Ultimate SSO / SAML configuration guide in FlexNet Manager Suite

Purpose of this article

This article aims to provide a practical guide to configuring SSO / SAML for your FlexNet Manager Suite On-premise system. If you are using our cloud offering prior to Flexera Identity and Access Management (IAM) integration, then the contents of this article will also be relevant for you.

How to configure Single Sign On (SSO)

Configuring SSO is a two-step process, as follows.

Step 1 - Identity Provider (IdP) configuration

To configure SSO for a specific IdP vendor, refer to the sub-articles below:

  • Okta: refer to the "Configuring SAML application in Okta" section within the Okta configuration guide.
  • Other Identity Providers: no specific guide is currently available; refer to the Okta guide and apply a similar configuration in your IdP.

Step 2 - Service Provider (SP) configuration

Refer to the "Configuring SAML in WebUI" section within the WebUI configuration guide.


THAT'S IT ABOUT CONFIGURING SSO.


 

How to configure Single Logout (SLO)

Prerequisites:

  • This is an advanced configuration and typically not required by many organizations. You will need to acquire a public/private key pair used for signing requests from FlexNet Manager Suite (SP) to the Identity Provider (IdP).
  • Single Logout (SLO) is currently only supported in the FlexNet Manager Suite On-premise offering.
  • Your IdP has to support Single Logout (SLO).

Configuring SLO is yet another two-step process, as follows.

Step 1 - Service Provider (SP) configuration

Single Logout requires outgoing requests from the SP to the IdP to be signed. Refer to the "Configuring outgoing requests from SP to the IdP to be signed" section within the WebUI configuration guide to complete this step.

Step 2 - Identity Provider (IdP) configuration

To configure SLO for a specific IdP vendor, refer to the sub-articles below:

  • Okta: refer to the "Enabling Single Logout in Okta" section within the Okta configuration guide.
  • Other Identity Providers: no specific guide is currently available; refer to the Okta guide and apply a similar configuration in your IdP.

THAT'S IT ABOUT CONFIGURING SLO.


 

Appendix

Key terminologies

  • SAML: Security Assertion Markup Language
    Open standard for exchanging authentication and authorization data between Identity Provider and Service Provider through digitally signed SAML requests and responses. FlexNet Manager Suite supports SAML 2.0.

  • IdP: Identity Provider
    A service that stores and verifies user identity. This will be the entity you are trusting to authenticate users to FlexNet Manager Suite.

  • SP: Service Provider
    Your FlexNet Manager Suite system that will be receiving and accepting authentication from the IdP.

  • Single Sign On (SSO)
    A process which allows your user to sign on once to your IdP, and in turn gain access to all applications within your organization.

  • Single Logout (SLO)
    A process which allows your user to log out once from either the SP or the IdP, which will in turn log the user out from all applications. Whether you want SLO to be implemented will depend on your business use case. Many businesses choose not to implement this as they don't want logging out from the SP to trigger a global logout from the IdP and other applications within the organization. Note that SLO is supported in FlexNet Manager Suite On-premise as of today.

  • IdP-initiated SSO / SLO
    This means that the user starts a Single Sign On (SSO) or Single Logout (SLO) workflow from the IdP. For example, if your user logs in to Okta and then selects the 'FlexNet Manager Suite' application, then this will be called IdP-initiated SSO.

  • SP-initiated SSO / SLO
    This means that the user starts a Single Sign On (SSO) or Single Logout (SLO) workflow from the SP. For example, if your user hits https://myorganization.flexera.com and gets redirected to the IdP to complete the sign on process, then this will be called SP-initiated SSO.

  • FlexNet Manager Suite URL / SP URL:
    This is the URL your operators use to access FlexNet Manager Suite in their browser. For the purpose of this guide, we will assume this to be https://flexnet.myorganization.com/Suite. Anytime this URL is referenced, you will have to replace this with the actual application URL.
Comments

@kent-au  It's a simple and straightforward document which will help us like anything for easy integration of Okta with FNMS.

It will be great if we can have such a detailed configuration article or documentation about IBM Cognos configuration with Okta.

 

Regards,

junaid vengadan

 

@junaid_vengadan - The authentication to Cognos is built into FlexNet Manager as part of the installation.  Authentication to Cognos is directly from FlexNet Manager.  In other words, you cannot log directly into Cognos outside of FlexNet.  Therefore, integration with OKTA is not needed for Cognos.

You must first log into FlexNet Manager using OKTA, and once you are logged into Cognos, your security roles within FlexNet Manager indicate if you can connect/log into Cognos.

@kclausen, thanks a lot for your feedback.

Just to clarify, I can see there is some configuration for Cognos SSO mentioned in the System reference document. Please refer to point number 6 in the following page.

https://docs.flexera.com/FlexNetManagerSuite2020R2/EN/SystemRef/index.html#SysRef/Authentication/tas... 

I'm confused in choosing the actual approach as I'm getting an error when following the above method.

 

Regards,

Junaid Vengadan

@kent-au @kclausen  

Just to update...

 

For me the Cognos access is working only when I configure the SSO at the Cognos server side as well.

I followed the System reference document and it is working fine with some minor modifications.

 

Regards,

Junaid Vengadan

@junaid_vengadan - Thank you for the update and happy to hear that you got the SSO working for Cognos Analytics.

Version history
Revision #: 18 of 18
Last update: Aug 07, 2020 04:26 AM