FMX Single Sign-On for SAML 2.0 FAQ

What is single sign-on? What is involved in the integration?

Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.

FMX supports identity providers (IdPs) that uses the SAML 2.0 specification for SSO. This includes IdPs such as Okta or OneLogin. Please view the FAQ below for more information.

What configuration values are needed?

• SAML Consumer URL:  https://hostname.gofmx.com/login/saml2/callback  

• SAML Audience URL: https://hostname.gofmx.com/ 

Which user attributes must be included in the SAML assertion?

• FMX’s assertion attribute requirements are described in our metadata file, found here: https://hostname.gofmx.com/login/saml2/metadata
• Bare minimum requirements: Name (Display name OR Given Name and Surname) and email

Can FMX provide the public key for their encryption cert?

• FMX does not support token encryption yet, but the assertions are still encrypted in transmission by TLS. We don’t store assertions or hand them off to intermediate parties as they’re consumed immediately at our end of the TLS connection.

Which name ID formats does FMX support?

• Currently, we only support the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress name ID format.

When a customer attempts to log in with the SAML 2.0 button, they are redirected to a registration page.

• FMX shows the registration form when we don’t have the required fields needed to create an account. This can be resolved by providing assertions for given name and surname (which involves a configuration change on the customer's end).

How do I complete the integration with FMX?

• To complete the integration, we will need your metadata URL so that we can enable the single sign-on button on your FMX site.