This article assumes you've already configured Single Sign-On integration with FMX using Active Directory Federation Services (AD FS). Click here if you haven't yet configured Single Sign-On integration.

On-Prem Active Directory Federation Services (AD FS)

Synchronize user type:

1. Create an AD security group for each FMX user type. Use a naming convention that makes sense for your organization, such as:
   • "FMX User Type - FMX Administrator" for the "FMX Administrator" user type
   • "FMX User Type - Maintenance Tech" for the "Maintenance Tech" user type
2. Create an AD FS transform rule for each AD security group using the "Send Group Membership as a Claim" template. Follow this example for each user type:
   • Transform rule name: "Set user type to FMX Administrator"
   • User's group: "FMX User Type - FMX Administrator"
   • Outgoing claim type: http://schemas. gofmx.com/ws/2015/05/identity/ claims/usertypeid
   • Outgoing claim value: Enter the numeric identifier used by FMX for this user type. The identifier is exposed in the federation metadata document at: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml.
3. Assign users to the appropriate security group in AD. Note that a user can only be assigned to a single user type and multiple assignments will result in a server error when authenticating with FMX.

Synchronize building access:

• Create an AD security group for each FMX building. Use a naming convention that makes sense for your organization, such as:
  • "FMX Building - Sample Building 1" for the "Sample Building 1" building
  • "FMX Building - Sample Building 2" for the "Sample Building 2" building
• Create an AD FS transform rule using the "Send Claims Using a Custom Rule" template to clear a user's building access:
  • Transform rule name: "Clear building access"
  • Custom rule: "=> issue(Type = "http://schemas.gofmx.com/ws/ 2015/05/identity/claims/buildingaccess", Value = "{ AllBuildings: true, Access: 'Deny' }");"
• Create an AD FS transform rule for each AD security group using the "Send Group Membership as a Claim" template. This will grant a user building access if they are a member of the AD security group. Follow this example for each building:
  • Transform rule name: "Grant building access for Sample Building 1"
  • User's group: "FMX Building - Sample Building 1"
  • Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/buildingaccess
  • Outgoing claim value: "{ BuildingID: <value>, Access: 'Grant' }"
    • Replace "<value>" with the numeric identifier used by FMX for this building. The identifier is exposed in the federation metadata document at: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml.

Assign users to the appropriate security groups in AD. Note that a user can be assigned access to multiple buildings in FMX.

Synchronize transportation driver flag:

1. Create a single AD security group for transportation drivers. Use a naming convention that makes sense for your organization, such as:
• "FMX Transportation Driver"
2. Create an AD FS transform rule using the "Send Claims Using a Custom Rule" template to clear a user's transportation driver flag:
• Transform rule name: "Clear transportation driver flag"
• Custom rule: " => issue(Type = "http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive", Value = "");"
3. Create an AD FS transform rule using the "Send Group Membership as a Claim" template to enable a user's transportation driver flag if they are a member of the AD security group:
• Transform rule name: "Enable transportation driver flag"
• User's group: "FMX Transportation Driver"
• Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive
• Outgoing claim value: "True"
4. Assign appropriate users to this security group in AD.

 

Azure Active Directory (AAD)

Configure AAD for https://hostname.gofmx.com/login:

1. Create a new enterprise application through AAD.
2. Navigate to the new application then click on Single sign-on under the Manage heading.
3. Select the SAML single sign-on method.
4. Edit and save Basic SAML configuration:
5. Enter https://hostname.gofmx.com/ for Identifier (Entity ID).
6. Enter https://hostname.gofmx.com/login/saml2/callback for Reply URL (Assertion Consumer Service URL).
7. Edit User Attributes & Claims:
8. Add a new claim named urn:oid:0.9.2342.19200300.100.1.3 with source attribute user.mail.
9. Add a new claim named urn:oid:2.16.840.1.113730.3.1.241 with source attribute user.displayname.
10. (Optional) Add a new claim named urn:oid:2.5.4.20 with source attribute user.telephonenumber.
11. Add a group claim, checking Security groups.
12. Add a new claim named urndir:attribute-def:groups-mapping with source attribute of the mapping document generated following the instructions below titled Build the mapping document.
13. Reply to this email with the value of App Federation Metadata Url under the SAML Signing Certificate header.

Build the mapping document

1. Prepare a list of AAD group names and their object ID's to reference in step 3. Go to AAD > Groups > click Download groups.
   
   
2. Prepare a list of FMX building and user type names and their ID's to reference in step 3. Navigate to https://hostname.gofmx.com/login/saml2/metadata and find this data in the descriptions of the urndir:attribute-def:building-access and urndir:attribute-def:user-type-id attributes.
   
   
3. Use the prepared reference data to build a mapping document following the contextual documentation and sample data in the attached mapping document sample-groups-mapping.json. Be aware that there is a roughly 20k character limit on this document that's imposed by AAD.