SAML2 for a custom provider
Which Identity Providers are supported for SAML2?
Flexopus implements the standard SAML2 Single Sign On protocol, which is supposed to work with any Identity Provider that follows the SAML2 standard. Flexopus acts as a Service Provider. Therefore, you can try to connect your Identity Provider even if we do not provide a specific step-by-step description of how to configure it.
Still, for the most commonly used Identity Providers we have created step-by-step instruction manuals:
SAML2 Instruction Manual
STEP 1 - Metadata parameters
Navigate in Flexopus as an administrator to Dashboard > Settings > Authentication. Click the Add provider button and select the SAML2 SSO option.
Here you can find the Entity ID, Callback (ACS) URL, Relay state, Metadata URL and the Metadata file. These configuration parameters will be necessary to configure your Identity Provider.
To finish the configuration steps within Flexopus you will need to enter the Metadata URL or upload the Metadata File of your Identity Provider. Configure it and enable the SAML2 SSO.
Enter the name of the SAML2 Login button, which will be displayed on the login page. Recommendation: SSO Login
(optional) Enable the synchronization of the fields that you configured in the SAML2 settings: jobtitle, department, costcenter or extensionAttributes.
In the security settings, enter a * (star) in the allowed domains for SSO field and press ENTER. This allows every user that is configured for login in your Active Directory to log in.
By default, SAML2 SSO users are registered automatically on their first login. This is convenient, since you do not need to create the user profiles manually one by one before the first login; you can disable this setting, but it is not recommended.
SAVE your settings at the bottom.
STEP 2 - Configure your Identity Provider
Use the configuration parameters provided by Flexopus to configure the integration in your Identity Provider: Entity ID, Callback (ACS) URL, Relay state, Metadata URL and the Metadata file.
STEP 3 - Signatures
Signing the assertions sent to the Flexopus server is mandatory. Please note that an invalid signature will always result in an error. Therefore, make sure that:
- your IdP signs the assertions and not (only) the whole message.
- your IdP signs with a key that corresponds to the certificate contained in the identity provider (IdP) metadata that you upload to Flexopus.
Encryption of assertions sent to Flexopus is optional. If you want to encrypt them, please use our certificate in the metadata of our service provider.
STEP 4 - Attribute mappings
You need to configure which attributes shall be synchronized between your identity provider and Flexopus. You can configure the mappings with the parameters listed below; for each Flexopus field, any one of the listed attribute names is accepted. We generally recommend using urn: mappings. The jobtitle, department, costcenter, memberOf and extensionAttribute[1-10] parameters are optional. Also, you can decide to send the first_name and last_name combination and/or the name attribute.
'email' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'urn:oid:0.9.2342.19200300.100.1.3',
    'http://schemas.xmlsoap.org/claims/EmailAddress',
    'urn:oid:1.2.840.113549.1.9.1',
],
'name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
    'urn:oid:2.16.840.1.113730.3.1.241',
    'http://schemas.xmlsoap.org/claims/CommonName',
    'urn:oid:2.5.4.3',
],
'first_name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'urn:oid:2.5.4.42',
],
'last_name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
    'urn:oid:2.5.4.4',
],
'upn' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
    'urn:oid:0.9.2342.19200300.100.1.1',
    'http://schemas.xmlsoap.org/claims/UPN',
    'upn',
],
'department' => [
    'department',
    'urn:oid:2.5.4.11',
],
'jobtitle' => [
    'jobtitle',
    'urn:oid:2.5.4.12',
],
'costcenter' => [
    'costcenter',
],
'memberOf' => [
    'memberOf',
],
'extensionAttribute1' => [
    'extensionAttribute1',
],
'extensionAttribute2' => [
    'extensionAttribute2',
],
'extensionAttribute3' => [
    'extensionAttribute3',
],
'extensionAttribute4' => [
    'extensionAttribute4',
],
'extensionAttribute5' => [
    'extensionAttribute5',
],
'extensionAttribute6' => [
    'extensionAttribute6',
],
'extensionAttribute7' => [
    'extensionAttribute7',
],
'extensionAttribute8' => [
    'extensionAttribute8',
],
'extensionAttribute9' => [
    'extensionAttribute9',
],
'extensionAttribute10' => [
    'extensionAttribute10',
],
Our server requires that the NameID is of the PERSISTENT format.
STEP 5 - Configure who can log in
Once you have configured Flexopus and your identity provider, you need to configure who is supposed to log in to Flexopus. That is the whole point of the SAML2 Single Sign On configuration: you grant your users access to use SSO. In most identity providers you can allow all users, or you can grant access based on user groups. Grant access for your users, then test the connection.
Open Flexopus in a new incognito window and test the login. You should be able to log in with an existing or a new user, depending on how you configured the access rights.
Once the SAML2 SSO is configured successfully, you can optionally disable the email and password login and require all users to use Single Sign On. Navigate to Dashboard > Settings > Authentication. You can find two options here:
- Disable password login: disables all email and password login forms.
- Hide login form: hides the login form on the main login page, but there is a secondary login form at ../dashboard/auth/login which you can leave open for a backup admin user.
Troubleshooting / FAQ
Duplicate user was created!
This can happen if the UPN changed over time. Contact us for support: support@flexopus.com
One user can log in in the user profiles of others!
This can happen if you mixed up the UPNs of the users in your Google Workspace Directory over time. Contact us for support: support@flexopus.com