in the descriptions of the urn:fmx:dir:attribute-def:building-access and urn:fmx:dir:attribute-def:user-type-id attributes.
3. Use the prepared reference data to build a mapping document following the contextual documentation and sample data in the attached mapping document new-sample-groups-mapping.json. Be aware that AAD imposes a limit of roughly 20k characters on this document.
Finish setup
- Once you have everything configured, send an email to your FMX Customer Success Manager to complete the integration.