SAML Configuration

Select User Management > Authentication Services. On the Authentication Services page, select the SAML Configuration tab.

When enabled, you can incorporate users from your organization's Security Assertion Markup Language (SAML) identity provider for authentication with FME Flow.

Note  Authentication with FME Flow through SAML is not supported in the following FME Form transformers: FMEFlowJobSubmitter, FMEFlowNotifier, FMEFlowResourceConnector, FMEFlowJobWaiter, FMEFlowLogFileRetriever.

Getting Started with SAML

To authenticate on FME Flow with a SAML identity provider, you must configure settings in two places:

  • On FME Flow.
  • On your SAML identity provider.
Note  If your FME Flow architecture includes a reverse proxy or load balancer, additional configuration is required:
Append the fully-qualified hostname of your reverse proxy to the fmeserver.saml.custom.baseurl= line in the SAML application.properties file. If your FME Flow uses an Apache Tomcat web application server provided with the installation, this file is located in <FMEFlowDir>\Utilities\tomcat\webapps\fmesaml\WEB-INF\classes\. When complete, Restart FME Flow.

On the Authentication Services page, select the SAML Configuration tab, move the Enabled slider to the right, and provide the necessary metadata and other settings, as follows. When finished, proceed to SAML Identity Provider Settings (below).

  • Upload Metadata File: If checked, allows you to upload your SAML provider metadata file in the Identity Provider Metadata File field. You can drag and drop the applicable file into the designated area. Alternatively, click inside the designated area to browse for the file.
    • Tip  This file usually has a .xml extension.

    If not checked, you must enter the following fields manually:

    • Identity Provider SSO URL
    • Identity Provider Issuer
    • Identity Provider X.509 Certificate
  • New User Default Role: If Role is not specified under Attribute Field Mappings (below), or does not match an existing role, the FME Flow role to assign to new users, by default.
    • Warning  If fmesuperuser is specified, all permissions are granted in FME Flow to new users.

     Attribute Field Mappings (optional): FME Flow User Attributes are assigned to new users according to a specified mapping. Enter attribute names from your identity provider to map them to the following FME Flow user attributes: 

    • First Name: This attribute is concatenated with Last Name to map to the Full Name of an FME Flow user account.
    • Last Name: This attribute is concatenated with First Name to map to the Full Name of an FME Flow user account.
    • Username: The attribute to map to the user Name of an FME Flow account.
    • Email: The attribute to map to the Email of an FME Flow user account.
    • Role: One or more attributes to map to the role(s) of an FME Flow user account. If your identify provider is configured with "unique" or "custom" attributes that are referenced in the distinguished name (DN) of a valid LDAP string, you must specify these attributes. This field overrides any value specified for New User Default Role, above. The values of a specified Role must match existing roles in FME Flow.
  • Sign Requests (optional): If checked, complete the following to ensure that requests between FME Flow and the identity provider are signed:
    Note   This configuration may not be supported by your SAML identity provider.
    1. Provide a Service Provider Certificate and Service Provider Key. You can create a certificate and key with a third-party application such as OpenSSL, or ask your IT department to generate these.

    2. Upload or reference the certificate in your SAML identity provider.

Advanced Settings (optional): The following settings require editing the application.properties text file. If your FME Flow uses an Apache Tomcat web application server provided with the installation, this file is located in <FMEFlowDir>\Utilities\tomcat\webapps\fmesaml\WEB-INF\classes\. When complete, Restart the FMEFlowAppServer system service.

  • fmeserver.saml.authentication.force: If true (default), forces user credential prompting when SAML login is initiated. If false, depending on the browser-cached state of SAML login, allows the user log in automatically.
  • fmeserver.saml.clockskew.enable: If false (default), allows login in case of failed datetime assertion. SAML assertion can fail when the identity provider and service provider have system clocks that are not synchronized. If true, FME Flow SAML configuration honors the fmeserver.saml.clockskew.minutes setting (below).
  • fmeserver.saml.clockskew.minutes: If fmeserver.saml.clockskew.enable=true, specifies the allowable clockskew in minutes.

Configure the following settings on your SAML identity provider:

Note  Names of settings vary by provider. For more information about configuring settings on specific providers, see this FME Community article.
  • Just-in-Time Provisioning (Auto-Membership): Ensure this setting is enabled.
  • Entity ID (Audience URI): Set to <FMEFlowWebURL>/fmesaml/saml2/service-provider-metadata/fmeserver

    • Where <FMEFlowWebURL> is the fully-qualified hostname for your FME Flow, including both the hostname and domain (for example, https://fmeflow.domain.com).

  • Single Sign On URL (Application Callback URL, Assertion Consumer Service URL): Set to <FMEFlowWebURL>/fmesaml/login/saml2/sso/fmeserver

    • Where <FMEFlowWebURL> is the fully-qualified hostname for your FME Flow, including both the hostname and domain (for example, https://fmeflow.domain.com).

Viewing SAML Logs

Log files fmesaml.log and restV4.log can be found in Services Logs.

fmesaml.log records:

  • When a user account is created on initial login to FME Flow through Sign in with SAML.
  • Subsequent logins to FME Flow through Sign in with SAML.

restV4.log records any problems encountered during SAML configuration.

For more information, see About Log Files in FME Flow.