This article is a part of a wider topic, see parent page. Checking the error logs If you are using FlexNet Manager Suite Cloud, you will need to provide the Error ID to Support. If you are using FlexNet Manager Suite On-premise offering, you can enable debug-level logging and analyze the error logs yourself. To enable debug-level logging: Modify the log level for the following items to "DEBUG" in %programdata%\Flexera Software\Compliance\Logging\WebUI.config file. Kentor.AuthServices (default: "WARN") Root (default: "INFO") Restart IIS. Perform the same action which led to the error you encountered before (it will now emit debug-level logging). Accessing the logs: The WebUI log is accessible in %programdata%\Flexera Software\Compliance\Logging\WebUI\webui.log file. Notice that most authentication-related errors with SAML begin with generic error message. The actual error log which is valuable is found in the end of line. For example, ManageSoft.Compliance.Security.Sso.SamlCoreException: There is problem while authenticating via SAML. Please make sure (a) that the web.config element 'kentor.authServices' is correctly configured, and (b) that the web server can connect to the configured SAML identity provider (if automatic metadata download is enabled). ---> System.Configuration.ConfigurationErrorsException: Unexpected entity id "https://sts.windows.net/xxx/" found when loading metadata for "https://sts.windows.net/yyy/". at Kentor.AuthServices.IdentityProvider.ReadMetadata(ExtendedEntityDescriptor metadata) at Kentor.AuthServices.IdentityProvider.DoLoadMetadata()  In the above log, the error log you will be interested to analyze will be: System.Configuration.ConfigurationErrorsException: Unexpected entity id "https://sts.windows.net/xxx/" found when loading metadata for "https://sts.windows.net/xxx/" at ...​ Common errors and possible resolutions #1 - Operator not being assigned to any role Note that this is expected in most cases and not an actual SAML configuration issue. In fact you probably got things working if this is the only error you notice in the log file. Example log: User hello@flexera.com has no access rights in tenant Resolution: Ask your FlexNet Manager Suite administrator to assign you to a role via the Web UI. If you are the administrator, either assign yourself to Administrator role via the database, or ensure you pass 'FnmsAdmin' claim set to 'true' for only yourself (and not other users/operators who are not meant to be granted administrator role upon first sign on). If you prefer to do this via database, you can run the following command: EXEC dbo.GrantOperatorFullAccess 'hello@flexera.com' #2 - AudienceRestrictionCondition is not valid Example log: System.IdentityModel.Tokens.AudienceUriValidationFailedException: ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris Resolution: Check that the Audience URL configured in the IdP match your FlexNet Manager Suite URL (e.g. https://flexnet.myorganization.com/Suite) or the return URL. Keep in mind that there typically should not be any trailing slash and the URL is case-sensitive. Don't forget to check 'http' vs 'https'. #3 -   Invalid service certificates / null reference exception Example log: System.NullReferenceException: Object reference not set to an instance of an object. at Kentor.AuthServices.Configuration.ServiceCertificateCollection.InsertItem(Int32 index, ServiceCertificate item) at Kentor.AuthServices.Configuration.ServiceCertificateElementCollection.RegisterServiceCertificates(SPOptions options) Resolution: In your web.config within kentor.authServices section remove or comment out service certificates with invalid fileName reference, i.e. <serviceCertificates> <!-- Remove or comment the following: --> <!-- <add fileName="" /> --> </serviceCertificates> #4 -   No IdP with Entity ID xxx found / unexpected Entity ID found Example log: System.Collections.Generic.KeyNotFoundException: No Idp with entity id "..." found. ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary. at System.ThrowHelper.ThrowKeyNotFoundException() OR System.Configuration.ConfigurationErrorsException: Unexpected entity id "urn:internal:federation:xxx" found when loading metadata for "urn:federation:xxx" Resolution: The EntityID you configured in <identityProviders> section in your web.config is not correct. Inspect the SAML response sent by the IdP to see the Entity ID included in the SAML response. Make sure this match what's set in web.config. Also verify that the Entity ID set in the IdP is correct and is a valid URL. It does not have to point to an actual location on the web i.e. Entity ID should be http://okta.com/xxx instead of OKTA_XXX. Remember that Entity ID in the parent <kentor.authServices> is different from the Entity ID in <identityProviders> section. In typical setup the former will simply be your FlexNet Manager Suite URL, and the latter will be the Entity