What is single sign-on? What is involved in the integration?
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
FMX supports the WS-Federation and SAML 2.0 specifications for SSO with AAD. Users with an on-premises AD FS installation can integrate with FMX using these instructions.
Azure Active Directory (AAD)
Configure AAD for https://hostname.gofmx.com/login:
- Create a new enterprise application through AAD.
- Navigate to the new application then click on Single sign-on under the Manage heading.
- Select the SAML single sign-on method.
- Edit and save Basic SAML configuration:
  - Enter https://hostname.gofmx.com/ for Identifier (Entity ID).
  - Enter https://hostname.gofmx.com/login/saml2/callback for Reply URL (Assertion Consumer Service URL).
- Edit User Attributes & Claims:
  - Add a new claim named urn:oid:0.9.2342.19200300.100.1.3 with source attribute user.mail.
  - Add a new claim named urn:oid:2.16.840.1.113730.3.1.241 with source attribute user.displayname.
  - (Optional) Add a new claim named urn:oid:2.5.4.20 with source attribute user.telephonenumber.
  - Add a group claim, checking Security groups.
- Grant user access from the Users and groups tab within the FMX application you created. We suggest adding an "all staff" security group. Those added here will have access to SSO; users not listed here will receive an error.
- (Optional) Add a new claim named urndir:attribute-def:groups-mapping whose source attribute is the mapping document generated by following the instructions below, titled Build the mapping document.
- Reply to this email with the value of App Federation Metadata Url under the SAML Signing Certificate header.
Build the mapping document
- Prepare a list of AAD group names and their object IDs to reference in step 3. Go to AAD > Groups > click Download groups.
- Prepare a list of FMX building and user type names and their IDs to reference in step 3. Navigate to https://hostname.gofmx.com/login/saml2/metadata and find this data in the descriptions of the urndir:attribute-def:building-access and urndir:attribute-def:user-type-id attributes.
- Use the prepared reference data to build a mapping document, following the contextual documentation and sample data in the attached mapping document new-sample-groups-mapping.json. Be aware that AAD imposes a roughly 20k character limit on this document.
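As an added example (not FMX's own code and not the attached sample file), the sanity checks worth running before pasting the mapping document into the claim: it assumes a hypothetical mapping shape, since the real new-sample-groups-mapping.json is not reproduced here, and checks every group ID against the AAD export, every building and user type ID against the lists read from the metadata, and the compact serialized size against the roughly 20k character AAD limit.

```python
import json
from typing import Any

# Limit stated in the article: AAD allows roughly 20k characters for this document.
AAD_CLAIM_CHAR_LIMIT = 20_000

# Constructed sample data: the AAD group export (object ID -> name) and the FMX
# building / user type IDs that would be read from the /login/saml2/metadata descriptions.
AAD_GROUPS = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "All Staff",
    "11111111-aaaa-4bbb-8ccc-000000000002": "Facilities Team",
}
FMX_BUILDING_IDS = {101, 102, 103}
FMX_USER_TYPE_IDS = {1, 2}

# HYPOTHETICAL mapping shape (assumed for this example, not FMX's documented format):
# one entry per AAD group, naming the FMX building IDs and user type ID it grants.
SAMPLE_MAPPING = [
    {"groupId": "11111111-aaaa-4bbb-8ccc-000000000001", "buildingIds": [101, 102], "userTypeId": 1},
    {"groupId": "11111111-aaaa-4bbb-8ccc-000000000002", "buildingIds": [103], "userTypeId": 2},
]

def compact_json(doc: Any) -> str:
    """Serialize without whitespace: the AAD limit counts characters, so indentation is wasted budget."""
    return json.dumps(doc, separators=(",", ":"), sort_keys=True)

def validate_mapping(mapping, aad_groups, building_ids, user_type_ids, limit=AAD_CLAIM_CHAR_LIMIT):
    """Return a list of problems; an empty list means every ID resolves and the document fits the limit."""
    problems = []
    seen = set()
    for i, entry in enumerate(mapping):
        gid = entry.get("groupId")
        if gid not in aad_groups:
            problems.append(f"entry {i}: unknown AAD group object ID {gid!r}")
        if gid in seen:
            problems.append(f"entry {i}: duplicate mapping for group {gid!r}")
        seen.add(gid)
        for b in entry.get("buildingIds", []):
            if b not in building_ids:
                problems.append(f"entry {i}: unknown FMX building ID {b!r}")
        if entry.get("userTypeId") not in user_type_ids:
            problems.append(f"entry {i}: unknown FMX user type ID {entry.get('userTypeId')!r}")
    size = len(compact_json(mapping))
    if size > limit:
        problems.append(f"document is {size} characters, over the ~{limit} character AAD limit")
    return problems

if __name__ == "__main__":
    for line in validate_mapping(SAMPLE_MAPPING, AAD_GROUPS, FMX_BUILDING_IDS, FMX_USER_TYPE_IDS) or ["OK"]:
        print(line)
```

Run it against the real group export and metadata-derived ID lists once the shape is adjusted to the attached sample; a stale group object ID or an oversized document fails silently at the AAD side otherwise.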