SAML Configuration

On the Authentication Services page, select the SAML Configuration tab, move the Enabled slider to the right, and provide the necessary metadata and other settings, as follows. When finished, proceed to SAML Identity Provider Settings (below).

• Upload Metadata File: If checked, allows you to upload your SAML provider metadata file in the Identity Provider Metadata File field. You can drag and drop the applicable file into the designated area. Alternatively, click inside the designated area to browse for the file.
Tip  This file usually has a .xml extension.

If not checked, you must enter the following fields manually:

• Identity Provider SSO URL
• Identity Provider Issuer
• Identity Provider X.509 Certificate
• New User Default Role: If Role is not specified under Attribute Field Mappings (below), or does not match an existing role, the FME Flow role to assign to new users, by default.
Warning  If fmesuperuser is specified, all permissions are granted in FME Flow to new users.

 Attribute Field Mappings (optional): FME Flow User Attributes are assigned to new users according to a specified mapping. Enter attribute names from your identity provider to map them to the following FME Flow user attributes: 

• First Name: This attribute is concatenated with Last Name to map to the Full Name of an FME Flow user account.
• Last Name: This attribute is concatenated with First Name to map to the Full Name of an FME Flow user account.
• Username: The attribute to map to the user Name of an FME Flow account.
• Email: The attribute to map to the Email of an FME Flow user account.
• Role: One or more attributes to map to the role(s) of an FME Flow user account. If specified, this field overrides any value specified for New User Default Role, above. The values of a specified Role must match existing roles in FME Flow.
• Sign Requests (optional): If checked, complete the following to ensure that requests between FME Flow and the identity provider are signed:
  Note   This configuration may not be supported by your SAML identity provider.
  1. Provide a Service Provider Certificate and Service Provider Key. You can create a certificate and key with a third-party application such as OpenSSL, or ask your IT department to generate these.

  2. Upload or reference the certificate in your SAML identity provider.

Configure the following settings on your SAML identity provider:

• Entity ID (Audience URI): Set to <FMEServerWebURL>/fmesaml/saml2/service-provider-metadata/fmeserver

Where <FMEServerWebURL> is the fully-qualified hostname for your FME Flow, including both the hostname and domain (for example, https://fmeserver.domain.com).

• Single Sign On URL (Application Callback URL, Assertion Consumer Service URL): Set to <FMEServerWebURL>/fmesaml/login/saml2/sso/fmeserver

Where <FMEServerWebURL> is the fully-qualified hostname for your FME Flow, including both the hostname and domain (for example, https://fmeserver.domain.com).