FME Flow: 2025.0
SAML Configuration
Select User Management > Authentication Services. On the Authentication Services page, select the SAML Configuration tab.
When enabled, you can incorporate users from your organization's Security Assertion Markup Language (SAML) identity provider for authentication with FME Flow.
How It Works
With SAML configuration, SAML identity provider users who log in to FME Flow are redirected to the identity provider for authentication. Once authenticated, the identity provider sends a SAML assertion back to FME Flow.
The SAML assertion includes identity provider attributes that map to corresponding User attributes in FME Flow, such as User name and Email. If these attributes are not specified explicitly in the configuration, default values are assigned. For example, if the identity provider is Azure Active Directory, User name maps to the Azure AD name.
The FME Flow Role to which a user is assigned can also be mapped to a corresponding attribute on the identity provider. If a mapping is not defined or cannot be determined, a default role is assigned as specified explicitly in the configuration. The values of the mapped role on the identity provider must match existing roles in FME Flow.
When an identity provider user first logs in to FME Flow after SAML configuration is complete, FME Flow parses the attributes from the assertion to create a new user account. This just-in-time account creation ensures that only users who need access to FME Flow have accounts. Importing users and groups manually from a SAML identity provider is currently not supported.
Troubleshooting Login Failures with SAML Identity Provider Credentials
- Ensure that Automatic/JIT Provisioning is enabled on the identity provider. Check with your IT team for assistance.
- FME Flow Troubleshooting: SAML
Getting Started
To authenticate on FME Flow with a SAML identity provider, you must configure settings in two places:
- On your SAML identity provider.
- On FME Flow.
If FME Flow is accessed through a reverse proxy, also append the fully-qualified hostname of the reverse proxy to the fmeserver.saml.custom.baseurl= line in the SAML application.properties file, so that the service provider URLs FME Flow generates use the address the identity provider actually redirects to. If your FME Flow uses an Apache Tomcat web application server provided with the installation, this file is located in <FMEFlowDir>\Utilities\tomcat\webapps\fmesaml\WEB-INF\classes\. When complete, restart FME Flow.
Identity Provider Settings
Configure the following settings on your SAML identity provider. When finished, proceed to FME Flow Settings (below).
- Just-in-Time Provisioning (Auto-Membership): Ensure this setting is enabled.
- Entity ID (Audience URI): Set to <FMEFlowWebURL>/fmesaml/saml2/service-provider-metadata/fmeserver
- Single Sign On URL (Application Callback URL, Assertion Consumer Service URL): Set to <FMEFlowWebURL>/fmesaml/login/saml2/sso/fmeserver
Where <FMEFlowWebURL> is the fully-qualified hostname for your FME Flow, including both the hostname and domain (for example, https://fmeflow.domain.com).
FME Flow Settings
On the Authentication Services page, select the SAML Configuration tab, move the Enabled slider to the right, and provide the necessary metadata and other settings, as follows.
- Upload Metadata File: If checked, allows you to upload your SAML provider metadata file in the Identity Provider Metadata File field. You can drag and drop the applicable file into the designated area. Alternatively, click inside the designated area to browse for the file.
If not checked, you must enter the following fields manually:
- Identity Provider SSO URL
- Identity Provider Issuer
- Identity Provider X.509 Certificate
- New User Default Role: If Role is not specified under Attribute Field Mappings (below) or cannot be determined, the FME Flow role to assign to new users. This role must already exist in FME Flow.
Attribute Field Mappings (optional): FME Flow user attributes are assigned to new users according to a specified mapping. If not specified, a default mapping is configured. For example, if the identity provider is Azure Active Directory, Username maps to the Azure AD name.
Enter attribute names from your identity provider to map them to the following FME Flow user attributes:
- First Name: This attribute is concatenated with Last Name to map to the Full Name of an FME Flow user account.
- Last Name: This attribute is concatenated with First Name to map to the Full Name of an FME Flow user account.
- Username: The attribute to map to the user Name of an FME Flow account.
- Email: The attribute to map to the Email of an FME Flow user account.
- Role: The attribute to map to the role of an FME Flow user account. If your identity provider is configured with "unique" or "custom" attributes that are referenced in the distinguished name (DN) of a valid LDAP string, you must specify these attributes. This field overrides any value specified for New User Default Role, above. The values of the specified Role on the identity provider must match existing roles in FME Flow.
- Sign Requests (optional): If checked, complete the following so that the requests FME Flow sends to the identity provider are signed. Note: This configuration may not be supported by your SAML identity provider.
- Provide a Service Provider Certificate and Service Provider Key. You can create a certificate and key with a third-party application such as OpenSSL, or ask your IT department to generate these. The certificate format must be DER-encoded or PEM-encoded X.509. The key format must be PEM PKCS#8-encoded.
- Upload or reference the certificate in your SAML identity provider.
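A pre-upload check for the Service Provider Certificate and Service Provider Key formats that the Sign Requests setting requires. This is an added example, not FME Flow code or Safe Software's validation logic: it inspects only PEM labels and the outer ASN.1 structure, which is enough to catch the common mistake of supplying a PKCS#1 key ("BEGIN RSA PRIVATE KEY") or an encrypted key where an unencrypted PEM PKCS#8 key is required, and it does not verify the key or certificate cryptographically. The key and certificate bytes used as input are constructed structural shells, not real credentials.

```python
"""Added example (not FME Flow code): check Service Provider certificate and
key files against the formats the Sign Requests setting requires:
DER- or PEM-encoded X.509 certificate, unencrypted PEM PKCS#8 private key."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, DER bytes) for each PEM block found in text."""
    for m in PEM_RE.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def key_format(der):
    """Classify a DER private key by structure, independent of its PEM label.
    Both PKCS#8 PrivateKeyInfo and PKCS#1 RSAPrivateKey start with
    SEQUENCE { INTEGER version, ... }; PKCS#8 then carries an AlgorithmIdentifier
    SEQUENCE, whereas PKCS#1 continues with the INTEGER modulus."""
    try:
        tag, start, _ = _tlv(der, 0)
        if tag != 0x30:
            return "unknown"
        tag, _, vend = _tlv(der, start)
        if tag != 0x02:
            return "unknown"
        tag, _, _ = _tlv(der, vend)
    except IndexError:
        return "unknown"
    return {0x30: "pkcs8", 0x02: "pkcs1"}.get(tag, "unknown")


def check_key(pem_text):
    """Return (ok, reason) for the Service Provider Key field."""
    blocks = list(pem_blocks(pem_text))
    if len(blocks) != 1:
        return False, "expected exactly one PEM block"
    label, der = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY":
        return False, "encrypted PKCS#8; supply an unencrypted key"
    fmt = key_format(der)
    if label == "PRIVATE KEY" and fmt == "pkcs8":
        return True, "PEM PKCS#8"
    if label == "RSA PRIVATE KEY" or fmt == "pkcs1":
        return False, ("PKCS#1 RSAPrivateKey; convert with: "
                       "openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem")
    return False, f"unrecognised key encoding (label {label!r}, structure {fmt})"


def check_cert(data):
    """Return (ok, reason) for the Service Provider Certificate field (bytes in)."""
    blocks = list(pem_blocks(data.decode("ascii", errors="ignore")))
    if blocks:
        label, der = blocks[0]
        if label != "CERTIFICATE":
            return False, f"PEM block is {label!r}, not CERTIFICATE"
    else:
        der = data                          # assume raw DER
    try:
        tag, _, end = _tlv(der, 0)
    except IndexError:
        return False, "too short to be DER"
    if tag != 0x30 or end != len(der):
        return False, "not a single DER SEQUENCE (X.509 Certificate)"
    return True, "PEM X.509" if blocks else "DER X.509"


def to_pem(label, der):
    """Wrap DER bytes in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed test data (not real keys or certificates): a PKCS#8 PrivateKeyInfo
# shell (version 0, rsaEncryption AlgorithmIdentifier, 2-byte dummy payload),
# a PKCS#1 RSAPrivateKey shell (version, modulus, exponent), and a bare
# SEQUENCE standing in for a certificate; only the outer structure is checked.
PKCS8_SHELL = bytes.fromhex("3016" "020100" "300d06092a864886f70d0101010500" "04020000")
PKCS1_SHELL = bytes.fromhex("300a" "020100" "020200ff" "020103")
CERT_SHELL = bytes.fromhex("3003" "020100")

if __name__ == "__main__":
    for label, der in (("PRIVATE KEY", PKCS8_SHELL), ("RSA PRIVATE KEY", PKCS1_SHELL)):
        print(label, "->", check_key(to_pem(label, der)))
    print("DER cert ->", check_cert(CERT_SHELL))
    print("PEM cert ->", check_cert(to_pem("CERTIFICATE", CERT_SHELL).encode()))
```

Run it against the real files with `check_key(open("sp-key.pem").read())` and `check_cert(open("sp-cert.pem", "rb").read())` before filling in the two fields. A key produced by `openssl genrsa` on OpenSSL 1.x is PKCS#1 and will be flagged; the `openssl pkcs8 -topk8 -nocrypt` command quoted in the result rewrites it as unencrypted PKCS#8, which is what the Service Provider Key field expects.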
Advanced Settings (optional): The following settings require editing the application.properties text file. If your FME Flow uses an Apache Tomcat web application server provided with the installation, this file is located in <FMEFlowDir>\Utilities\tomcat\webapps\fmesaml\WEB-INF\classes\. When complete, Restart the FMEFlowAppServer system service.
- fmeserver.saml.authentication.force: If true (default), the user is prompted for credentials at the identity provider every time a SAML login is initiated, even if the browser already holds an identity provider session. If false, the identity provider may complete the login automatically from the session state cached in the browser.
- fmeserver.saml.clockskew.enable: If false (default), login is allowed even when the assertion's time-validity conditions (NotBefore, NotOnOrAfter) fail; such failures occur when the identity provider and FME Flow system clocks are not synchronized. If true, the conditions are enforced with the tolerance set in fmeserver.saml.clockskew.minutes (below). Because these conditions are what bounds how long a captured assertion remains usable, prefer to keep the clocks synchronized (for example, with NTP), enable this setting, and keep the allowed skew small rather than leaving time validation off.
- fmeserver.saml.clockskew.minutes: If fmeserver.saml.clockskew.enable=true, the allowable clock skew in minutes.
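The following added example (not FME Flow code, and not Safe Software's implementation) shows what the Entity ID (Audience URI), the Attribute Field Mappings with New User Default Role, and the two fmeserver.saml.clockskew.* settings mean at the level of the SAML assertion, modelled on how the settings are described above. Assumptions not taken from the page: the identity provider attribute names (givenName, sn, uid, mail, fmeRole), the choice to fall back to the default role when the mapped value is not an existing FME Flow role, and the sample assertion itself, which is constructed and unsigned; signature validation is out of scope here.

```python
"""Added example (not FME Flow code): just-in-time user mapping, audience
check and time-condition check for a SAML assertion, modelled on the
FME Flow SAML settings described above."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Entity ID (Audience URI) exactly as registered on the identity provider.
SP_ENTITY_ID = "https://fmeflow.domain.com/fmesaml/saml2/service-provider-metadata/fmeserver"

# Attribute Field Mappings: FME Flow field -> hypothetical IdP attribute name.
MAPPING = {"First Name": "givenName", "Last Name": "sn",
           "Username": "uid", "Email": "mail", "Role": "fmeRole"}
EXISTING_ROLES = {"fmeadmin", "fmeauthor", "fmeuser"}   # assumed to exist in FME Flow

# Constructed sample assertion (not captured from a real identity provider).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2025-01-15T10:00:00Z" Version="2.0">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Subject><saml2:NameID>jdoe@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2025-01-15T10:00:00Z" NotOnOrAfter="2025-01-15T10:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://fmeflow.domain.com/fmesaml/saml2/service-provider-metadata/fmeserver</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="givenName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="sn"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="mail"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="uid"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="fmeRole"><saml2:AttributeValue>fmeauthor</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def load(xml_text):
    return ET.fromstring(xml_text)


def attributes(assertion):
    """Return {IdP attribute name: [values]} from the AttributeStatement."""
    out = {}
    for attr in assertion.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        out[attr.get("Name")] = [(v.text or "").strip()
                                 for v in attr.findall("saml2:AttributeValue", NS)]
    return out


def first(attrs, name):
    vals = attrs.get(name) or []
    return vals[0] if vals else ""


def map_user(assertion, mapping, default_role, existing_roles):
    """Build the new FME Flow user record: Full Name = First Name + Last Name,
    Username, Email, and Role with fallback to New User Default Role.
    Any role used must already exist in FME Flow."""
    attrs = attributes(assertion)
    username = first(attrs, mapping.get("Username", ""))
    if not username:
        raise ValueError("Username attribute missing; JIT provisioning cannot create the account")
    role = first(attrs, mapping.get("Role", ""))
    if role not in existing_roles:          # unmapped, absent, or not an FME Flow role
        role = default_role
    if role not in existing_roles:
        raise ValueError(f"New User Default Role {default_role!r} does not exist in FME Flow")
    parts = (first(attrs, mapping.get("First Name", "")), first(attrs, mapping.get("Last Name", "")))
    return {"name": username, "fullName": " ".join(p for p in parts if p),
            "email": first(attrs, mapping.get("Email", "")), "role": role}


def audience_ok(assertion, entity_id):
    """The Audience must equal the Entity ID registered on the IdP, byte for byte."""
    auds = [(a.text or "").strip()
            for a in assertion.findall(".//saml2:AudienceRestriction/saml2:Audience", NS)]
    return not auds or entity_id in auds


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_conditions_ok(assertion, now, skew_enabled, skew_minutes=0):
    """Mirror the two clockskew settings: with checking disabled the validity
    window is not enforced at all; with it enabled the window is widened by
    skew_minutes on each side and then enforced."""
    if not skew_enabled:
        return True                         # default: early or stale assertions pass
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        return True
    skew = timedelta(minutes=skew_minutes)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_time(nb) - skew:
        return False
    if noa and now >= parse_time(noa) + skew:
        return False
    return True


if __name__ == "__main__":
    a = load(SAMPLE_ASSERTION)
    print("audience ok:", audience_ok(a, SP_ENTITY_ID))
    print("user:", map_user(a, MAPPING, "fmeuser", EXISTING_ROLES))
    late = parse_time("2025-01-15T10:07:00Z")   # 2 min after NotOnOrAfter
    for enabled, minutes in ((False, 0), (True, 0), (True, 5)):
        print(f"skew.enable={enabled} minutes={minutes}:",
              time_conditions_ok(a, late, enabled, minutes))
```

The three `late` cases at the end are the point of the clock-skew settings: an assertion two minutes past its NotOnOrAfter is accepted with checking off, rejected with checking on and zero tolerance, and accepted again with a 5-minute tolerance. The `map_user` fallbacks show why both New User Default Role and every value the Role attribute can carry must name roles that already exist in FME Flow.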
Viewing SAML Logs
Log files fmesaml.log and restV4.log can be found in Services Logs.
fmesaml.log records:
- When a user account is created on initial login to FME Flow through Sign in with SAML.
- Subsequent logins to FME Flow through Sign in with SAML.
restV4.log records any problems encountered during SAML configuration.
For more information, see About Log Files in FME Flow.