This article assumes you have already configured Single Sign-On (SSO) integration with FMX using Active Directory Federation Services (AD FS).Not yet set up SSO? Click here to configure SSO with AD FS first.OverviewSynchronizing user access permissions from AD FS to FMX is optional. By following these steps, you can automatically provision: FMX user types FMX building access FMX transportation driver flags Note: If you do not configure these mappings, you can still use SSO for authentication. This feature simply automates the assignment of user roles, building access, and driver privileges based on AD group membership.1. Synchronizing FMX User Types Create AD Security Groups for Each User TypeUse a naming convention that is clear for your organization, for example: FMX User Type - FMX Administrator FMX User Type - Maintenance Tech Create AD FS Transform Rules Open AD FS Management → Relying Party Trusts → Edit Claim Rules Click Add Rule… → Send Group Membership as a Claim Configure for each user type as follows: Transform rule name: Set user type to FMX Administrator User’s group: FMX User Type - FMX Administrator Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/usertypeid Outgoing claim value: Numeric ID for this user type (see your FMX federation metadata) Assign Users to AD Security Groups Each user can belong to only one user type. Multiple user type assignments will result in authentication errors. 2. Synchronizing FMX Building Access Create AD Security Groups for Each FMX BuildingExamples: FMX Building - Sample Building 1 FMX Building - Sample Building 2 Clear Existing Building Access (Optional) Add an AD FS transform rule using Send Claims Using a Custom Rule: Transform rule name: Clear building access Custom rule: => issue(Type = "http://schemas.gofmx.com/ws/2015/05/identity/claims/buildingaccess", Value = "{ AllBuildings: true, Access: 'Deny' }"); Grant Access Based on AD Security Groups For each building, create a transform rule using Send Group Membership as a Claim: Transform rule name: Grant building access for Sample Building 1 User’s group: FMX Building - Sample Building 1 Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/buildingaccess Outgoing claim value: { BuildingID: <value>, Access: 'Grant' } Replace <value> with the numeric ID for this building (see your federation metadata) Assign Users to AD Security Groups Users can be members of multiple building groups to gain access to multiple FMX locations. 3. Synchronizing Transportation Driver Flag Create AD Security Group Example: FMX Transportation Driver Clear Existing Driver Flag (Optional) Add an AD FS transform rule using Send Claims Using a Custom Rule: Transform rule name: Clear transportation driver flag Custom rule: => issue(Type = "http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive", Value = ""); Grant Driver Flag Based on Group Membership Add an AD FS transform rule using Send Group Membership as a Claim: Transform rule name: Enable transportation driver flag User’s group: FMX Transportation Driver Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive Outgoing claim value: True Assign Users to AD Security Group Only users who need the transportation driver role should be in this group. Notes and Best Practices Use clear, consistent naming conventions for AD security groups. Verify the numeric IDs for user types and buildings from the FMX federation metadata. Testing: Always validate with a test user before deploying organization-wide. Multiple building assignments are allowed, but only one user type per user is allowed. Troubleshooting Authentication fails for users: Check that users are in the correct AD FS groups and that only one user type is assigned. Building or driver claims not applied: Ensure transform rules are correctly configured and ordered. Claim values incorrect: Verify numeric IDs in the federation metadata document match the outgoing claim values. Was this article helpful? 0 out of 2 found this helpful