ID supplied by your IdP (e.g. http://www.okta.com/xxx). #5 -   Failed signature validation Example log: Kentor.AuthServices.Exceptions.InvalidSignatureException: Message from https://okta.com/xxx failed signature verification Resolution: Verify that the public certificate you configured in SP via <signingCertificate> section matches the private key of your IdP. Verify that the private certificate you configured in SP via <serviceCertificates> section matches the public key you supplied to your IdP. #6 -   Signature didn't verify or contents tampered Example log: Kentor.AuthServices.Exceptions.InvalidSignatureException: Signature didn't verify. Have the contents been tampered with? at Kentor.AuthServices.XmlHelpers.VerifySignature(IEnumerable`1 signingKeys, SignedXml signedXml, XmlElement signatureElement, Boolean validateCertificate) at Kentor.AuthServices.XmlHelpers.IsSignedByAny(XmlElement xmlElement, IEnumerable`1 signingKeys, Boolean validateCertificate, String minimumSigningAlgorithm) at Kentor.AuthServices.Saml2P.Saml2Response.ValidateSignature(IOptions options) Resolution: Verify that the public certificate you configured in SP via <signingCertificate> section matches the private key of your IdP. Ensure there is no extra spacing/formatting/invisible characters in the public certificate you provided, or in the SAML responses being received by your IdP. #7 -   The signature verified correctly but that key is not trusted Example log: Kentor.AuthServices.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted. Resolution: Verify that the public key provided by your IdP team i.e. the one you configured within <signingCertificate> section in web.config. If the metadata contains the same public key, does it have different contents from the one you configured within <signingCertificate> section in web.config? Talk to your IdP team whether the certificate they provided is correct for the SP you are configuring. There are cases where your IdP team may have different environments (e.g. staging.myidp.com and prod.myidp.com). If that is the case, did you IdP team provide you public key for the correct environment? #8 -   Signed AuthenticateRequests expected but no service certificates are configured Example log: System.Configuration.ConfigurationErrorsException: Idp "http://www.okta.com/xxx" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage "Signing" or "Both". To resolve this issue you can a) add a service certificate with usage "Signing" or "Both" (default if not specified is "Both") or b) Set the AuthenticateRequestSigningBehavior configuration property to "Never". Resolution: In typical setup, you can set AuthenticateRequestSigningBehavior to "Never" in web.config file. In advanced setup if you prefer to set up service certificates (required for SLO/assertion encryption), then ensure you set AuthenticateRequestSigningBehavior to "Always" and specify a valid certificate within <serviceCertificates> section. #9 -   Unable to load certificate file Example log: System.Security.Cryptography.CryptographicException: The system cannot find the file specified. at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName) at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags) Resolution: This error indicates that certificate you specified either in <signingCertificate> or <serviceCertificates> cannot be found. Double check the certificate path you specified (either via file path or reference to Certificate Store path). #10 -   A unique match to certificate path is required Example log: System.InvalidOperationException: Finding cert through FindBySubjectName in LocalMachine:My with value flexnet.myorganization.com matched 2 certificates. A unique match is required. Resolution: Modify the store certificate path in web.config to use different find mechanism that will result in one certificate being found. For example, you can change findType to  FindByThumbprint ,  FindBySerialNumber, etc. Use another certificate with unique subject name. Proceed with caution: delete the duplicate certificates which are not relevant from the Certificate Store. #11 -   Cannot verify signature of message from unknown sender Example log: Kentor.AuthServices.Exceptions.InvalidSignatureException: Cannot verify signature of message from unknown sender https://localhost:44300/Metadata Resolution: Verify the Entity ID set in <identityProviders> section in web.config and that it matches the Entity ID supplied by your IdP (or in the SAML response). #12 -   IdP returns status AuthnFailed Example log: Kentor.AuthServices.Exceptions.UnsuccessfulSamlOperationException: Idp returned status "AuthnFailed", indicating that the single logout failed. The local session has been successfully terminated. Resolution: This means that your IdP is unable to authenticate you, which can be caused by various reasons. Talk to your IdP team or IdP vendor to get the relevant