[FNMS SAML Setup] WebUI configuration guide to enable SSO / SAML in FlexNet Manager Suite

This article is part of a wider topic; see the parent page.

Configuring SAML in WebUI (Cloud)

Prerequisites:

You have the following information which you acquired from your IdP:
  • Metadata.xml file or metadata URL
  • IdP X.509 public key certificate (optional); if provided, it must be included as part of the metadata, not supplied as a separate file

To configure SAML in FlexNet Manager Suite Cloud, simply upload your metadata file or URL via Web UI > System Settings > Security page.


THAT'S IT ABOUT CONFIGURING SSO/SAML FOR CLOUD.


 

Configuring SAML in WebUI (On-premise)

Prerequisites:

You have the following information which you acquired from your IdP (On-premise):

  • Metadata.xml file or metadata URL
  • IdP X.509 public key certificate
  • Entity ID and SSO URL

Step 1 - Backup your web.config file

Located in %installdirectory%\FlexNet Manager Platform\WebUI\web.config

Step 2 - Disabling Windows Authentication and enabling Forms and Anonymous Authentication

  • Go to IIS Manager in your FlexNet Manager Suite server.
  • Go to Default Web Site > Suite > Authentication
  • Disable Windows Authentication
  • Enable Forms Authentication and Anonymous Authentication
  • Repeat the above steps for the SAPOptimization and ECMBusinessPortal sub-applications within the Default Web Site.

Step 3 - Copying the metadata file and IdP public key (signing certificate)

If you prefer to use the metadata URL and the IdP X.509 public certificate is already included in your metadata, skip this step.

  • Create the "App_Data" directory at %installdirectory%\FlexNet Manager Platform\WebUI\App_Data
  • Copy the metadata.xml file to the App_Data directory (unless you prefer to use the metadata URL).
  • Copy the IdP X.509 public certificate file to the App_Data directory (unless the public certificate is already included in the metadata).

Step 4 - Changing authentication type to SAML in the web.config

In your web.config file, locate the following element within the <flexera.web> element and change authenticationType from "Windows" to "Saml":

<signOn authenticationType="Windows" authenticationLogin="" createUnknownOperator="true" ... ></signOn>

Step 5 - Configuring Kentor.AuthServices section in the web.config

In your web.config file, locate the <kentor.authServices> element and replace it with the following:

<kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Never">
    <identityProviders>
        <add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml">
            <signingCertificate fileName="~/App_Data/okta.cert" />
        </add>
    </identityProviders>
    <serviceCertificates></serviceCertificates>
</kentor.authServices>

In the identityProviders section, fill in the following values:

  • Replace entityId and signOnUrl with the values you received from your IdP.
  • If you prefer to use the metadata URL, replace the metadataLocation value with the metadata URL (e.g. https://myidp.com/fnmssamlapp/metadata). If you specify it via file, ensure the path to the metadata.xml file is correct.
  • If the IdP X.509 public certificate is already included in your metadata, remove the signingCertificate element entirely. If you specify it via file, ensure the path to the public certificate file is correct.
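The values for Step 3 and Step 5 (entityId, signOnUrl, and whether a separate signing certificate file is needed at all) can be read straight out of the IdP metadata. The following script is an added example, not part of this article or of the FlexNet Manager Suite product: it parses a constructed, minimal IdP metadata document and renders the <add> element for <identityProviders>, leaving out <signingCertificate> when the metadata already embeds the IdP certificate. The sample metadata, the idp.example.test URLs and the ~/App_Data/idp.cert path are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, minimal IdP metadata for illustration only (not from any real IdP).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml/fnms">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...CONSTRUCTED_PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/fnms/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/fnms/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def read_idp_metadata(xml_text):
    """Return (entityID, HTTP-Redirect SSO URL, whether a signing certificate is embedded)."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sso_url = None
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:   # matches binding="HttpRedirect" in web.config
            sso_url = svc.get("Location")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    has_cert = any(kd.get("use", "signing") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None
                   for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS))
    if entity_id is None or sso_url is None:
        raise ValueError("metadata lacks entityID or an HTTP-Redirect SingleSignOnService")
    return entity_id, sso_url, has_cert

def build_idp_entry(entity_id, sso_url, has_cert,
                    metadata_location="~/App_Data/metadata.xml", cert_file="~/App_Data/idp.cert"):
    """Render the <add> element for <identityProviders>, omitting <signingCertificate> when the
    metadata already carries the IdP certificate (cert_file is a hypothetical App_Data path)."""
    attrs = (f"entityId={quoteattr(entity_id)} signOnUrl={quoteattr(sso_url)} "
             'allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" '
             f"metadataLocation={quoteattr(metadata_location)}")
    if has_cert:
        return f"<add {attrs} />"
    return f"<add {attrs}>\n    <signingCertificate fileName={quoteattr(cert_file)} />\n</add>"

if __name__ == "__main__":
    print(build_idp_entry(*read_idp_metadata(SAMPLE_METADATA)))
```

Point SAMPLE_METADATA at the contents of your own metadata.xml to get the element to paste into <identityProviders>; the metadataLocation value still has to be changed by hand if you use the metadata URL instead of the file.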

THAT'S IT ABOUT CONFIGURING SSO/SAML FOR ON-PREMISE.


 

Configuring SAML in WebUI (Partner)

Prerequisites:

You have the following information which you acquired from your IdP:
  • Metadata.xml file or metadata URL
  • IdP X.509 public key certificate (optional); if provided, it must be included as part of the metadata, not supplied as a separate file

To configure SAML in FlexNet Manager Suite Partner/Multi-Tenant system, you can either:

  • Log on to the tenant you want to configure SAML for, and upload your metadata file or URL via Web UI > System Settings > Security page while logged on to that tenant.
  • Alternatively, on the FlexNet Manager Suite server, navigate to %installdirectory%\DotNet\bin and execute one of the commands below.
# If you prefer to use metadata file:
.\ConfigureSystem.exe apply-saml-configuration --metadata-file=<PATH> --state=<SamlPilotAgw> --tenantuid=xxx

# If you prefer to use metadata URL:
.\ConfigureSystem.exe apply-saml-configuration --metadata-url=<URL> --state=<SamlPilotAgw> --tenantuid=xxx

# Optional: if needed, see helptext and other supported operations
.\ConfigureSystem.exe help apply-saml-configuration
.\ConfigureSystem.exe help clear-saml-configuration
.\ConfigureSystem.exe help export-saml-configuration

Ensure the correct TenantUID is passed. The following "state" values are supported for the --state argument in the commands above:

  • AgwOnly: only allow operators to sign on via AGW; SAML disabled / AGW enabled
  • SamlPilotAgw: allow operators to perform IdP-initiated SSO, while keeping the default sign on provider as AGW; both SAML and AGW enabled
  • SamlAgw: allow operators to perform IdP and SP-initiated SSO with default sign on provider as SAML; both SAML and AGW enabled
  • SamlOnly: allow operators to perform IdP and SP-initiated SSO with default sign on provider as SAML; SAML enabled / AGW disabled

After running ConfigureSystem.exe, you will need to restart IIS for the changes to take effect.


THAT'S IT ABOUT CONFIGURING SSO/SAML FOR PARTNER/MULTI-TENANT SYSTEM.


 

Other WebUI configurations

Configuring SP default timeout in FlexNet Manager Suite

Supported: FlexNet Manager Suite On-premise 2020 R1+

This setting configures the default timeout, i.e. how long FlexNet Manager Suite keeps the local session before attempting to re-authenticate with the IdP.

As per the specification, SAML lets the IdP provide the SP timeout through the SessionNotOnOrAfter attribute in the SAML response sent from the IdP to the SP. However, that attribute is optional in the specification and not all IdPs send it.

As an alternative, you can configure a default timeout value in FlexNet Manager Suite as follows:

Cloud

  • Specify the default timeout value in Web UI > System Settings > Security page.

On-premise

  • Specify the value via a database setting by executing the following SQL in your Compliance database:
DECLARE @TimeoutInMinutes INT = 60		-- 60 minutes
DECLARE @SettingNameID INT = (SELECT SettingNameID FROM dbo.SettingName WHERE [Name] = 'LoginTimeoutMinutes')
EXEC ComplianceTenantSettingPutBySettingNameID @SettingNameID, @TimeoutInMinutes

Automatically creating unknown operators

This setting defaults to true. To simplify the creation of new operators in FlexNet Manager Suite, you can set the following value in your web.config file, located in the %installdirectory%\FlexNet Manager Platform\WebUI directory.

When the setting is true, a new operator is automatically created in FlexNet Manager Suite upon the first successful SSO. However, on its own this setting does not grant any role to the operator. As such, the operator will see a "No role" page, and a FlexNet Manager Suite administrator must grant that operator an explicit role.

To change this behavior, set the "createUnknownOperator" value below to either "true" or "false".

<signOn authenticationType="Saml" authenticationLogin="" createUnknownOperator="true" ... ></signOn>

Using custom attribute in place of Name ID attribute

This is typically not required for standard setup. It is recommended to leave "authenticationLogin" value empty.

The Name ID attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) is typically sent by your IdP and used by FlexNet Manager Suite to uniquely identify an operator login identity. This value can be john.doe@flexera.com, for example.

However, if you have a special use case where you want a different attribute (not the Name ID attribute) to be used as the operator identifier, you will need to specify the custom attribute name/type in the "authenticationLogin" value below.

<signOn authenticationType="Saml" authenticationLogin="OperatorLogin" createUnknownOperator="true" ... ></signOn>

In the example above, FlexNet Manager Suite will expect the "OperatorLogin" attribute to exist in the SAML response sent by the IdP, and will use this value to uniquely identify an operator login identity.

Configuring outgoing requests from SP to the IdP to be signed

This is typically not required for standard setup.

Certain SAML operations, such as Single Logout (SLO), require outgoing requests from the SP to the IdP to be signed. For example, when an SP-initiated SLO is triggered, the IdP needs to trust that the saml2p:LogoutRequest payload indeed comes from FlexNet Manager Suite before logging the user out of the IdP and of all other non-Flexera applications that support SLO.

To sign outgoing SAML requests, you first need to acquire a public/private key pair to be used for signing purposes. Talk to your IT/Security expert, who can help you with this. It is your responsibility to keep the private key secure.

Once you have the private key file, import it into the certificate store on your FlexNet Manager Suite server. Then open your web.config file, locate the <kentor.authServices> element, and change authenticateRequestSigningBehavior from "Never" to "Always", which tells the SP to sign its outgoing requests to the IdP.

You will then need to tell the SP how to locate the signing certificate (and its private key) in the Windows certificate store, within the <serviceCertificates> element, e.g.:

<kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Always">
    <identityProviders>
        <add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml">
            <signingCertificate fileName="~/App_Data/okta.cert" />
        </add>
    </identityProviders>
    <serviceCertificates>
        <add storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="sso.flexnet.myorganization.com" use="Signing" />
    </serviceCertificates>
</kentor.authServices>

In the above example, the key used for signing is located in Certificate Store (Local Machine) > Personal > Certificates, as the certificate whose subject name matches "sso.flexnet.myorganization.com". Note that the search criteria must match exactly one certificate.
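Because IIS must be restarted before these edits take effect, it pays to check the SAML-related parts of web.config for consistency first. The script below is an added example, not part of this article or of the product: it lints a constructed, trimmed web.config skeleton for the mistakes the steps above can leave behind, i.e. authenticationType not switched to "Saml" (Step 4), REPLACE_WITH_ placeholders still present (Step 5), a metadata URL fetched over plain http, and authenticateRequestSigningBehavior="Always" without exactly one signing entry under <serviceCertificates>. The sample config and the idp.example.test URLs are constructed; the default of "Both" for Kentor's use attribute is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed web.config skeleton holding only the elements this article edits;
# a real web.config carries many more sections.
SAMPLE_WEB_CONFIG = """<configuration>
  <flexera.web>
    <signOn authenticationType="Saml" authenticationLogin="" createUnknownOperator="true" />
  </flexera.web>
  <kentor.authServices entityId="https://flexnet.myorganization.com/Suite"
      returnUrl="https://flexnet.myorganization.com/Suite/AuthServices"
      authenticateRequestSigningBehavior="Always">
    <identityProviders>
      <add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="https://idp.example.test/sso"
           allowUnsolicitedAuthnResponse="true" binding="HttpRedirect"
           loadMetadata="true" metadataLocation="http://idp.example.test/metadata" />
    </identityProviders>
    <serviceCertificates></serviceCertificates>
  </kentor.authServices>
</configuration>"""

def lint_saml_config(xml_text):
    """Return a list of findings for the SAML-related parts of web.config (empty = consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    sign_on = next(root.iter("signOn"), None)
    if sign_on is None or sign_on.get("authenticationType") != "Saml":
        findings.append("signOn authenticationType is not 'Saml' (Step 4 not applied)")
    ks = next(root.iter("kentor.authServices"), None)
    if ks is None:
        return findings + ["kentor.authServices element is missing"]
    for idp in ks.iterfind("identityProviders/add"):
        for attr in ("entityId", "signOnUrl"):
            if idp.get(attr, "").startswith("REPLACE_WITH_"):
                findings.append(f"identityProviders/add: {attr} still holds the placeholder")
        if idp.get("metadataLocation", "").lower().startswith("http://"):
            findings.append("metadataLocation is fetched over plain http; use https or a local file")
    # Kentor's 'use' attribute is Signing, Encryption or Both; assumed here to default to Both.
    signing = [c for c in ks.iterfind("serviceCertificates/add") if c.get("use", "Both") in ("Signing", "Both")]
    if ks.get("authenticateRequestSigningBehavior") == "Always" and len(signing) != 1:
        findings.append("authenticateRequestSigningBehavior is 'Always' but serviceCertificates "
                        "does not name exactly one signing certificate")
    return findings

if __name__ == "__main__":
    for finding in lint_saml_config(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

Run it against your real web.config by reading the file into lint_saml_config; an empty result means the four checks above pass, not that the IdP will accept the configuration.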

Alternatively, you can configure these attributes differently to locate the signing certificate; refer to the external documentation below:

Revision: 6 of 6
Last update: Aug 12, 2020 01:56 AM