SAML Configuration
Select User Management > Authentication Services. On the Authentication Services page, select the SAML Configuration tab.
When enabled, you can incorporate users from your organization's Security Assertion Markup Language (SAML) identity provider for authentication with FME Flow.
Getting Started with SAML
To authenticate on FME Flow with a SAML identity provider, you must configure settings in two places:
- On FME Flow.
- On your SAML identity provider.
On the Authentication Services page, select the SAML Configuration tab, move the Enabled slider to the right, and provide the necessary metadata and other settings, as follows. When finished, proceed to SAML Identity Provider Settings (below).
- Upload Metadata File: If checked, allows you to upload your SAML provider metadata file in the Identity Provider Metadata File field. You can drag and drop the applicable file into the designated area. Alternatively, click inside the designated area to browse for the file.
  If not checked, you must enter the following fields manually:
  - Identity Provider SSO URL
  - Identity Provider Issuer
  - Identity Provider X.509 Certificate
- New User Default Role: The FME Flow role assigned to new users when Role is not specified under Attribute Field Mappings (below), or when the mapped value does not match an existing role.
- Attribute Field Mappings (optional): FME Flow user attributes are assigned to new users according to a specified mapping. Enter attribute names from your identity provider to map them to the following FME Flow user attributes:
  - First Name: This attribute is concatenated with Last Name to map to the Full Name of an FME Flow user account.
  - Last Name: This attribute is concatenated with First Name to map to the Full Name of an FME Flow user account.
  - Username: The attribute to map to the user Name of an FME Flow account.
  - Email: The attribute to map to the Email of an FME Flow user account.
  - Role: One or more attributes to map to the role(s) of an FME Flow user account. If specified, this field overrides any value specified for New User Default Role, above. The values of a specified Role must match existing roles in FME Flow.
- Sign Requests (optional): If checked, complete the following to ensure that requests between FME Flow and the identity provider are signed:
  - Provide a Service Provider Certificate and Service Provider Key. You can create a certificate and key with a third-party application such as OpenSSL, or ask your IT department to generate these.
  - Upload or reference the certificate in your SAML identity provider.
  Note: This configuration may not be supported by your SAML identity provider.
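When Upload Metadata File is not checked, the three manual fields (Identity Provider SSO URL, Identity Provider Issuer, Identity Provider X.509 Certificate) all come from the same SAML 2.0 metadata document, so they can be pulled out of it programmatically and cross-checked before pasting. The following is an added example, not code from FME Flow or Safe Software; it assumes standard SAML 2.0 IdP metadata, and the embedded sample document and certificate blob are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# The SSO URL is the IdP's SingleSignOnService Location; prefer HTTP-Redirect, else HTTP-POST.
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

def extract_idp_settings(metadata_xml: str) -> dict:
    # Issuer = entityID, SSO URL = SingleSignOnService, certificate = signing key.
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    sso_url = next((sso[b] for b in BINDINGS if b in sso), None)
    if sso_url is None:
        raise ValueError("no HTTP-Redirect/HTTP-POST SingleSignOnService")
    cert_b64 = None
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            node = kd.find(f".//{{{DS}}}X509Certificate")
            if node is not None and node.text:
                cert_b64 = "".join(node.text.split())  # drop PEM line breaks
                break
    if cert_b64 is None:
        raise ValueError("no signing X509Certificate in metadata")
    der = base64.b64decode(cert_b64, validate=True)  # rejects a corrupted paste
    return {"issuer": root.get("entityID"), "sso_url": sso_url,
            "certificate": cert_b64,
            "sha256_fingerprint": hashlib.sha256(der).hexdigest()}

# Constructed sample metadata; the certificate body is a placeholder blob,
# not a real X.509 certificate.
SAMPLE_CERT = base64.b64encode(b"constructed-placeholder-not-a-real-cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {SAMPLE_CERT}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BINDINGS[1]}" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{BINDINGS[0]}" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

The SHA-256 fingerprint gives you a short value to compare with what your identity provider administrator reports, so a stale or wrong certificate is caught before the first login attempt.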
SAML Identity Provider Settings
Configure the following settings on your SAML identity provider:
- Entity ID (Audience URI): Set to <FMEServerWebURL>/fmesaml/saml2/service-provider-metadata/fmeserver
- Single Sign On URL (Application Callback URL, Assertion Consumer Service URL): Set to <FMEServerWebURL>/fmesaml/login/saml2/sso/fmeserver
Where <FMEServerWebURL> is the fully-qualified hostname for your FME Flow, including both the hostname and domain (for example, https://fmeserver.domain.com, which gives a Single Sign On URL of https://fmeserver.domain.com/fmesaml/login/saml2/sso/fmeserver).
Viewing SAML Logs
Log files fmesaml.log and restV4.log can be found in Services Logs.
fmesaml.log records:
- When a user account is created on initial login to FME Flow through Sign in with SAML.
- Subsequent logins to FME Flow through Sign in with SAML.
restV4.log records any problems encountered during SAML configuration.
For more information, see About Log Files in FME Flow.