logs. In Okta, you can view the logs by going to Okta admin page (classic UI) > FlexNet Manager Suite On-premise > View logs. Some possible logs might be: Malformed request: check the SAML request sent to the IdP (refer to how you can inspect SAML requests/responses exchanged section). Issuer does not match: the certificate issuer you configured in <serviceCertificates> section may no match the issuer you configured in the IdP. Invalid signature: the IdP is not able to verify the signature of your signed SAML requests and you should check the private certificate you configured in <serviceCertificates> section in web.config and compare it to the corresponding public key you uploaded/provided to your IdP. Unauthorized: check the user permission in the IdP and whether the user is correctly assigned to the SAML application, the user is not suspended, etc. #13 -   Invalid provider type specified Example log: System.Security.Cryptography.CryptographicException: Invalid provider type specified. Resolution: If you generated a self-signed certificate and/or you are configuring <serviceCertificates> section, it might be a problem with the certificate not being generated using the correct API. For example if you used PowerShell's New-SelfSignedCertificate command, you may need to specify -KeySpec KeyExchange when generating the self signed certificate. #14 -   Received message contains unexpected InResponseTo Example log: Kentor.AuthServices.Exceptions.UnexpectedInResponseToException: Received message contains unexpected InResponseTo "id58c95ac8acce4ccd85826688510f5129". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost. Resolution: Ensure cookie is enabled in the browser. Clear all cookies from your browser (or try in browser private/incognito mode). If you have a load balancing farm you need to synchronize machine key as otherwise one server won't be able to encrypt cookies set by another server. #15 -   Unable to connect to remote server / operation time out when loading Metadata URL Example log: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:44300 ... at System.Net.WebClient.OpenRead(Uri address) at Kentor.AuthServices.Metadata.MetadataLoader.Load(String metadataLocation) OR System.Net.WebException: The operation has timed out at System.Net.WebClient.OpenRead(Uri address) at Kentor.AuthServices.Metadata.MetadataLoader.Load(String metadataLocation) Resolution: This likely happens when you set metadataLocation as metadata URL in web.config. Ensure your SP can download the specified metadata URL i.e. try hitting the metadata URL manually from a browser sitting in FlexNet Manager Suite server. #16 -   SAML operation cannot be processed because it is not signed Example log: Kentor.AuthServices.Exceptions.UnsuccessfulSamlOperationException: Received a LogoutResponse from http://localhost:44300/8a9c3d9f-3228-4d96-9c69-00000000/Metadata that cannot be processed because it is not signed. Resolution: Some SAML operations such as SLO require signed requests to be sent. For example, your SP cannot trust an IdP-initiated SLO if the saml2p;LogoutRequest sent by the IdP is not signed. To resolve this, talk to your IdP team and ensure such requests are signed so the SP can trust it. #17 -   No Saml2 Response found Example log: Kentor.AuthServices.Exceptions.NoSamlResponseFoundException: No Saml2 Response found in the http request. at Kentor.AuthServices.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options) Resolution: Verify the Assertion Consumer Service (ACS) URL set, which should be https://myorganization.flexera.com/Suite/AuthServices/Acs. #18 -  Invalid account: please enter a valid email address (FlexNet Manager Suite Cloud) Example log: ManageSoft.Compliance.Security.Sso.SamlCoreException: Invalid account: please enter a valid email address. at Flexera.Web.Presentation.Security.SingleSignOnTenantSaml.ValidateIdentityUsername(String username) Resolution: Inspect the Name ID supplied in the SAML response (or if you set a custom authenticationLogin value in web.config e.g. "OperatorLogin", then inspect the "OperatorLogin" attribute value supplied in the SAML response). The Name ID / operator identifier have to be a valid email address. #19 -   The SAML Response is not signed and contains unsigned Assertions Example log: Kentor.AuthServices.Exceptions.Saml2ResponseFailedValidationException: The SAML Response is not signed and contains unsigned Assertions. Response cannot be trusted. at Kentor.AuthServices.Saml2P.Saml2Response.ValidateSignature(IOptions options) Resolution: Inspect the SAML response returned by your IdP is signed. Alternatively, set WantAuthnRequestsSigned to "false" in your metadata file, similar to below: <EntityDescriptor entityID="..." ...> <IDPSSODescriptor WantAuthnRequestsSigned="false" ...