What is single sign-on? What is involved in the integration?
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
FMX supports the WS-Federation and SAML 2.0 specifications for SSO with AAD. Users with an on-premises AD FS installation can integrate with FMX using these instructions.
Azure Active Directory (AAD)
Configure AAD for https://hostname.gofmx.com/login:
- Create a new enterprise application through AAD.
- Navigate to the new application then click on Single sign-on under the Manage heading.
- Select the SAML single sign-on method.
- Edit and save Basic SAML configuration:
  - Enter https://hostname.gofmx.com/ for Identifier (Entity ID).
  - Enter https://hostname.gofmx.com/login/saml2/callback for Reply URL (Assertion Consumer Service URL).
- Edit User Attributes & Claims:
  - Add a new claim named urn:oid:0.9.2342.19200300.100.1.3 with source attribute user.mail.
  - Add a new claim named urn:oid:2.16.840.1.113730.3.1.241 with source attribute user.displayname.
  - (Optional) Add a new claim named urn:oid:2.5.4.20 with source attribute user.telephonenumber.
- Grant user access under the Users and groups tab within the FMX application you created. We suggest adding an "all staff" security group. Only users and groups added here can sign in through SSO; users not listed here will receive an error.
- (Optional) Add a new claim named urn:fmx:dir:attribute-def:groups-mapping whose source attribute is the mapping document generated by following the instructions below, titled Build the mapping document.
- Reply to this email with the value of App Federation Metadata Url under the SAML Signing Certificate header.
Optional: Build the mapping document / Mapping Tool
- Prepare a list of AAD group names and their object IDs to reference in step 3. Go to AAD > Groups > click Download groups.
- Prepare a list of FMX building and user type names and their IDs to reference in step 3.
- Use the Mapping SSO Tool in your FMX site. (A member of our team will turn this feature on.)
  - To access the tool in your FMX site, go to the Admin Settings and then to the "SSO Groups Mapping" section at the top.
  - This tool allows you to map a user's external directory (e.g. Azure Active Directory) groups to FMX user types and building access. When a user signs on to FMX through SSO, the rules defined in the tool run in sequential order with input from the SSO token's groups claim. Rules that specify an IfMemberOf condition only run if the user is a member of the specified external directory group, as dictated by the groups claim in their SSO token.
  - Fill out the template with your IDs. If there is an error, a warning will appear indicating which line has the issue.
  - Click "Save" when you are done.
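As an added example (not FMX's or Microsoft's code), the following Python parses a constructed SAML Response, checks its Destination and Audience against the Reply URL and Entity ID configured above, confirms the mail and display-name claims are present, and then runs sequential group-mapping rules with IfMemberOf conditions as described. The groups claim URI, the rule tuple shape and the "later match overrides" behaviour are assumptions, since the page does not show the mapping document's format.

```python
import xml.etree.ElementTree as ET

# Values taken from the FMX/AAD instructions on this page.
ENTITY_ID = "https://hostname.gofmx.com/"
ACS_URL = "https://hostname.gofmx.com/login/saml2/callback"
CLAIM_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
CLAIM_DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
# Assumed: AAD's default groups claim name (the page names no URI for it).
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample Response; its signature is assumed verified upstream.
SAMPLE_RESPONSE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
  Destination="{ACS_URL}"><a:Assertion>
  <a:Conditions><a:AudienceRestriction><a:Audience>{ENTITY_ID}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
    <a:Attribute Name="{CLAIM_MAIL}"><a:AttributeValue>ada@example.com</a:AttributeValue></a:Attribute>
    <a:Attribute Name="{CLAIM_DISPLAY_NAME}"><a:AttributeValue>Ada</a:AttributeValue></a:Attribute>
    <a:Attribute Name="{CLAIM_GROUPS}">
      <a:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</a:AttributeValue>
      <a:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</a:AttributeValue>
    </a:Attribute>
  </a:AttributeStatement></a:Assertion></p:Response>"""

def parse_assertion(xml_text):
    """Return (destination, audience, {claim_name: [values]}) from a SAML Response."""
    root = ET.fromstring(xml_text)
    audience = root.findtext(".//a:Audience", namespaces=NS)
    claims = {}
    for attr in root.findall(".//a:AttributeStatement/a:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("a:AttributeValue", NS)]
    return root.get("Destination"), audience, claims

def validate(destination, audience, claims):
    """Reject a response aimed at another service provider or missing required claims."""
    errors = []
    if destination != ACS_URL: errors.append("Destination != Reply URL")
    if audience != ENTITY_ID: errors.append("Audience != Identifier (Entity ID)")
    for name in (CLAIM_MAIL, CLAIM_DISPLAY_NAME):
        if not claims.get(name): errors.append(f"missing claim {name}")
    return errors

# Hypothetical rule shape: (if_member_of group object ID or None, user_type, buildings).
RULES = [(None, "Requester", ["Main Campus"]),
         ("11111111-aaaa-4bbb-8ccc-000000000002", "Technician", ["Main Campus", "Annex"])]

def apply_mapping(groups, rules=RULES):
    """Run rules in order; an IfMemberOf rule applies only if the user is in that group."""
    user_type, buildings = None, []
    for if_member_of, new_type, new_buildings in rules:
        if if_member_of is None or if_member_of in groups:
            user_type, buildings = new_type, new_buildings  # assumed: later match wins
    return user_type, buildings
```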
Finish set up
- Once you have everything configured, send an email to your FMX Customer Success Manager to complete the integration.