Configuring SAML in WebUI (Cloud)

Prerequisites:

You have the following information which you acquired from your IdP (On-premise):

• Metadata.xml file or metadata URL
• IdP X.509 public key certificate
• Entity ID and SSO URL

Step 1 - Backup your web.config file

Located in %installdirectory%\FlexNet Manager Platform\WebUI\web.config

Step 2 - Disabling Windows Authentication and enabling Forms and Anonymous Authentication

• Go to IIS Manager in your FlexNet Manager Suite server.
• Go to Default Web Site > Suite > Authentication
• Disable Windows Authentication
• Enable Forms Authentication and Anonymous Authentication
• Repeat the above steps for SAPOptimization and ECMBusinessPortal sub-applications within the Default Web Site.

Step 3 - Copying the metadata file and IdP public key (signing certificate)

If you prefer to use metadata URL and the IdP X.509 public certificate file is already included in your metadata, ignore this step.

• Create "App_Data" directory in %installdirectory%\FlexNet Manager Platform\WebUI\App_Data
• Copy metadata.xml file to the App_Data directory (unless you prefer to use metadata URL).
• Copy IdP X.509 public certificate file to the App_Data directory (unless the public certificate is already included in the metadata).

Step 4 - Changing authentication type to SAML in the web.config

In your web.config file, locate the following within <flexera.web> element and change authenticationType from "Windows" to "Saml".

<signOn authenticationType="Windows" authenticationLogin="" createUnknownOperator="true" ... ></signOn>

Step 5 - Configuring Kentor.AuthServices section in the web.config

In your web.config file, locate the <Kentor.AuthServices> element and replace it with:

<kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Never">
    <identityProviders>
        <add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml">
            <signingCertificate fileName="~/App_Data/okta.cert" />
        </add>
    </identityProviders>
    <serviceCertificates></serviceCertificates>
</kentor.authServices>

In the identityProviders section, fill in the following values:

• Replace entityId and signOnUrl with the values you received from your IdP.
• If you prefer to use metadata URL, replace metadata location with the metadata URL (e.g. https://myidp.com/fnmssamlapp/metadata). If specified via file, ensure the path to metadata.xml file is correct.
• If IdP X.509 public certificate is already included in your metadata, completely remove the signingCertificate element. If specified via file, ensure the path to the public certificate file is correct.

If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the troubleshooting guide and list of common errors.

Note: SSO for multi-tenant on-prem FlexNet Manager Suite is not supported. You can vote for this idea in Flexera Ideas if it's useful to you: SAML 2.0 support and dedicated documentation for MSP (multi-tenant) installations needed.

Configuring SAML in WebUI (Partner)

# If you prefer to use metadata file:
.\ConfigureSystem.exe apply-saml-configuration --metadata-file=<PATH> --state=<SamlPilotAgw> --tenantuid=xxx

# If you prefer to use metadata URL:
.\ConfigureSystem.exe apply-saml-configuration --metadata-url=<URL> --state=<SamlPilotAgw> --tenantuid=xxx

# Optional: if needed, see helptext and other supported operations
.\ConfigureSystem.exe help apply-saml-configuration
.\ConfigureSystem.exe help clear-saml-configuration
.\ConfigureSystem.exe help export-saml-configuration

Configuring SP default timeout in FlexNet Manager Suite

Supported: FlexNet Manager Suite On-premise 2020 R1+

This is to configure the default timeout to determine how long FlexNet Manager Suite should keep local session before attempting to re-authenticate with the IdP.

As per specification, SAML supports IdP-provided value for the SP timeout by specifying  <sessionNotOnOrAfter> attribute within the SAML response sent from the IdP to SP. However, that is an optional specification, and not all IdPs may support sending this value.

As an alternative, you can configure the default timeout value in FlexNet Manager Suite by:

Cloud

• Specify the default timeout value in Web UI > System Settings > Security page.

On-premise

• The timeout is not currently configurable for an on-premise installation and has a default timeout of 60 minutes.

Automatically creating unknown operators

This setting is defaulted to true. To simplify creation of new operators in FlexNet Manager Suite, you can specify the following settings in your web.config file, located within %installdirectory%\FlexNet Manager Platform\WebUI directory.

When the setting is set to true, a new operator will automatically be created in FlexNet Manager Suite upon first successful SSO. However on its own, this setting will not automatically grant any role to the operator. As such, the operator will see a "No role" page and will require FlexNet Manager Suite administrator to grant an explicit role to that operator.

To change this behavior, specify either "true" or "false" in the "createUnknownOperator" value below.

<signOn authenticationType="Saml" authenticationLogin="" createUnknownOperator="true" ... ></signOn>

Using custom attribute in place of Name ID attribute

This is typically not required for standard setup. It is recommended to leave "authenticationLogin" value empty.

The Name ID attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) is typically sent by your IdP and used by FlexNet Manager Suite to uniquely identify an operator login identity. This value can be john.doe@flexera.com, for example.

However if you have a special use case where you want a different attribute (not Name ID attribute) to be used as the operator identifier, you will need to specify the custom attribute name/type in the "authenticationLogin" value below. 

<signOn authenticationType="Saml" authenticationLogin="OperatorLogin" createUnknownOperator="true" ... ></signOn>

In the example above, FlexNet Manager Suite will expect the "OperatorLogin" attribute to exist in the SAML response sent by the IdP, and will use this value to uniquely identify an operator login identity.

Configuring outgoing requests from SP to the IdP to be signed

This is typically not required for standard setup.

Certain SAML operations such as Single Logout (SLO) requires outgoing requests from SP to the IdP to be signed. For example when triggering an SP-initiated SLO, the IdP needs to trust that the saml2p:LogoutRequest payload indeed comes from FlexNet Manager Suite, before logging out the user from the IdP and all other non-Flexera applications which support SLO.

To sign outgoing SAML requests, you first need to acquire a public/private key pair to be used for signing purpose. Talk to your IT/Security expert who can help you with this. It is your responsibility to keep the said private key secure.

Once you have the private key file, import it into the certificate store in your FlexNet Manager Suite server. And then go to your web.config file, locate the <kentor.authServices> element, and set the authenticateRequestSigningBehavior from "Never" to "Always", which indicates we want outgoing requests from SP to the IdP to be signed.

You will then need to supply the path to the private key in Windows certificate store within the <serviceCertificates> element, i.e.

<kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Always">
    <identityProviders>
        <add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml">
            <signingCertificate fileName="~/App_Data/okta.cert" />
        </add>
    </identityProviders>
    <serviceCertificates>
        <add storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="sso.flexnet.myorganization.com" use="Signing" />
    </serviceCertificates>
</kentor.authServices>

In the above example, the key to be used for signing will be located from Certificate Store (Local Machine) > Personal > Certificates > a certificate matching subject name: "sso.flexnet.myorganization.com". Note that the criteria here has to match exactly one certificate.

Alternatively, you can configure these attributes differently to locate the signing certificate; refer to the external documentation below:

• storeName: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storename?view=netframework-4.5
• storeLocation: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storelocation?view=netframework-4.5
• x509FindType: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509findtype?view=netframework-4.5
• findValue: specify the certificate subject, thumbprint, etc., depending on the x509FindType you decide to use.