>.../IDPSSODescriptor> </EntityDescriptor> #20 -  SP timeout /  SessionNotOnOrAfter value is out of range Example log: System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. Parameter name: validFrom at System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, UniqueId contextId, String id, String context, Byte[] key, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, UniqueId keyGeneration, Nullable`1 keyEffectiveTime, Nullable`1 keyExpirationTime, SctAuthorizationPolicy sctAuthorizationPolicy, Uri securityContextSecurityTokenWrapperSecureConversationVersion) at System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, UniqueId contextId, String context, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, SymmetricSecurityKey key) at System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, String context, Nullable`1 validFrom, Nullable`1 validTo) at Kentor.AuthServices.HttpModule.CommandResultHttpExtension.SignInOrOutSessionAuthenticationModule(CommandResult commandResult) Root cause: First, inspect the SAML response whether  SessionNotOnOrAfter attribute is provided (which is the attribute which controls the SP session lifetime, before it has to re-authenticate with the IdP): If not, it will be defaulted to UTC current date + timeout value configured. The timeout value configured will the be the default session lifetime configured in FlexNet Manager Suite/IIS, or alternatively from 2020 R1 onward, the default timeout will be retrieved from 'LoginTimeoutMinutes' value in compliance tenant setting. If the value calculated from previous step is of earlier date/time than current UTC date, then this error will be thrown Resolution: Ensure  SessionNotOnOrAfter provided is in UTC time and is not earlier than current UTC time. Applicable to 2020 R1 onward: ensure 'LoginTimeoutMinutes' set in database is not a negative value. #21 -   Provided certificate is not valid because it does not contain a private key This means that the certificate you configured in <serviceCertificates> section in web.config does not contain a private key to sign outgoing SAML requests from SP to the IdP. Resolution: If you specified a store reference path, make sure you don't add it in CA where private key can't be stored. Inspecting the SAML requests and responses exchanged In your browser, from example in Chrome, you can open the Developer Tools and open the Networks tab while trying to log in via SAML. You may need to check 'Preserve Log' option. Once you have done this, when performing SSO via SAML, you will be able to see all the HTTP requests happening behind the scenes. These HTTP requests will contain the SAML requests and responses exchanged between the Idp and SP. To make things simpler - you can use any SAML message decoder plugin of your choice to easily inspect the SAML requests/responses exchanged. Some ideas on what you can inspect: If you get an error relating to Name ID being of unexpected format, inspect the Name ID in the SAML response. If you are wondering why operator details are not populated correctly (refer to attributes supported), inspect the attribute in the SAML response. etc. Sample SAML request: Sample SAML request Sample SAML response Some information you may be interested in are highlighted in yellow Sample SAML response Using StubIdP for testing purpose Heads up: Never configure your FlexNet Manager Suite production environment with StubIdp. It is highly recommended to disable network access to the FlexNet Manager Suite system in such a way that only you can access the system.  Ignoring the above warnings can lead to people gaining unauthorized access to your system   - as you will be using StubIdP (essentially a mock/fake IdP which allows you to impersonate any identity without needing any credentials). If you are a FlexNet Manager Suite administrator and wants to test run the configuration prior to engaging with your IdP team, or you have been in back-and-forth discussions with your IdP team and the configuration just doesn't seem right, then using StubIdp might be the right choice for you. Go to https://stubidp.sustainsys.com/ Create your own tenant by going to StubIdp homepage > click on "create your own IdP tenant". You will need to do this on your own and in turn you will get a unique URL   similar   to   https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000. Replace any reference to this URL with your own in the proceeding steps. Fill in the following details to automatically pre-fill Assertion Consumer Service URL, Audience URL, predefined users, and Attribute Statements:   { "HideDetails": false, "UserList": [ { "DisplayName": "Admin User", "Description": "A user who will be granted Administrator rights upon first login", "Assertion": { "NameId": "admin@myorganization.com", "AttributeStatements": [ { "Type": "FnmsAdmin", "Value": "true" } ] } } ], "DefaultAssertionConsumerServiceUrl": "https://myorganization.flexera.com/Suite/AuthServices/Acs", "DefaultAudience": "https://myorganization.flexera.com/Suite", "IdpDescription": "FlexNet