SAML Configuration
Select User Management > Authentication Services. On the Authentication Services page, select the SAML Configuration tab.
When enabled, you can incorporate users from your organization's Security Assertion Markup Language (SAML) identity provider for authentication with FME Server.
Note: Authentication with FME Server through SAML is not supported in the following FME Desktop transformers: FMEServerJobSubmitter, FMEServerNotifier, FMEServerResourceConnector, FMEServerJobWaiter, FMEServerLogFileRetriever.
Getting Started with SAML
To authenticate on FME Server with a SAML identity provider, you must configure settings in two places:
- On FME Server.
- On your SAML identity provider.
On the Authentication Services page, select the SAML Configuration tab, move the Enabled slider to the right, and provide the necessary metadata and other settings, as follows. When finished, proceed to SAML Identity Provider Settings (below).
- Upload Metadata File: If checked, allows you to upload your SAML provider metadata file in the Identity Provider Metadata File field. You can drag and drop the applicable file into the designated area. Alternatively, click inside the designated area to browse for the file.
  Tip: This file usually has a .xml extension.
  If not checked, you must enter the following fields manually:
  - Identity Provider SSO URL
  - Identity Provider Issuer
  - Identity Provider X.509 Certificate
- New User Default Role: The FME Server role to assign to new users by default, used when Role is not specified under Attribute Field Mappings (below) or its value does not match an existing role.
  WARNING: If fmesuperuser is specified, all permissions are granted in FME Server to new users.
- Attribute Field Mappings (optional): FME Server user attributes are assigned to new users according to a specified mapping. Enter attribute names from your identity provider to map them to the following FME Server user attributes:
  - First Name: This attribute is concatenated with Last Name to map to the Full Name of an FME Server user account.
  - Last Name: This attribute is concatenated with First Name to map to the Full Name of an FME Server user account.
  - Username: The attribute to map to the user Name of an FME Server account.
  - Email: The attribute to map to the Email of an FME Server user account.
  - Role: One or more attributes to map to the role(s) of an FME Server user account. If specified, this field overrides any value specified for New User Default Role, above. The values of a specified Role must match existing roles in FME Server.
- Sign Requests (optional): If checked, complete the following to ensure that requests between FME Server and the identity provider are signed:
  Note: This configuration may not be supported by your SAML identity provider.
  - Provide a Service Provider Certificate and Service Provider Key. You can create a certificate and key with a third-party application such as OpenSSL, or ask your IT department to generate these.
  - Upload or reference the certificate in your SAML identity provider.
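The following is an added example, not FME Server's own code, that works through the Attribute Field Mappings and New User Default Role rules above on a constructed SAML attribute statement: First Name and Last Name are concatenated into Full Name, Role values are kept only where they match an existing FME Server role, the default role applies when nothing matches, and the fmesuperuser case the warning describes is flagged. The identity-provider attribute names (givenName, sn, uid, mail, groups), the sample assertion and the set of existing roles are all assumptions for illustration.

```python
"""Added example: resolve FME Server user attributes from a SAML assertion.

Illustrative code written for this page, not Safe Software's implementation.
The attribute names, the constructed assertion and the role list are assumed.
"""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (attribute statement only) for illustration.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>alovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>fmeuser</saml:AttributeValue>
      <saml:AttributeValue>gis-analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attribute Field Mappings as they would be entered on the SAML Configuration
# tab. The identity-provider attribute names on the right are assumed.
FIELD_MAPPINGS = {
    "first_name": "givenName",
    "last_name": "sn",
    "username": "uid",
    "email": "mail",
    "role": ["groups"],  # one or more attributes may map to Role
}

# Roles assumed to exist in FME Server for this example.
EXISTING_ROLES = {"fmeuser", "fmeauthor", "fmeadmin", "fmesuperuser"}


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_user(attrs, mappings, existing_roles, default_role):
    """Apply the page's mapping rules to build a record for a new FME Server user."""
    first = attrs.get(mappings["first_name"], [""])[0]
    last = attrs.get(mappings["last_name"], [""])[0]
    username = attrs.get(mappings["username"], [""])[0]
    email = attrs.get(mappings["email"], [""])[0]
    if not username:
        raise ValueError("username attribute missing from assertion")

    # Role: gather values from every mapped attribute and keep only those that
    # match an existing FME Server role. If none match, the default role applies.
    candidates = []
    for attr_name in mappings.get("role", []):
        candidates.extend(attrs.get(attr_name, []))
    roles = sorted({r for r in candidates if r in existing_roles})
    if not roles:
        roles = [default_role]

    return {
        "name": username,
        "full_name": f"{first} {last}".strip(),
        "email": email,
        "roles": roles,
        # The condition the page warns about: fmesuperuser grants all permissions.
        "grants_all_permissions": "fmesuperuser" in roles,
    }


if __name__ == "__main__":
    print(resolve_user(parse_attributes(SAMPLE_ASSERTION), FIELD_MAPPINGS, EXISTING_ROLES, "fmeauthor"))
```

Values in the group attribute that do not name an FME Server role ("gis-analysts" here) are dropped rather than causing an error, which matches the page's statement that Role values must match existing roles; reviewing the `grants_all_permissions` flag before provisioning is the practical check against the fmesuperuser warning.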
SAML Identity Provider Settings
Configure the following settings on your SAML identity provider:
Note: Field names vary by provider.
- Entity ID (Audience URI): Set to <FMEServerWebURL>/fmesaml/saml2/service-provider-metadata/fmeserver
- Single Sign On URL (Application Callback URL, Assertion Consumer Service URL): Set to <FMEServerWebURL>/fmesaml/login/saml2/sso/fmeserver
Where <FMEServerWebURL> is the fully-qualified hostname for your FME Server, including both the hostname and domain (for example, https://fmeserver.domain.com).
Viewing SAML Logs
Log file fmesaml.log can be found in Services Logs. This log records:
- When a user account is created on initial login to FME Server through Sign in with SAML.
- Subsequent logins to FME Server through Sign in with SAML.
For more information, see About Log Files in FME Server.