What is single sign-on? What is involved in the integration?
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
FMX supports the WS-Federation and SAML 2.0 specifications for SSO with AAD. Users with an on-premises AD FS installation can integrate with FMX using these instructions.
Azure Active Directory (AAD)
Configure AAD for https://hostname.gofmx.com/login:
- Create a new enterprise application through AAD.
- Navigate to the new application, then click Single sign-on under the Manage heading.
- Select the SAML single sign-on method.
- Edit and save the Basic SAML Configuration:
  - Enter https://hostname.gofmx.com/ for Identifier (Entity ID).
  - Enter https://hostname.gofmx.com/login/saml2/callback for Reply URL (Assertion Consumer Service URL).
- Edit User Attributes & Claims:
  - Add a new claim named urn:oid:0.9.2342.19200300.100.1.3 with source attribute user.mail.
  - Add a new claim named urn:oid:2.16.840.1.1137126.96.36.199 with source attribute user.displayname.
  - (Optional) Add a new claim named urn:oid:188.8.131.52 with source attribute user.telephonenumber.
  - Add a group claim, checking Security groups.
  - Add a new claim named urndir:attribute-def:groups-mapping whose source attribute is the mapping document generated by following the instructions below, titled Build the mapping document.
- Reply to this email with the value of App Federation Metadata Url, found under the SAML Signing Certificate header.
Build the mapping document
1. Prepare a list of AAD group names and their object IDs to reference in step 3. Go to AAD > Groups and click Download groups.
2. Prepare a list of FMX building and user type names and their IDs to reference in step 3. Navigate to https://hostname.gofmx.com/login/saml2/metadata and find this data in the descriptions of the urndir:attribute-def:building-access and urndir:attribute-def:user-type-id attributes.
3. Use the prepared reference data to build a mapping document following the contextual documentation and sample data in the attached mapping document, sample-groups-mapping.json. Be aware that AAD imposes a limit of roughly 20k characters on this document.

Attachment: sample-groups-mapping.json (3 KB)
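As an added check (example code, not FMX's or Microsoft's), the script below decodes a SAMLResponse captured from a test login and confirms that the email, security group and groups-mapping attributes configured above actually arrive, and that the mapping document stays under the AAD character limit. It assumes the AAD default group claim name, which this page does not state, and a constructed, unsigned sample response stands in for a real one.

```python
# Added example, not FMX or Microsoft code: inspect a SAMLResponse for the
# claims the FMX integration expects. Signature checking is the SP's job.
import base64
import json
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"  # AAD default (assumed)
MAPPING_CLAIM = "urndir:attribute-def:groups-mapping"
MAPPING_LIMIT = 20_000  # approximate AAD limit stated above

def extract_attributes(saml_response_b64: str) -> dict:
    """Return {attribute name: [values]} from the response's AttributeStatement."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {
        a.get("Name"): [v.text or "" for v in a.findall(NS + "AttributeValue")]
        for a in root.iter(NS + "Attribute")
    }

def check_fmx_claims(attrs: dict) -> list:
    """Return a list of problems; an empty list means the claims look complete."""
    problems = []
    if not attrs.get(MAIL_OID):
        problems.append("missing email claim " + MAIL_OID)
    if not attrs.get(GROUPS_CLAIM):
        problems.append("missing security group claim")
    mapping = attrs.get(MAPPING_CLAIM, [""])[0]
    if not mapping:
        problems.append("missing " + MAPPING_CLAIM)
    else:
        if len(mapping) > MAPPING_LIMIT:
            problems.append(f"mapping document has {len(mapping)} chars, over ~{MAPPING_LIMIT}")
        try:
            json.loads(mapping)  # the mapping is shipped as JSON
        except ValueError as exc:
            problems.append(f"mapping document is not valid JSON: {exc}")
    return problems

# Constructed, unsigned sample response used only to exercise the checks.
def _attr(name: str, value: str) -> str:
    return f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'

SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>'
    + _attr(MAIL_OID, "jane@example.com")
    + _attr(GROUPS_CLAIM, "00000000-0000-0000-0000-000000000001")
    + _attr(MAPPING_CLAIM, '{"groups": []}')
    + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Run `check_fmx_claims(extract_attributes(SAMPLE_B64))` against a real captured response to see which configured claims are missing before contacting support.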