
SAML2 for a custom provider

Which Identity Providers are supported for SAML2?

Flexopus implements the standard SAML2 Single Sign-On protocol and acts as the Service Provider (SP), so it should work with any Identity Provider (IdP) that follows the SAML2 standard. You can therefore try to connect your Identity Provider even if we do not provide a step-by-step description for that specific product.

Still, for the most commonly used Identity Providers we have written step-by-step instruction manuals:

  • Azure Active Directory SAML2 SSO (Microsoft Entra ID, formerly Azure Active Directory)
  • Microsoft AD FS SAML2 SSO (Active Directory Federation Services, Microsoft's self-hosted, on-premise Windows IdP)
  • Google SAML2 SSO (Google Workspace, formerly G Suite)
  • Keycloak SAML2 SSO
  • Ping Identity SAML2 + SCIM
  • Okta SAML2 + SCIM
  • Akamai SAML SSO

SAML2 Instruction Manual


STEP 1 - Metadata parameters

  • Navigate in Flexopus to Dashboard > Settings > Authentication as an administrator.
  • Click on the Add provider button.
  • Select the SAML2 SSO option.
Create SAML2 SSO Provider

In this section, you'll find the following configuration parameters, which are required for setting up your Identity Provider:

  • Entity ID
  • Callback (ACS) URL
  • Relay State
  • Metadata URL
  • Metadata File

These details will assist in configuring your Identity Provider accurately with Flexopus.

Configuration parameters
💡
Note: You can set up multiple Single Sign-On providers simultaneously. While typically there's only one Identity Provider (IdP), organizations with multiple companies might need multiple IdPs. Each IdP will have a unique prefix in the URL to differentiate between the SAML2 URLs.

To complete the configuration in Flexopus, enter the Metadata URL or upload the Metadata File from your Identity Provider. Once configured, enable the SAML2 SSO.

Upload Metadata File

Enter the name for the SAML2 Login button, which will display on the login page. Recommendation: Use "SSO Login."
(Optional) Enable synchronization for any additional fields configured in the SAML2 settings, such as jobtitle, department, costcenter, or extensionAttributes.

Fields and button name.

In the security settings, set the allowed domains for SSO to * (star) and press ENTER. This allows any user your Identity Provider releases to Flexopus to log in. If only users from specific e-mail domains should be able to use SSO, list those domains instead of the wildcard.

By default, SAML2 SSO users are registered automatically (just-in-time) on their first successful login, so you do not need to create profiles manually beforehand. You can disable this setting if necessary, though it is generally not recommended.

Security settings

Save your settings at the bottom of the page.


STEP 2 - Configure your Identity Provider

Use the configuration parameters provided by Flexopus to set up the integration in your Identity Provider. The required parameters include:

  • Entity ID
  • Callback (ACS) URL
  • Relay State
  • Metadata URL
  • Metadata File

Ensure these details are entered correctly to complete the integration.

💡
Note! We recommend using the Metadata URL instead of the Metadata File where possible. This makes certificate rotation easier: when your IdP changes its signing certificate, the new certificate can be picked up from the URL instead of requiring a fresh file upload. Make sure the Metadata URL is served over HTTPS, since it is the source of the certificate Flexopus trusts.
💡
Note (optional): Relay State. If your IdP performs an IdP-initiated login, you can set this value so that Flexopus converts it into an SP-initiated login.

STEP 3 - Signatures

Signing the assertions sent to the Flexopus server is mandatory, and an invalid signature always results in an error. Therefore, make sure that:

  • your IdP signs the assertion itself, not the whole Response message;
  • your IdP signs with the private key that belongs to the signing certificate published in the IdP metadata you provide to Flexopus (a rotated key combined with stale metadata fails in exactly the same way as a wrong key).

Encrypting the assertions sent to Flexopus is optional. If you want to encrypt them, use the certificate from our Service Provider metadata (the Metadata URL or Metadata File from STEP 1).

STEP 4 - Attribute mappings

Configure which attributes should be synchronized from your Identity Provider to Flexopus. Use the parameters below for the mapping; where a urn:oid name is listed, we recommend using it:

  • first_name and last_name or combined name attribute
  • jobtitle (optional)
  • department (optional)
  • costcenter (optional)
  • memberOf (optional)
  • extensionAttribute[1-10] (optional)

You decide which of the optional attributes to release based on your organizational needs. The attribute names Flexopus recognises for each profile field are listed below; any of the listed names for a field is accepted:

'email' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'urn:oid:0.9.2342.19200300.100.1.3',
    'http://schemas.xmlsoap.org/claims/EmailAddress',
    'urn:oid:1.2.840.113549.1.9.1',
],
'name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
    'urn:oid:2.16.840.1.113730.3.1.241',
    'http://schemas.xmlsoap.org/claims/CommonName',
    'urn:oid:2.5.4.3',
],
'first_name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'urn:oid:2.5.4.42',
],
'last_name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
    'urn:oid:2.5.4.4',
],
'upn' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
    'urn:oid:0.9.2342.19200300.100.1.1',
    'http://schemas.xmlsoap.org/claims/UPN',
    'upn',
],
'department' => [
    'department',
    'urn:oid:2.5.4.11',
],
'jobtitle' => [
    'jobtitle',
    'urn:oid:2.5.4.12',
],
'costcenter' => [
    'costcenter',
],
'memberOf' => [
    'memberOf',
],
'extensionAttribute1' => [
    'extensionAttribute1',
],
'extensionAttribute2' => [
    'extensionAttribute2',
],
'extensionAttribute3' => [
    'extensionAttribute3',
],
'extensionAttribute4' => [
    'extensionAttribute4',
],
'extensionAttribute5' => [
    'extensionAttribute5',
],
'extensionAttribute6' => [
    'extensionAttribute6',
],
'extensionAttribute7' => [
    'extensionAttribute7',
],
'extensionAttribute8' => [
    'extensionAttribute8',
],
'extensionAttribute9' => [
    'extensionAttribute9',
],
'extensionAttribute10' => [
    'extensionAttribute10',
],

Our server requires the NameID format to be persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).

💡
READ IT! Once you set the UPN, do not change it. UPN = User Principal Name. It is meant to be a unique and immutable attribute, and Flexopus uses it as the stable identifier that ties a SAML login to a user profile. Changing that field can create duplicate user entries, and mixing up UPNs between users lets one user log in to another user's profile (see Trouble Shooting / FAQ below). Contact us if you need help with it.
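As an added example (not Flexopus code, and not part of the original page), the following stand-alone Python script pre-checks a SAML2 Response against the STEP 3 signature requirements and the STEP 4 NameID and attribute mappings, using only the standard library. It reports where the signature sits (on the assertion or only on the outer Response), whether the certificate the IdP embeds is one of the signing certificates in its metadata, whether the NameID format is persistent, and which Flexopus fields the released attributes resolve to. It does not verify the XML signature cryptographically; that remains the SP library's job. The IdP metadata, the Response and the certificate value are constructed placeholders, and the idp.example.test names are assumptions.

```python
# Added example, not Flexopus code: stdlib-only pre-flight checks on a SAML2 Response
# against STEP 3 (assertion-level signature, metadata certificate) and STEP 4 (NameID
# format, attribute names). It inspects structure only; it does NOT verify the XML-DSig.
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Accepted attribute names per profile field, from the table on this page (costcenter,
# memberOf and extensionAttribute1-10 follow the same pattern and are left out here).
FIELD_ATTRIBUTES = {
    "email": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
              "urn:oid:0.9.2342.19200300.100.1.3", "http://schemas.xmlsoap.org/claims/EmailAddress",
              "urn:oid:1.2.840.113549.1.9.1"],
    "first_name": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "urn:oid:2.5.4.42"],
    "last_name": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "urn:oid:2.5.4.4"],
    "upn": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "urn:oid:0.9.2342.19200300.100.1.1",
            "http://schemas.xmlsoap.org/claims/UPN", "upn"],
    "department": ["department", "urn:oid:2.5.4.11"],
}
# Constructed placeholder, not a real X.509 certificate; only its identity matters here.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate").decode()

def _cert_der(text: str) -> bytes:
    """Normalise an X509Certificate value (PEM armour and line breaks optional) to DER bytes."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text).split()))

def idp_signing_certs(metadata_xml: str) -> list[bytes]:
    """Signing certificates published in the IdP metadata; a KeyDescriptor without a
    'use' attribute is valid for signing and encryption, so it counts too."""
    root = ET.fromstring(metadata_xml)
    return [_cert_der(c.text)
            for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            for c in kd.iterfind(".//ds:X509Certificate", NS)]

def map_attributes(assertion: ET.Element) -> dict:
    """Resolve profile fields from the AttributeStatement; the first recognised name per field wins."""
    present = {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
               for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    mapped = {field: next((present[n][0] for n in names if present.get(n)), None)
              for field, names in FIELD_ATTRIBUTES.items()}
    return {k: v for k, v in mapped.items() if v is not None}

def check_response(response_xml: str, trusted_certs: list[bytes]) -> dict:
    """Findings for one Response: signature placement, certificate identity, NameID format, attributes."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an encrypted one arrives as saml:EncryptedAssertion, not handled here
        return {"assertion_signed": False, "error": "no plaintext saml:Assertion"}
    sig = assertion.find("ds:Signature", NS)
    embedded = [_cert_der(c.text) for c in sig.iterfind(".//ds:X509Certificate", NS)] if sig is not None else []
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    return {
        "assertion_signed": sig is not None,
        # a signature only on the outer Response is the misconfiguration STEP 3 warns about
        "response_signed_only": sig is None and root.find("ds:Signature", NS) is not None,
        # None when the IdP embeds no certificate (the SP must then rely on the metadata key)
        "cert_in_metadata": any(c in trusted_certs for c in embedded) if embedded else None,
        "nameid_persistent": fmt == PERSISTENT,
        "attributes": map_attributes(assertion),
    }

def build_response(sign_assertion: bool = True, nameid_format: str = PERSISTENT) -> str:
    """Constructed sample Response (not captured from any IdP). The ds:Signature carries only
    KeyInfo, because this pre-check never validates SignedInfo/SignatureValue."""
    sig = (f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}"
           "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0">{'' if sign_assertion else sig}
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    {sig if sign_assertion else ''}
    <saml:Subject><saml:NameID Format="{nameid_format}">3f1c9a2e-opaque-persistent-id</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="upn"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.11"><saml:AttributeValue>Facilities</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed IdP metadata carrying the same placeholder certificate as its signing key.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{PERSISTENT}</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    certs = idp_signing_certs(SAMPLE_IDP_METADATA)
    for label, xml in (("assertion signed", build_response(True)), ("Response signed only", build_response(False))):
        print(label, check_response(xml, certs))
```

Running the script prints the findings for a correctly signed assertion next to the "only the outer Response is signed" case. To triage a failing login, base64-decode the SAMLResponse form field captured from the browser, pass the resulting XML together with your IdP's metadata to check_response, and look for a missing assertion-level signature, a certificate that is not in the metadata (stale metadata after a key rotation), a non-persistent NameID format, or an attribute name that does not appear in the table above.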

STEP 5 - Configure who can log in

Once you have configured Flexopus and your Identity Provider, you need to configure who is supposed to log in to Flexopus. That is the whole point of the SAML2 Single Sign-On configuration: you grant your users access to Flexopus through SSO. Most Identity Providers let you either allow all users or grant access based on user groups. Grant access to your users, then test the connection.

Open Flexopus in a new incognito window and test the login. You should be able to log in with an existing or a new user, depending on how you configured the access right.

💡
Note: It is possible that the settings are not applied immediately. Wait about 30 minutes and test again.

To enforce Single Sign-On (SSO) and disable email/password logins, navigate to Dashboard > Settings > Authentication. Here, you’ll find two options:

  1. Disable password login – This option disables all email and password login forms.
  2. Hide login form – This hides the main login form on the primary login page, while a secondary login form (../dashboard/auth/login) remains available as a backup for admin access.
Disable emails and password login

Trouble Shooting / FAQ

Duplicate user was created!

This can happen, if the UPN changed over the time. Contact us for support: support@flexopus.com

One user can log in in the user profiles of others!

This can happen if the UPNs of two users were mixed up in your Identity Provider's directory at some point. Contact us for support: support@flexopus.com