What is single sign-on? What is involved in the integration?
Single sign-on is a workflow that allows users within an organization to access their FMX site without entering a username or password. The user’s login information is automatically obtained from the organization’s internal network and passed through to FMX behind the scenes.
The integration consists of the organization’s IT department configuring their internal system to support the connection with FMX. Skip this if your company is not using the single sign-on integration. If your company has chosen to use the single sign-on integration, please read the directions below.
FMX supports the SAML 2.0 specification for single sign-on (SSO) integration. Please view the FAQ below for more information.
What configuration values are needed?
- SAML Consumer URL: https://hostname.gofmx.com/login/saml2/callback
- SAML Audience URL: https://hostname.gofmx.com/
Which user attributes must be included in the SAML assertion?
- FMX’s assertion attribute requirements are described in our metadata file, found here: https://hostname.gofmx.com/login/saml2/metadata
- Bare minimum requirements: Name (Display name OR Given Name and Surname) and email
Can FMX provide the public key for their encryption cert?
- FMX does not support token encryption yet, but the assertions are still encrypted in transmission by TLS. We don’t store assertions or hand them off to intermediate parties as they’re consumed immediately at our end of the TLS connection.
Which name ID formats does FMX support?
- Currently, we only support the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress name ID format.
When a customer attempts to log in with the SAML 2.0 button, they are redirected to a registration page.
- FMX shows the registration form when we don’t have the required fields needed to create an account. This can be resolved by providing assertions for given name and surname (which involves a configuration change on the customer's end).
Does the application support SCIM provisioning?
- FMX does not currently support SCIM provisioning.
Is there a failover URL to log in directly to the application in case of issues with SAML?
- Yes. Organizations may use a local login option that requires credentials created in FMX to authenticate.
How do I complete the integration with FMX?
- To complete the integration, we will need your metadata URL so that we can enable the single sign-on button on your FMX site.