StubIdP - testing only" }   The above snippet includes what you should put for the Assertion Consumer Service URL, Audience URL, etc. Alternatively, refer to the parent article for specific IdP configuration guides. You can download the metadata file from  https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000/Metadata and rename it to metadata.xml. You can download the IdP public certificate from https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000/Certificate. In your web.config, refer to previous section about supplying metadata and other relevant information in your FlexNet Manager Suite system. In web.config, you will essentially have something similar to:   <kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Never"> <identityProviders> <add entityId="https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000/Metadata" signOnUrl="https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml"> <signingCertificate fileName="~/App_Data/stubidp.sustainsys.com.cer" /> </add> </identityProviders> <serviceCertificates> <!-- Not needed in typical setup unless you want to configure SLO. --> <!--<add storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="flexnet.myorganization.com" use="Signing" />--> </serviceCertificates> </kentor.authServices>   When you hit FlexNet Manager Suite URL, you will be redirected to StubIdP where you can choose to impersonate any user. If you use the predefined values above, you should see "Admin User" in the dropdown. Select any user and hit on the 'Login' button. If that works successfully, you can be sure that you have configured SAML successfully in FNMS, and can provide the relevant values below for your IdP team to create the actual SAML application you will be using in your production environment: Assertion Consumer Service URL Audience URL The expected Name ID value (typically email address) Optionally any attribute statements they should pass along the FlexNet Manager Suite Have them provide the IdP X.509 public certificate so you can configure them in the signingCertificate section in web.config file above etc. ... View more

This article is a part of a wider topic, see parent page. Configuring SAML in WebUI (Cloud) Prerequisites: You have the following information which you acquired from your IdP: Metadata.xml file or metadata URL IdP X.509 public key certificate (optional) must be included as part of the metadata (not separate file) To configure SAML in FlexNet Manager Suite Cloud, simply upload your metadata file or URL via Web UI > System Settings > Security page. THAT'S IT ABOUT CONFIGURING SSO/SAML FOR CLOUD. If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the  troubleshooting guide and list of common errors .   Configuring SAML in WebUI (On-premise) Prerequisites: You have the following information which you acquired from your IdP (On-premise): Metadata.xml file or metadata URL IdP X.509 public key certificate Entity ID and SSO URL Step 1 - Backup your web.config file Located in  %installdirectory%\FlexNet Manager Platform\WebUI\web.config Step 2 - Disabling Windows Authentication and enabling Forms and Anonymous Authentication Go to IIS Manager in your FlexNet Manager Suite server. Go to Default Web Site > Suite > Authentication Disable Windows Authentication Enable Forms Authentication and Anonymous Authentication Repeat the above steps for SAPOptimization and ECMBusinessPortal sub applications within the Default Web Site. Step 3 - Copying the metadata file and IdP public key (signing certificate) If you prefer to use metadata URL and the IdP X.509 public certificate file is already included in your metadata, ignore this step. Create "App_Data" directory in %installdirectory%\FlexNet Manager Platform\WebUI\App_Data Copy metadata.xml file to the App_Data directory (unless you prefer to use metadata URL). Copy IdP X.509 public certificate file to the App_Data directory (unless the public certificate is already included in the metadata). Step 4 - Changing authentication type to SAML in the web.config In your web.config file, locate the following within <flexera.web> element and change authenticationType from "Windows" to "Saml". <signOn authenticationType="Windows" authenticationLogin="" createUnknownOperator="true" ... ></signOn> Step 5 - Configuring Kentor.AuthServices section in the web.config In your web.config file, locate the <Kentor.AuthServices> element and replace it with: <kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Never"> <identityProviders> <add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml"> <signingCertificate fileName="~/App_Data/okta.cert" /> </add> </identityProviders> <serviceCertificates></serviceCertificates> </kentor.authServices> In the identityProviders section, fill in the following values: Replace entityId and signOnUrl with the values you received from your IdP. If you prefer to use metadata URL, replace metadata location with the metadata URL (e.g. https://myidp.com/fnmssamlapp/metadata). If specified via file, ensure the path to metadata.xml file is correct. If IdP X.509 public certificate is already included in your metadata, completely remove the signingCertificate element. If specified via file, ensure the path to the public certificate file is correct. THAT'S IT ABOUT CONFIGURING SSO/SAML FOR ON-PREMISE. If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the  troubleshooting guide and list of common errors .   