What is single sign-on? What is involved in the integration?
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
FMX supports identity providers (IdPs) that use the SAML 2.0 specification for SSO. Because many different IdPs support SAML 2.0, FMX cannot provide specific instructions for each one.
The most common IdPs FMX customers utilize are:
If your organization does not use one of the common IdPs above, please use these FAQs as a guide. FMX asks that your organization attempt to configure SSO using the configuration values provided below. If the SSO connection is unsuccessful after you send us your metadata, we will work with you to troubleshoot and resolve any issues.
What configuration values are needed?
In each value below, replace hostname with your organization's FMX hostname (the gofmx.com subdomain you log in at) and keep the rest exactly as shown, including the trailing slash on the Audience and Entity ID values.
- Audience: https://hostname.gofmx.com/
- Recipient: https://hostname.gofmx.com/login/saml2/callback
- ACS (Consumer) URL Validator: ^https:\/\/hostname\.gofmx\.com\/login\/saml2\/callback$
- ACS (Consumer) URL: https://hostname.gofmx.com/login/saml2/callback
- Identifier (Entity ID): https://hostname.gofmx.com/
- Reply URL (Assertion Consumer Service URL): https://hostname.gofmx.com/login/saml2/callback
Which user attributes must be included in the SAML assertion?
- FMX’s assertion attribute requirements are described in our metadata file, found here: https://hostname.gofmx.com/login/saml2/metadata
- Bare minimum requirements: Name (Display name OR Given Name and Surname) and email
Can FMX provide the public key for their encryption cert?
- FMX does not yet support assertion (token) encryption, so leave assertion encryption disabled in your IdP; an assertion encrypted to a key FMX does not hold cannot be consumed. Assertions are still protected in transit by TLS. FMX does not store assertions or hand them off to intermediate parties; they are consumed immediately at FMX's end of the TLS connection.
Which name ID formats does FMX support?
- Currently, we only support the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress name ID format.
When a customer attempts to log in with the SAML 2.0 button, they are redirected to a registration page.
- FMX shows the registration form when the assertion does not carry the fields needed to create an account. Resolve this by adding the given name and surname attributes to the assertion, which is a configuration change on the customer's IdP.
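To catch these mistakes before sending FMX your metadata, the following added example (not FMX's code) checks a SAML Response against the values and requirements listed above: the Audience, the Destination and Recipient against the ACS URL and validator regex, the emailAddress NameID format, and the minimum attributes (email plus either a display name or given name and surname). The hostname `example`, the attribute names, and the constructed sample messages are assumptions; FMX's metadata file lists the exact attribute names it expects. The script does not verify the XML signature (use a SAML library such as python3-saml for that); it only inspects assertion content.

```python
"""Pre-flight check of a SAML 2.0 Response against the FMX SP values above.

Added example, not FMX's code. It does NOT verify the XML signature; it only
checks that the assertion content an IdP would send matches what the FAQ
describes, so a misconfiguration can be spotted before the metadata exchange.
"""
import re
import xml.etree.ElementTree as ET

HOSTNAME = "example"  # assumption: replace with your organization's FMX hostname
AUDIENCE = f"https://{HOSTNAME}.gofmx.com/"                     # Audience / Entity ID
ACS_URL = f"https://{HOSTNAME}.gofmx.com/login/saml2/callback"  # Recipient / ACS / Reply URL
ACS_VALIDATOR = re.compile(
    rf"^https:\/\/{re.escape(HOSTNAME)}\.gofmx\.com\/login\/saml2\/callback$")
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names are placeholders; FMX's metadata file lists the exact names it expects.
ATTR_NAMES = {"email": "email", "display": "displayName",
              "given": "givenName", "surname": "surname"}


def build_response(audience=AUDIENCE, recipient=ACS_URL,
                   nameid_format=NAMEID_EMAIL, attrs=None):
    """Constructed, unsigned sample Response (not a real IdP message) for testing."""
    if attrs is None:
        attrs = {"email": "alice@example.com", "givenName": "Alice", "surname": "Smith"}
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        f'</saml:Attribute>' for n, v in attrs.items())
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Destination="{recipient}">'
        f'<saml:Assertion><saml:Subject>'
        f'<saml:NameID Format="{nameid_format}">alice@example.com</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
        f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        f'</saml:Assertion></samlp:Response>')


def check_response(response_xml, attr_names=ATTR_NAMES):
    """Return a list of problems; an empty list means the assertion matches the FAQ."""
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response contains no Assertion"]

    # Audience must equal FMX's Entity ID, trailing slash included (exact string match).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not contain {AUDIENCE}")

    # Destination and Recipient must both be the ACS URL and pass the validator regex.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    for label, url in (("Destination", root.get("Destination")), ("Recipient", recipient)):
        if url != ACS_URL or not ACS_VALIDATOR.match(url):
            problems.append(f"{label} {url!r} is not {ACS_URL}")

    # FMX only accepts the emailAddress NameID format.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != NAMEID_EMAIL:
        problems.append(f"NameID format {fmt!r} is not {NAMEID_EMAIL}")

    # Minimum attributes: email, plus display name OR given name and surname.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if not attrs.get(attr_names["email"]):
        problems.append("missing email attribute")
    has_display = bool(attrs.get(attr_names["display"]))
    has_full_name = bool(attrs.get(attr_names["given"])) and bool(attrs.get(attr_names["surname"]))
    if not (has_display or has_full_name):
        problems.append("missing name attributes: FMX will show the registration form")
    return problems


if __name__ == "__main__":
    samples = [
        ("correct", build_response()),
        ("no name attributes", build_response(attrs={"email": "alice@example.com"})),
        ("audience missing slash", build_response(audience=f"https://{HOSTNAME}.gofmx.com")),
    ]
    for title, xml in samples:
        print(title, "->", check_response(xml) or "OK")
```

To use it against a real IdP, capture the SAMLResponse form field with a browser SAML tracer, base64-decode it, and pass the XML to `check_response`; the "no name attributes" case reproduces the registration-page symptom described above.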
Does the application support SCIM provisioning?
- FMX does not currently support SCIM provisioning.
Is there a failover URL to log in directly to the application in case of issues with SAML?
- Yes. Organizations may use a local login option that requires credentials created in FMX to authenticate.
How do I complete the integration with FMX?
- To complete the integration, we will need your metadata URL so that we can enable the single sign-on button on your FMX site.