SAML2 for a custom provider

Which Identity Providers are supported for SAML2?

Flexopus implements the standard SAML2 Single Sign On protocol, which is supposed to work with any Identity Provider that follows the SAML2 standard. Flexopus acts as a Service Provider. Therefore, you can try to connect your Identity Provider even if we do not provide a specific step-by-step description of how to configure it.

We also provide step-by-step instruction manuals for the most commonly used Identity Providers:

  • Azure Active Directory SAML2 SSO: connect Flexopus with your Entra Active Directory (formerly known as Azure Active Directory) via a SAML2 Single Sign On integration, manage through your Active Directory which users should have access to Flexopus, and require them to log in with their Microsoft AD credentials.
  • Microsoft AD FS SAML2 SSO: Microsoft AD FS (Active Directory Federation Services) is a Windows-based, self-hosted (on-premise) Identity Provider (IdP) from Microsoft; you connect Flexopus to it as an enterprise application over SAML2.
  • Google SAML2 SSO: connect Flexopus with your Google Workspace Directory (formerly known as Google G-Suite) via SAML2 and manage which Google Workspace users should have access to Flexopus, using their Google credentials for the login.
  • Keycloak SAML2 SSO: connect Flexopus with Keycloak via SAML2 and manage through your Keycloak directory which users should have access to Flexopus, using their Keycloak credentials for the login.
  • Ping Identity SAML2 + SCIM: connect Flexopus with Ping Identity via SAML2 and manage through Ping Identity which users should have access to Flexopus, using their Ping credentials for the login.
  • Okta SAML2 + SCIM: connect Flexopus with Okta via SAML2 and manage which Okta users should have access to Flexopus, using their Okta credentials for the login.
  • Akamai SAML SSO: connect Flexopus with Akamai via SAML2 and manage through Akamai which users should have access to Flexopus, using their Akamai credentials for the login.

SAML2 Instruction Manual


STEP 1 - Metadata parameters

Navigate in Flexopus as an administrator to Dashboard > Settings > Authentication. Click the Add provider button and select the SAML2 SSO option.

Create SAML2 SSO Provider

Here you can find the Entity ID, Callback (ACS) URL, Relay state, Metadata URL and the Metadata file. These configuration parameters will be necessary to configure your Identity Provider.

Configuration parameters
💡
Note: You can configure multiple Single Sign On providers at the same time. In most cases there is only one Identity Provider (IdP); however, an organization with multiple companies may have multiple IdPs. For this reason, there is a prefix in the URL to differentiate between the SAML2 URLs of each IdP.

To finish the configuration steps within Flexopus you will need to enter the Metadata URL or upload the Metadata File of your Identity Provider. Configure it and enable the SAML2 SSO.

Upload Metadata File

Enter the name of the SAML2 Login button, which will be displayed on the login page. Recommendation: SSO Login

(optional) Enable the synchronization of the fields that you configured in the SAML2 settings: jobtitle or department.

Fields and button name

In the security settings, enter a * (star) in the allowed domains for SSO field and press ENTER. This allows every user who is configured in your Active Directory to log in.

By default, SAML2 SSO users are registered automatically after their first login attempt. This saves you from creating the user profiles manually one by one before the first login; you can disable this setting, but we do not recommend it.

Security settings

SAVE your settings at the bottom of the page.


STEP 2 - Configure your Identity Provider

Use the configuration parameters provided by Flexopus to configure the integration in your Identity Provider: Entity ID, Callback (ACS) URL, Relay state, Metadata URL and the Metadata file.

💡
Note: We recommend using the Metadata URL instead of the Metadata file, if possible. This makes it easier to pick up a new signing certificate in case it changes over time.
💡
Note (optional): Relay state. You can set this value to convert an IdP-initiated login into an SP-initiated login, in case your IdP attempts an IdP-initiated login.

STEP 3 - Signatures

Signing the assertions sent to the Flexopus server is mandatory. Please note that an invalid signature will always result in an error. Therefore, make sure that:

  • your IdP signs the assertions, not only the whole message.
  • your IdP server signs with a key that corresponds to the certificate in the Identity Provider (IdP) metadata that you upload to Flexopus.

Encryption of assertions sent to Flexopus is optional. If you want to encrypt them, please use our certificate in the metadata of our service provider.

STEP 4 - Attribute mappings

You need to configure which attributes shall be synchronized between your identity provider and Flexopus. You can configure the mappings with the parameters listed below; any of the listed attribute names is accepted for a given field. We generally recommend using the urn: mappings. The jobtitle, department, costcenter and memberOf parameters are optional. You can also decide to send the first_name and last_name combination and/or the name attribute.

'email' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
    'urn:oid:0.9.2342.19200300.100.1.3',
    'http://schemas.xmlsoap.org/claims/EmailAddress',
    'urn:oid:1.2.840.113549.1.9.1',
],
'name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
    'urn:oid:2.16.840.1.113730.3.1.241',
    'http://schemas.xmlsoap.org/claims/CommonName',
    'urn:oid:2.5.4.3',
],
'first_name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
    'urn:oid:2.5.4.42',
],
'last_name' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
    'urn:oid:2.5.4.4',
],
'upn' => [
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn',
    'urn:oid:0.9.2342.19200300.100.1.1',
    'http://schemas.xmlsoap.org/claims/UPN',
    'upn',
],
'department' => [
    'department',
    'urn:oid:2.5.4.11',
],
'jobtitle' => [
    'jobtitle',
    'urn:oid:2.5.4.12',
],
'costcenter' => [
    'costcenter',
],
'memberOf' => [
    'memberOf'
]

Our server requires that the type of the NameID is PERSISTENT.

💡
READ IT! Once you set the UPN, do not change it. UPN = Unique Principal Name, and unique attributes are not supposed to change. Changing that field could lead to duplicated user entries, and mixing up the UPNs between users can lead to even bigger problems. Contact us if you need help with it.
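As an added example (not Flexopus code), the following Python script performs the structural pre-flight checks that Step 3 and Step 4 describe, on a constructed SAML Response: the signature sits on the Assertion itself, the NameID format is persistent, and the attribute names resolve through a subset of the Step 4 mapping table. It does not verify the signature cryptographically; that requires an XML-DSig library.

```python
# Added example, not Flexopus code: structural pre-flight checks on a SAML2
# Response mirroring Step 3 (signature on the Assertion) and Step 4 (claim-name
# mapping, persistent NameID). No cryptographic verification is done here;
# that needs an XML-DSig library.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Subset of the Step 4 mapping table; candidates listed in order of preference.
MAPPING = {
    "email": [CLAIMS + "emailaddress", "urn:oid:0.9.2342.19200300.100.1.3"],
    "first_name": [CLAIMS + "givenname", "urn:oid:2.5.4.42"],
    "last_name": [CLAIMS + "surname", "urn:oid:2.5.4.4"],
    "upn": [CLAIMS + "upn", "urn:oid:0.9.2342.19200300.100.1.1", "upn"],
    "memberOf": ["memberOf"],
}

def check_response(xml_text):
    problems, attrs = [], {}
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"], attrs
    if assertion.find("ds:Signature", NS) is None:   # Step 3: assertion must be signed
        problems.append("assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    raw = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
           for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for field, names in MAPPING.items():          # first matching claim name wins
        hit = next((n for n in names if n in raw), None)
        if hit:
            attrs[field] = raw[hit] if field == "memberOf" else raw[hit][0]
    problems += [f"missing required attribute {f}" for f in ("email", "upn") if f not in attrs]
    return problems, attrs

# Constructed sample: signed assertion, persistent NameID, OID-style claims.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-42</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="upn"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="memberOf"><saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>it</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE)` returns an empty problem list and the resolved attributes; stripping the Signature element or switching the NameID format to transient makes the corresponding Step 3 and Step 4 checks fail.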

STEP 5 - Configure who can log in

Once you have configured Flexopus and your identity provider, you need to configure who is supposed to log in to Flexopus. That is the whole point of the SAML2 Single Sign On configuration: you grant your users access to use SSO. In most identity providers you can allow all users, or you can grant access based on user groups. Grant access for your users, then test the connection.

Open Flexopus in a new incognito window and test the login. You should be able to log in with an existing or a new user, depending on how you configured the access rights.

💡
Note: It is possible that the settings are not applied immediately. Wait about 30 minutes and test again.

Once SAML2 SSO is configured successfully, you can optionally disable the E-Mail and Password login and require all users to use Single Sign On. Navigate to Dashboard > Settings > Authentication. You can find two options here:

  • Disable password login
    You can disable all email and password login forms.
  • Hide login form
    You can hide the login form on the main login page with it, but a secondary login form at ../dashboard/auth/login remains available, which you can leave open for a backup admin user.
Disable emails and password login

Troubleshooting / FAQ

Duplicate user was created!

This can happen if the UPN changed over time. Contact us for support: support@flexopus.com

One user can log in to the user profile of another!

This can happen if you mixed up the UPNs of the users in your Google Workspace Directory over time. Contact us for support: support@flexopus.com