FMX Single Sign-On for SAML 2.0 FAQ

This document provides answers to frequently asked questions about FMX Single Sign-On (SSO) using SAML 2.0 for FMX customers.

1. What is SAML 2.0 SSO?

SAML 2.0 (Security Assertion Markup Language) is a standard protocol that allows users to log in to FMX using credentials from a trusted Identity Provider (IdP) like Azure, Okta, OneLogin, Google Workspace, ClassLink, or RapidIdentity. SSO simplifies authentication and improves security by centralizing login management.

2. Which Identity Providers are supported?

FMX supports SAML 2.0 SSO with the following IdPs:

• Okta
• Azure
• OneLogin
• Google Workspace (G Suite)
• ClassLink
• RapidIdentity

Other SAML 2.0–compliant IdPs may also work, but FMX testing and support are primarily for the above.

3. What FMX information is required to configure SAML 2.0?

The following values are typically required by your IdP:

• Entity ID / Audience: https://<your-fmx-hostname>/
• Assertion Consumer Service (ACS) / Reply URL: https://<your-fmx-hostname>/login/saml2/callback
• Recipient URL: https://<your-fmx-hostname>/login/saml2/callback

Note: FMX only requires the IdP Metadata URL once configured to complete the SSO setup.

4. Does FMX handle user provisioning?

No. FMX SSO integration covers authentication only. User provisioning and account management must be handled in your IdP and/or FMX separately.

SCIM Provisioning

FMX does not currently support SCIM provisioning.

5. How do I assign users to FMX in my IdP?

Assign users or groups to the FMX SAML application in your IdP dashboard. Only users assigned to the application will be able to log in via SSO.

6. Which user attributes must be included in the SAML assertion?

FMX’s assertion attribute requirements are described in our metadata file, found here:

• https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml

Bare Minimum Requirements:

• Name: Display Name OR Given Name and Surname
• Email: User Email (used as the unique identifier)

Additional attributes like firstName and lastName are recommended to enhance user profiles in FMX but are not strictly required.

7. Which NameID formats does FMX support?

FMX currently supports only the following NameID format:

• urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

8. Can FMX provide the public key for encryption?

FMX does not support token encryption yet. Assertions are transmitted securely using TLS, are consumed immediately on our end, and are not stored or shared with intermediate parties.

9. When a user is redirected to the registration page after SAML login

FMX shows the registration form when required fields are missing to create a new account. To avoid this, ensure that the SAML assertion includes both given name and surname attributes. This requires configuration changes on the customer’s IdP.

10. Is there a failover login option in case of SAML issues?

Yes. Organizations may use a local FMX login option, which requires credentials created in FMX to authenticate.

11. How do I complete the integration with FMX?

To complete the integration, provide your IdP Metadata URL to FMX Support so we can enable the SSO button on your FMX site.

12. How do I test SSO before rolling it out to all users?

Recommended test steps:

1. Assign a small set of test users to the FMX application in your IdP
2. IdP-initiated login: Launch FMX directly from your IdP’s application portal
3. SP-initiated login: Log in from the FMX login page using the SSO option
4. Verify login, attributes, and access

13. What are common errors and how do I troubleshoot?

• Invalid Audience / Entity ID: Verify the Entity ID matches exactly with FMX
• User not found: Confirm the email in the SAML assertion matches the FMX user email
• Signature validation errors: Ensure the correct IdP Metadata URL is used and that assertions are signed if required

14. Can multiple IdPs be used for one FMX tenant?

FMX supports one IdP configuration per tenant for SAML 2.0 SSO. Multiple IdPs would require separate FMX tenants or custom solutions.

15. Where can I find setup guides for specific IdPs?

FMX provides step-by-step SSO setup guides for supported IdPs:

• Okta SSO Setup Guide for FMX
• Azure SSO Setup Guide
• OneLogin SSO Setup Guide for FMX
• FMX Single Sign-On for Google Apps
• ClassLink SSO Setup Guide for FMX
• Single Sign-On For RapidIdentity

These guides provide exact FMX SAML values and instructions for connecting your IdP.

16. Need additional help?

If you need assistance with your SSO setup, contact FMX Support with the following information:

• Your FMX tenant URL
• IdP Metadata URL
• Any error messages or screenshots

Once configured, users can securely access FMX using SAML 2.0 Single Sign-On from your Identity Provider.