How does the SAML protocol work?

The SAML protocol lets you log in to the FAMOC manage administrator console through an external service, the Identity Provider (IdP).

The user logs in to the IdP, selects FAMOC manage from the list of applications and is logged in to FAMOC manage automatically with the IdP credentials. If the user has no account in FAMOC manage, one can be created automatically (provided that Automatically create users is selected in the FAMOC manage settings). After logging out of FAMOC manage, the user can log in again with the Log in using SAML button, which redirects to the IdP login page. Microsoft Azure is one such IdP.

Adding a new application in the Azure portal

To integrate FAMOC manage with Azure SAML, you first create a FAMOC application in Azure and then copy the resulting data from Azure into FAMOC manage.

  1. Log in to the Microsoft Azure portal at https://portal.azure.com.

  2. Select Azure Active Directory, then select Enterprise Applications from the panel on the left.

  3. To add an application, click New application, then Non-gallery application.

  4. Select Create your own application, enter a name for the application (any name, e.g. FAMOC manage) and click Create.

  5. Go to Set up Single Sign-On -> SAML.

  6. Complete the following fields:

Identifier (Entity ID) - this can be your FAMOC manage server URL or any other value, e.g. famoc.yourorganization.com. The same value must later be entered as the EntityId parameter in the FAMOC manage SAML settings; the two must match exactly, because FAMOC manage compares it with the Audience of the assertions Azure sends. Mark this value as Default.

Reply URL (Assertion Consumer Service URL): https://serveradress.com/ui/ (the trailing /ui/ is required).

Save the changes and close this section.

  7. In the User Attributes & Claims section, leave only the Unique User Identifier; the other claims can be removed. This one must remain, and when editing it you must set Windows domain ... under "Choose name identifier format".

Save the changes and close this section.

  8. In the SAML Signing Certificate section, download Certificate (Base64). It will be used as the X.509 certificate in the FAMOC manage SAML settings, where it is needed to verify the signature on the assertions coming from Azure AD.

Remember that the users and/or groups who are to log in with this method must be assigned to the application. To do this, go to the Users and groups section and click Add user/group.

SAML configuration in FAMOC manage

To configure Azure AD SAML in FAMOC manage, navigate to the organization settings:

  1. Find the SAML settings section and click Enable SAML Authentication.

  2. Open the previously downloaded Certificate (Base64) in any text editor (e.g. Notepad), copy its whole content, paste it into the X.509 Certificate field and save by clicking the tick button.

  3. Enter the same Entity ID you entered in the Azure portal.

  4. The Login URL is https://account.activedirectory.windowsazure.com (note: not the URL from the application settings). You can also log in to FAMOC manage from this page.

Properly edited data looks like this:

The other fields are optional. They map attributes from Azure AD to FAMOC manage. Attribute mapping lets FAMOC manage create a user automatically with the same data as in Azure AD, so the user automatically gets values such as an email address or domain, which in turn simplifies further configuration, for example of an email account. Any attribute you map here must actually be sent by Azure AD, so keep the corresponding claim in User Attributes & Claims instead of removing it.

You can also enable the option to create users in FAMOC manage automatically and assign the default role to those users.
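As an added example (not part of the FAMOC documentation and not FAMOC's or Microsoft's code), the Python script below decodes the SAMLResponse that Azure AD POSTs to the Reply URL and compares it with the values configured in the two sections above: Destination against the Reply URL, Audience against the Entity ID, the NameID format, the validity window, and the certificate embedded in the assertion against the downloaded Certificate (Base64). The Entity ID, Reply URL, tenant ID, user name, email and certificate bytes are constructed placeholders, and the NameID URI is assumed to be the SAML 1.1 Windows domain qualified name format behind the guide's truncated option. The script does not verify the XML signature; only FAMOC manage (or an XML-DSig library) can do that, so a matching certificate here means the IdP presented the certificate you pasted, not that the assertion is authentic.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed example values mirroring the guide's placeholders.
EXPECTED = {
    "entity_id": "famoc.yourorganization.com",   # Identifier (Entity ID) in Azure == EntityId in FAMOC manage
    "acs_url": "https://serveradress.com/ui/",    # Reply URL (ACS), trailing /ui/ included
    # SAML 1.1 URI for Azure's "Windows domain qualified name" (assumed to be the guide's truncated option)
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
}
# Constructed stand-in for the downloaded Certificate (Base64): PEM armour around dummy bytes, not a real X.509 cert.
CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"constructed-dummy-certificate-bytes").decode()
            + "\n-----END CERTIFICATE-----\n")
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # "current time" for the constructed sample


def normalize_cert(text):
    """Strip PEM armour and whitespace so the downloaded file and ds:X509Certificate compare as equal strings."""
    return re.sub(r"\s+", "", re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text))


def parse_ts(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_sample_response(audience, cert_b64):
    """Constructed SAMLResponse in the shape Azure AD sends (tenant ID, user and timestamps are made up;
    SignedInfo/SignatureValue are omitted because this script does not check the signature)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://serveradress.com/ui/">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{EXPECTED['nameid_format']}">CORP\\jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@yourorganization.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_response(saml_response_b64, expected, signing_cert_pem, now):
    """Decode the POSTed SAMLResponse and compare it with the configured values.
    Returns (findings, problems): what the response carries, and a list of mismatches (empty when all lines up)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, ["response carries no Assertion"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    conditions = assertion.find("saml:Conditions", NS)
    cert_el = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    findings = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination", ""),
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                       default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "cert_matches_download": cert_el is not None
                                 and normalize_cert(cert_el.text or "") == normalize_cert(signing_cert_pem),
        # Input for attribute mapping: claim name -> values (empty when only the Unique User Identifier is sent)
        "attributes": {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
                       for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }
    problems = []
    if findings["destination"] != expected["acs_url"]:
        problems.append(f"Destination {findings['destination']!r} != Reply URL {expected['acs_url']!r}")
    if findings["audience"] != expected["entity_id"]:
        problems.append(f"Audience {findings['audience']!r} != Entity ID {expected['entity_id']!r}")
    if findings["name_id_format"] != expected["nameid_format"]:
        problems.append(f"NameID format {findings['name_id_format']!r} is not the configured one")
    if not findings["cert_matches_download"]:
        problems.append("embedded X509Certificate differs from the downloaded Certificate (Base64)")
    if conditions is not None:
        nb, na = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if (nb and now < parse_ts(nb)) or (na and now >= parse_ts(na)):
            problems.append("assertion is outside its NotBefore/NotOnOrAfter window (check clock skew)")
    return findings, problems


if __name__ == "__main__":
    resp = build_sample_response(EXPECTED["entity_id"], normalize_cert(CERT_PEM))
    findings, problems = check_response(resp, EXPECTED, CERT_PEM, SAMPLE_NOW)
    print(findings["name_id"], findings["attributes"], problems)
    # FAMOC manage configured with a different Entity ID than Azure: shows up as an Audience mismatch.
    print(check_response(resp, {**EXPECTED, "entity_id": "https://serveradress.com"}, CERT_PEM, SAMPLE_NOW)[1])
```

To use it against a real login, take the SAMLResponse form field from the browser's network tab when Azure AD redirects you to /ui/ and pass it to check_response with your own values: a typo in the Entity ID appears as an Audience mismatch, a Reply URL without the trailing /ui/ as a Destination mismatch, and a wrong server clock as a NotBefore/NotOnOrAfter finding.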


Known issues

In some cases, when you try to log in to FAMOC manage using Azure AD, you may receive a 400 error. This can happen if you are already logged in in the same browser. To avoid it, log out and clear your browser cookies.

Summary

From now on, when you log in from the same computer and browser, FAMOC manage will remember that you logged in with Azure AD and will suggest this method when you open the FAMOC manage login page.