This article assumes you have already configured Single Sign-On integration with FMX using Active Directory Federation Services (AD FS). Configure Single Sign-On integration first if you have not yet done so.
On-Prem Active Directory Federation Services (AD FS)
Synchronize user type:
- Create an AD security group for each FMX user type. Use a naming convention that makes sense for your organization, such as:
- "FMX User Type - FMX Administrator" for the "FMX Administrator" user type
- "FMX User Type - Maintenance Tech" for the "Maintenance Tech" user type
- Create an AD FS transform rule for each AD security group using the "Send Group Membership as a Claim" template. Follow this example for each user type:
- Transform rule name: "Set user type to FMX Administrator"
- User's group: "FMX User Type - FMX Administrator"
- Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/usertypeid
- Outgoing claim value: Enter the numeric identifier used by FMX for this user type. The identifier is exposed in the federation metadata document at: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml.
- Assign users to the appropriate security group in AD. A user must belong to exactly one user type group: each matching group rule issues its own usertypeid claim, and a user who receives more than one will get a server error when authenticating with FMX.
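Because a user in two user type groups fails at sign-in, it is worth auditing group membership before rolling the rules out. The following script is an added example, not part of the FMX article; it assumes the RSAT ActiveDirectory module and the "FMX User Type - " naming prefix used above, and it resolves nested membership because AD FS does the same when it builds the token's group SIDs.

```powershell
# Added check (not from the FMX article): list AD users that are members of more than
# one "FMX User Type - *" group. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$prefix = "FMX User Type - "   # assumption: the naming convention suggested in the article

# Every group whose name starts with the prefix (AD filter syntax).
$groups = Get-ADGroup -Filter "Name -like '$prefix*'"

# Map each user's distinguished name to the user type groups it belongs to.
$membership = @{}
foreach ($g in $groups) {
    # -Recursive so nested membership, which AD FS also resolves into group SIDs, is counted.
    $members = Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        if (-not $membership.ContainsKey($m.distinguishedName)) {
            $membership[$m.distinguishedName] = New-Object System.Collections.Generic.List[string]
        }
        $membership[$m.distinguishedName].Add($g.Name)
    }
}

$conflicts = $membership.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($conflicts) {
    Write-Warning "Users assigned to more than one FMX user type (these will fail to sign in):"
    foreach ($c in $conflicts) {
        "{0}`n    {1}" -f $c.Key, ($c.Value -join "`n    ")
    }
    exit 1
}
"No user is a member of more than one FMX user type group."
```

Run it from a workstation or server with the AD PowerShell tools; a non-zero exit code makes it usable as a pre-change gate in whatever script applies the claim rules.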
Synchronize building access:
- Create an AD security group for each FMX building. Use a naming convention that makes sense for your organization, such as:
- "FMX Building - Sample Building 1" for the "Sample Building 1" building
- "FMX Building - Sample Building 2" for the "Sample Building 2" building
- Create an AD FS transform rule using the "Send Claims Using a Custom Rule" template to clear a user's building access. AD FS issues claims in rule order, so keep this rule ahead of the per-building grant rules below so that the Deny claim is issued first:
- Transform rule name: "Clear building access"
- Custom rule: => issue(Type = "http://schemas.gofmx.com/ws/2015/05/identity/claims/buildingaccess", Value = "{ AllBuildings: true, Access: 'Deny' }");
- Create an AD FS transform rule for each AD security group using the "Send Group Membership as a Claim" template. This will grant a user building access if they are a member of the AD security group. Follow this example for each building:
- Transform rule name: "Grant building access for Sample Building 1"
- User's group: "FMX Building - Sample Building 1"
- Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/buildingaccess
- Outgoing claim value: "{ BuildingID: <value>, Access: 'Grant' }"
- Replace "<value>" with the numeric identifier used by FMX for this building. The identifier is exposed in the federation metadata document at: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml.
- Assign users to the appropriate security groups in AD. Note that a user can be assigned access to multiple buildings in FMX.
Synchronize transportation driver flag:
- Create a single AD security group for transportation drivers. Use a naming convention that makes sense for your organization, such as:
- "FMX Transportation Driver"
- Create an AD FS transform rule using the "Send Claims Using a Custom Rule" template to clear a user's transportation driver flag:
- Transform rule name: "Clear transportation driver flag"
- Custom rule: => issue(Type = "http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive", Value = "");
- Create an AD FS transform rule using the "Send Group Membership as a Claim" template to enable a user's transportation driver flag if they are a member of the AD security group:
- Transform rule name: "Enable transportation driver flag"
- User's group: "FMX Transportation Driver"
- Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive
- Outgoing claim value: "True"
- Assign appropriate users to this security group in AD.
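The three procedures above (user type, building access, transportation driver flag) can be applied in one pass from the primary AD FS server instead of clicking through the wizard for each group. The script below is an added example and is not FMX's or Microsoft's code. It assumes the relying party trust is named "FMX", that the AD groups follow the naming conventions above, and that the numeric user type and building IDs (placeholders here) have been read from the federation metadata document. The rule text it emits for group rules is the same shape the "Send Group Membership as a Claim" template produces: match the group's SID among the incoming groupsid claims, then issue the outgoing claim.

```powershell
# Added example (not FMX's or Microsoft's code): build the FMX claim rules and apply
# them to the relying party trust while keeping the rules already configured.
Import-Module ActiveDirectory
Import-Module ADFS

$rpName       = "FMX"   # assumption: display name of the FMX relying party trust
$ns           = "http://schemas.gofmx.com/ws/2015/05/identity/claims"
$groupSidType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"

# Placeholder IDs. Read the real values from
# https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml
$userTypes = @{ "FMX Administrator" = 1;   "Maintenance Tech"  = 2 }
$buildings = @{ "Sample Building 1" = 101; "Sample Building 2" = 102 }

# Group rule: same text the "Send Group Membership as a Claim" template generates.
function New-GroupClaimRule([string]$Name, [string]$GroupName, [string]$ClaimType, [string]$Value) {
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
@"
@RuleName = "$Name"
c:[Type == "$groupSidType", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$ClaimType", Value = "$Value", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

"@
}

# Unconditional rule: what the "Send Claims Using a Custom Rule" template holds.
function New-StaticClaimRule([string]$Name, [string]$ClaimType, [string]$Value) {
@"
@RuleName = "$Name"
 => issue(Type = "$ClaimType", Value = "$Value");

"@
}

$rules = ""
foreach ($t in $userTypes.GetEnumerator()) {
    $rules += New-GroupClaimRule "Set user type to $($t.Key)" "FMX User Type - $($t.Key)" "$ns/usertypeid" $t.Value
}
# Order matters: the Deny-all claim must be issued before any per-building Grant.
$rules += New-StaticClaimRule "Clear building access" "$ns/buildingaccess" "{ AllBuildings: true, Access: 'Deny' }"
foreach ($b in $buildings.GetEnumerator()) {
    $rules += New-GroupClaimRule "Grant building access for $($b.Key)" "FMX Building - $($b.Key)" "$ns/buildingaccess" "{ BuildingID: $($b.Value), Access: 'Grant' }"
}
# Same pattern for the driver flag: clear first, then enable for group members.
$rules += New-StaticClaimRule "Clear transportation driver flag" "$ns/candrive" ""
$rules += New-GroupClaimRule "Enable transportation driver flag" "FMX Transportation Driver" "$ns/candrive" "True"

# -IssuanceTransformRules replaces the entire rule set, so keep the existing rules
# (the identity claims from the initial SSO setup) in front of the new ones.
$existing = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`n" + $rules)

# Verify: show the rule set AD FS now holds for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Check the printed rule set in the AD FS console afterwards: the existing identity rules should still be first, followed by the user type rules, then "Clear building access" before every "Grant building access" rule, then the two candrive rules.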
Azure Active Directory (AAD)
Configure AAD for https://hostname.gofmx.com/login:
- Create a new enterprise application through AAD.
- Navigate to the new application then click on Single sign-on under the Manage heading.
- Select the SAML single sign-on method.
- Edit and save Basic SAML configuration:
- Enter https://hostname.gofmx.com/ for Identifier (Entity ID).
- Enter https://hostname.gofmx.com/login/saml2/callback for Reply URL (Assertion Consumer Service URL).
- Edit User Attributes & Claims:
- Add a new claim named urn:oid:0.9.2342.19200300.100.1.3 with source attribute user.mail.
- Add a new claim named urn:oid:2.16.840.1.113730.3.1.241 with source attribute user.displayname.
- (Optional) Add a new claim named urn:oid:2.5.4.20 with source attribute user.telephonenumber.
- Add a group claim, checking Security groups.
- Add a new claim named urndir:attribute-def:groups-mapping whose value is the mapping document built under Build the mapping document below.
- Send FMX the value of App Federation Metadata Url, shown under the SAML Signing Certificate header.
Build the mapping document
- Prepare a list of AAD group names and their object IDs to reference in step 3. In AAD, go to Groups and click Download groups.
- Prepare a list of FMX building and user type names and their IDs to reference in step 3. Open https://hostname.gofmx.com/login/saml2/metadata and find this data in the descriptions of the urndir:attribute-def:building-access and urndir:attribute-def:user-type-id attributes.
- Use the prepared reference data to build a mapping document following the contextual documentation and sample data in the attached sample-groups-mapping.json. Be aware that AAD imposes a limit of roughly 20,000 characters on this document.
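Two things go wrong with the mapping document in practice: it grows past the AAD character limit, and it references a group object ID that was mistyped or whose group was later deleted. The script below is an added check, not part of the FMX article, and makes no assumption about the layout of either file: it matches group object IDs by GUID pattern, so it works with whatever structure sample-groups-mapping.json prescribes. The file names and the 20,000 figure are assumptions.

```powershell
# Added check (not FMX's or Microsoft's code): validate a groups-mapping document
# before pasting it into the urndir:attribute-def:groups-mapping claim.
param(
    [string]$MappingPath      = ".\groups-mapping.json",  # assumption: built from sample-groups-mapping.json
    [string]$GroupsExportPath = ".\groups.csv",           # assumption: output of AAD > Groups > Download groups
    [int]$CharLimit           = 20000                     # the roughly 20k limit the article describes
)

$guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

$mapping = Get-Content -Raw -Path $MappingPath
# Must still be valid JSON: a truncated paste is the usual failure mode. Throws if not.
$parsed = $mapping | ConvertFrom-Json

$size = $mapping.Length
if ($size -gt $CharLimit) {
    Write-Warning ("Mapping is {0} characters, over the {1} limit." -f $size, $CharLimit)
} else {
    "Mapping is $size characters ($($CharLimit - $size) to spare)."
}

# Whitespace counts toward the limit; show how much a compact serialization would save.
$compact = $parsed | ConvertTo-Json -Depth 20 -Compress
"Compact form would be $($compact.Length) characters."

# Every GUID in the mapping must be a group object ID present in the AAD export.
$referenced = [regex]::Matches($mapping, $guidPattern) | ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique
$exportText = Get-Content -Raw -Path $GroupsExportPath
$known      = [regex]::Matches($exportText, $guidPattern) | ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique

$missing = $referenced | Where-Object { $known -notcontains $_ }
if ($missing) {
    Write-Warning "Group object IDs in the mapping that do not appear in the AAD export:"
    $missing
    exit 1
}
"All $($referenced.Count) referenced group object IDs exist in the AAD export."
```

If the compact form fits comfortably under the limit while the pretty-printed one does not, paste the compact form into the claim; the content is identical.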