The Community is now in read-only mode to prepare for the launch of the new Flexera Community. During this time, you will be unable to register, log in, or access customer resources. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSO Integration with Flexera One approach and best practices

winvarma
By
Level 10

Hi Team, we are in the process of integrating Azure SSO with Flexera One ITAM and please help with the steps to be followed by Azure Admin and Flexera Admin and any kind of documentation apart from the references which we have in Flexera published url's like https://docs.flexera.com, https://docs.flexera.com/flexera/EN/Administration/AzureADSSO.htm.

There is a reference link in Azure tutorials suggesting how integration can be done https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/flexera-one-tutorial  and there is a query on this.

As per the tutorial steps as mentioned below how to get the 'ID' does it mean Identity provider or the organisation id? Do we have to contact flexera support as suggested in the snapshot?

How are the Azure Ad groups created for this integration to provide permissions to the users going to authenticate and how are the roles going to be assigned once integration is done? Are the users who are using SSO Authentication going to land on the Dashboard page?

what additional tasks to be done at Flexera end for enabling the users with required access? As we don't have AD integrated in our solution asking this question.

Appreciate your thoughts and suggestions.

(9) Replies

ChrisG
By Level 20 Flexeran
Level 20 Flexeran

@winvarma wrote:

As per the tutorial steps as mentioned below how to get the 'ID' does it mean Identity provider or the organisation id? Do we have to contact flexera support as suggested in the snapshot?

If I'm following right, I think you are referring to step 4 under the heading "Configure Azure AD SSO" on the Microsoft tutorial page.

See the information under the heading "Step 5: Setting Up Azure AD SSO with SAML 2.0" in the Flexera One documentation for where to get the relevant values to put in to these fields in the Azure AD single sign-on configuration.


@winvarma wrote:

How are the Azure Ad groups created for this integration to provide permissions to the users going to authenticate and how are the roles going to be assigned once integration is done?

AD groups would be created according to whatever process the organization normally uses to create AD groups. Flexera One does not place any particular requirements on how groups are created.

To give a group (or user) access to Flexera One, see the steps under the heading "Step 6: Testing the Azure AD SSO > Assigning a User or Group to Test the Azure AD SSO" on the Flexera One documentation page.

See the following page for guidance on how to apply roles for groups: Creating and Managing User Groups.

@winvarma wrote:

Are the users who are using SSO Authentication going to land on the Dashboard page?

Users normally land on the Flexera One "Getting Started" home page after signing in.

 

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Hi @ChrisG ,thanks for the swift response.

Please clarify how to get the below values populated and is it from Azure once Application is on boarded? As in our case Azure team is asking us to provide the values in steps 3 and 4 URL's <someChars>.

On Azure’s Setup Single Sign-On with SAML screen, click the pencil icon to edit the Basic SAML Configuration.

2.

In the Identifier (Entity ID) field, copy and paste Flexera One’s Service Provider Entity ID. The information to be copied is generated in step 4 of Step 4: Setting Up an Identity Provider in Flexera One.

3.

In the Reply URL (Assertion Consumer Service URL) field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. For example:

https://secure.flexera.com/sso/saml2/<someChars>

4.

In the Sign on URL field, copy and paste Flexera One’s Assertion Consumer Service (ACS) URL. For example:

https://secure.flexera.com/sso/saml2/<someChars>

5.

Click Save.

 

ChrisG
By Level 20 Flexeran
Level 20 Flexeran

The fields that you are referring to there are available from the "General" tab when you select the Administration > Identity Providers menu option in Flexera One:

image.png

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Hi @ChrisG , 

We are yet get the SAML IDP's application signature certificate from SSO admin.

So as per your inputs the details will be populated once the Flexera application is first onboarded and once they share the Signature certificate

Hi @ChrisG , Please help if my understanding is correct as mentioned above

ChrisG
By Level 20 Flexeran
Level 20 Flexeran

If I'm following right, I think you are saying that steps 3 and 4 to set up the certificate and other details in Flexera One need to be done before step 5 where you get the values to configure in Azure AD SSO. That is correct: the steps should be done in the order documented.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

winvarma
By
Level 10

Hi @ChrisG , we are trying to do the SSO integration and when we browse the IDP SAML Signature certificate its showing invalid certificate. Any suggestions?

ChrisG
By Level 20 Flexeran
Level 20 Flexeran

I don't know exactly what you're looking at here, but it sounds a little different from the core questions that were raised at the start of this thread. To keep each forum thread focused on a single topic/question, maybe start a new thread including a screenshot illustrating what you're trying to do and the error you're seeing.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

winvarma
By
Level 10

Hi All, thanks for the response and guidance. Finally we are done with SSO and Flexera One integration with the help of support. Anyone trying to do SSO integration should reach out to Flexera support for getting few details required to be populated while adding New Identity provider and in our case the initial details are populated by Flexera support and later the fields related to SSO url's are provided by internal teams and then validating the domains.

Property

Value

Identify Provider Name

your name for identifying the Identity provider

Assertion consumer service (ACS) URL

Contact Flexera Support for this URL

Service provider entity ID

Contact Flexera Support for this URL

Issuer URI

Values will be populated once the application gets created in Azure and will be unique to Identity Provider

Issuer URL (aka: Identifier Entity ID/Audience URI SP Identity ID )

 Values will be populated once the application gets created in Azure and will be unique to Identity Provider

Discovery Hint

Unique values to help users navigate more quickly to your organisation’s federated identity provider sign-in page

Signature Certificate

Values will be populated once the application gets created in Azure and application SAML certificate is imported from into Identity provided created in Flexera one SSO integration 

Request Binding

HTTP-POST

posting the update which might help other folks on the community.

regards,