This article assumes you've already configured Single Sign-On integration with FMX using Active Directory Federation Services (AD FS). Click here if you haven't yet configured Single Sign-On integration.
This step is entirely optional. However, if you would like to provision users directly through AD FS rather than through FMX, follow the instructions below.
On-Prem Active Directory Federation Services (AD FS)
Synchronize user type:
- Create an AD security group for each FMX user type. Use a naming convention that makes sense for your organization, such as:
  - "FMX User Type - FMX Administrator" for the "FMX Administrator" user type
  - "FMX User Type - Maintenance Tech" for the "Maintenance Tech" user type
- Create an AD FS transform rule for each AD security group using the "Send Group Membership as a Claim" template. Follow this example for each user type:
  - Transform rule name: "Set user type to FMX Administrator"
  - User's group: "FMX User Type - FMX Administrator"
  - Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/usertypeid
  - Outgoing claim value: Enter the numeric identifier used by FMX for this user type. The identifier is exposed in the federation metadata document at: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml.
- Assign users to the appropriate security group in AD. Note that a user can only be assigned to a single user type and multiple assignments will result in a server error when authenticating with FMX.
Synchronize building access:
- Create an AD security group for each FMX building. Use a naming convention that makes sense for your organization, such as:
  - "FMX Building - Sample Building 1" for the "Sample Building 1" building
  - "FMX Building - Sample Building 2" for the "Sample Building 2" building
- Create an AD FS transform rule using the "Send Claims Using a Custom Rule" template to clear a user's building access:
  - Transform rule name: "Clear building access"
  - Custom rule: "=> issue(Type = "http://schemas.gofmx.com/ws/2015/05/identity/claims/buildingaccess", Value = "{ AllBuildings: true, Access: 'Deny' }");"
- Create an AD FS transform rule for each AD security group using the "Send Group Membership as a Claim" template. This will grant a user building access if they are a member of the AD security group. Follow this example for each building:
  - Transform rule name: "Grant building access for Sample Building 1"
  - User's group: "FMX Building - Sample Building 1"
  - Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/buildingaccess
  - Outgoing claim value: "{ BuildingID: <value>, Access: 'Grant' }"
  - Replace "<value>" with the numeric identifier used by FMX for this building. The identifier is exposed in the federation metadata document at: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml.
- Assign users to the appropriate security groups in AD. Note that a user can be assigned access to multiple buildings in FMX.
Synchronize transportation driver flag:
- Create a single AD security group for transportation drivers. Use a naming convention that makes sense for your organization, such as:
  - "FMX Transportation Driver"
- Create an AD FS transform rule using the "Send Claims Using a Custom Rule" template to clear a user's transportation driver flag:
  - Transform rule name: "Clear transportation driver flag"
  - Custom rule: "=> issue(Type = "http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive", Value = "");"
- Create an AD FS transform rule using the "Send Group Membership as a Claim" template to enable a user's transportation driver flag if they are a member of the AD security group:
  - Transform rule name: "Enable transportation driver flag"
  - User's group: "FMX Transportation Driver"
  - Outgoing claim type: http://schemas.gofmx.com/ws/2015/05/identity/claims/candrive
  - Outgoing claim value: "True"
- Assign appropriate users to this security group in AD.
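Before assigning users, it helps to check which claims the rules above would issue for each account, in particular to catch a user in more than one user-type group (which fails at sign-in) or in a group that has no identifier mapped. The following is an added example, not FMX or AD FS code: the function names, the numeric IDs and the membership export are constructed assumptions, and the rule evaluation is a simplified model of the rules on this page.

```python
NS = "http://schemas.gofmx.com/ws/2015/05/identity/claims/"
TYPE_PREFIX, BUILDING_PREFIX = "FMX User Type - ", "FMX Building - "
DRIVER_GROUP = "FMX Transportation Driver"
# Constructed placeholder IDs; the real ones come from the federation metadata document.
USER_TYPE_IDS = {"FMX Administrator": 1001, "Maintenance Tech": 1002}
BUILDING_IDS = {"Sample Building 1": 2001, "Sample Building 2": 2002}
# Group-name prefix -> (claim name, ID table, outgoing claim value format).
RULES = {TYPE_PREFIX: ("usertypeid", USER_TYPE_IDS, "%d"),
         BUILDING_PREFIX: ("buildingaccess", BUILDING_IDS,
                           "{ BuildingID: %d, Access: 'Grant' }")}

def issued_claims(groups):
    """Model the claims the rules on this page issue for one user's AD groups."""
    # The two unconditional "clear" rules fire for every user.
    claims = [(NS + "buildingaccess", "{ AllBuildings: true, Access: 'Deny' }"),
              (NS + "candrive", "")]
    unmapped = []
    for group in sorted(groups):
        if group == DRIVER_GROUP:
            claims.append((NS + "candrive", "True"))
        for prefix, (claim, ids, fmt) in RULES.items():
            if group.startswith(prefix):
                ident = ids.get(group[len(prefix):])
                if ident is None:
                    unmapped.append(group)  # group exists but no rule/ID for it
                else:
                    claims.append((NS + claim, fmt % ident))
    return claims, unmapped

def audit(memberships):
    """Return {user: [problems]} for users whose groups would misprovision them."""
    findings = {}
    for user, groups in memberships.items():
        claims, unmapped = issued_claims(groups)
        type_ids = [v for t, v in claims if t == NS + "usertypeid"]
        problems = ["no transform rule/ID for group %r" % g for g in unmapped]
        if len(type_ids) > 1:
            problems.append("multiple user types %s: server error at sign-in" % type_ids)
        if problems:
            findings[user] = problems
    return findings

# Constructed sample export of user -> AD group names.
SAMPLE = {
    "alice": {"FMX User Type - FMX Administrator", "FMX Building - Sample Building 1",
              "FMX Building - Sample Building 2"},
    "bob": {"FMX User Type - FMX Administrator", "FMX User Type - Maintenance Tech"},
    "carol": {"FMX User Type - Maintenance Tech", DRIVER_GROUP, "FMX Building - Annex"},
}
if __name__ == "__main__":
    print(audit(SAMPLE))
```
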