Configuring SAML in WebUI (Partner) Prerequisites: You have the following information which you acquired from your IdP: Metadata.xml file or metadata URL IdP X.509 public key certificate (optional) must be included as part of the metadata (not separate file) To configure SAML in FlexNet Manager Suite Partner/Multi-Tenant system, you can either: Log on to the tenant you want to configure SAML for, and upload your metadata file or URL via Web UI > System Settings > Security page; while being logged on to the desired tenant. Alternatively in FlexNet Manager Suite server,  navigate to %installdirectory%\DotNet\bin and execute either one of the commands below. # If you prefer to use metadata file: .\ConfigureSystem.exe apply-saml-configuration --metadata-file=<PATH> --state=<SamlPilotAgw> --tenantuid=xxx # If you prefer to use metadata URL: .\ConfigureSystem.exe apply-saml-configuration --metadata-url=<URL> --state=<SamlPilotAgw> --tenantuid=xxx # Optional: if needed, see helptext and other supported operations .\ConfigureSystem.exe help apply-saml-configuration .\ConfigureSystem.exe help clear-saml-configuration .\ConfigureSystem.exe help export-saml-configuration Ensure correct TenantUID is passed. Also note that following "state" values are supported in the command line argument above: AgwOnly: only allow operators to sign on via AGW; SAML disabled / AGW enabled SamlPilotAgw: allow operators to perform IdP-initiated SSO, while keeping the default sign on provider as AGW; both SAML and AGW enabled SamlAgw: allow operators to perform IdP and SP-initiated SSO with default sign on provider as SAML; both SAML and AGW enabled SamlOnly:  allow operators to perform IdP and SP-initiated SSO with default sign on provider as SAML; SAML enabled / AGW disabled After running ConfigureSystem.exe, you will need to restart IIS for the changes to take effect. THAT'S IT ABOUT CONFIGURING SSO/SAML FOR PARTNER/MULTI-TENANT SYSTEM. If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the  troubleshooting guide and list of common errors .   Other WebUI configurations Configuring SP default timeout in FlexNet Manager Suite Supported: FlexNet Manager Suite On-premise 2020 R1+ This is to configure the default timeout to determine how long FlexNet Manager Suite should keep local session before attempting to re-authenticate with the IdP. As per specification, SAML supports IdP-provided value for the SP timeout by specifying  <sessionNotOnOrAfter> attribute within the SAML response sent from the IdP to SP. However, that is an optional specification and not all IdPs may support sending this value. As alternative, you can configure default timeout value in FlexNet Manager Suite by: Cloud Specify the default timeout value in Web UI > System Settings > Security page. On-premise Specify the value via a database setting by executing the following SQL in your Compliance database: DECLARE @TimeoutInMinutes INT = 60 -- 60 minutes DECLARE @SettingNameID INT = (SELECT SettingNameID FROM dbo.SettingName WHERE [Name] = 'LoginTimeoutMinutes') EXEC ComplianceTenantSettingPutBySettingNameID @SettingNameID, @TimeoutInMinutes Automatically creating unknown operators This setting is defaulted to true. To simplify creation of new operators in FlexNet Manager Suite, you can specify the following settings in your web.config file, located within  %installdirectory%\FlexNet Manager Platform\WebUI directory. When the setting is set to true, a new operator will automatically be created in FlexNet Manager Suite upon first successful SSO. However on its own, this setting will not automatically grant any role to the operator. As such, the operator will see a "No role" page and will require FlexNet Manager Suite administrator to grant an explicit role to that operator. To change this behavior, specify either "true" or "false" in the "createUnknownOperator" value below. <signOn authenticationType="Saml" authenticationLogin="" createUnknownOperator="true" ... ></signOn> Using custom attribute in place of Name ID attribute This is typically not required for standard setup. It is recommended to leave "authenticationLogin" value empty. The Name ID attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) is typically sent by your IdP and used by FlexNet Manager Suite to uniquely identify an operator login identity. This value can be john.doe@flexera.com, for example. However if you have a special use case where you want a different attribute (not Name ID attribute) to be used as the operator identifier, you will need to specify the custom attribute name/type in the "authenticationLogin" value below.  <signOn authenticationType="Saml" authenticationLogin="OperatorLogin" createUnknownOperator="true" ... ></signOn> In the example above, FlexNet Manager Suite will expect the "OperatorLogin" attribute to exist in the SAML response sent by the IdP, and will use this value to uniquely identify an operator login identity. Configuring outgoing requests from SP to the IdP to be signed This is typically not required for standard setup. Certain SAML operations such as Single Logout (SLO) requires outgoing requests from SP to the IdP to be signed. For example when triggering an SP-initiated SLO, the IdP needs to trust that the saml2p:LogoutRequest payload indeed comes from FlexNet Manager Suite, before logging out the user from the IdP and all other non-Flexera applications which support SLO. To sign outgoing SAML requests, you first need to acquire a public/private key pair to be used for signing purpose. Talk to your IT/Security expert who can help you with this. It is your responsibility to keep the said private key secure. Once you have the private key file, import it into the certificate store in your FlexNet Manager Suite server. And then go to your web.config file, locate the <kentor.authServices> element, and set the authenticateRequestSigningBehavior from "Never" to "Always", which indicates we want outgoing requests from SP to the IdP to be signed. You will then need to supply the path to the private key in Windows certificate store within the <serviceCertificates> element, i.e. <kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Always"> <identityProviders> <add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml"> <signingCertificate fileName="~/App_Data/okta.cert" /> </add> </identityProviders> <serviceCertificates> <add storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="sso.flexnet.myorganization.com" use="Signing" /> </serviceCertificates> </kentor.authServices> In the above example, the key to be used for signing will be located from Certificate Store (Local Machine) > Personal > Certificates > a certificate matching subject name: "sso.flexnet.myorganization.com". Note that the criteria here has to match exactly one certificate. Alternatively, you can configure these attributes differently to locate the signing certificate; refer to the external documentation below: storeName: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storename?view=netframework-4.5 storeLocation: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storelocation?view=netframework-4.5 x509FindType: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509findtype?view=netframework-4.5 findValue: specify the certificate subject, thumbprint, etc. depending on the x509FindType you decide to use. ... View more

This article is a part of a wider topic, see parent page. Configuring SAML application in Okta Step 1 - Creating the SAML application Go to Okta Admin and navigate to Applications page. Click on "Add Application" button and then click on "Create New App". Choose "Web" as the platform and "SAML 2.0" as the sign-on method. Fill in any application name, e.g. "FlexNet Manager Suite", and click on the "Next" button. Step 2 - Filling in the SAML settings Single sign on URL: https://flexnet.myorganization.com/Suite/AuthServices/Acs Recipient URL: https://flexnet.myorganization.com/Suite/AuthServices/Acs Destination URL: https://flexnet.myorganization.com/Suite/AuthServices/Acs  Audience restriction: https://flexnet.myorganization.com/Suite NameID format: Unspecified / EmailAddress Application username: Email Important   - all of the above URLs are case sensitive, and ensure there is no trailing slash or space characters in the URL. Okta - SAML settings [Optional] Step 3 - Configuring attribute statements This is an optional step. You can configure the following attributes to pass "claims" that can be understood by FlexNet Manager Suite and will be used to pre-fill operator details. First name Type: GivenName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Last name Type: Surname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname Email: Type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress Job title Type: JobTitle Okta - attribute statements Step 4 - Providing the necessary details to your FlexNet Manager Suite administrator Once the application is created successfully in your IdP, go to the 'Sign on' tab in the SAML Application, and click on 'View Setup Instructions'. You will need to provide the following information to your FlexNet Manager Suite administrator: Identity Provider Single Sign-On URL e.g. https://xxx.oktapreview.com/app/xxx_flexnetmanagersuite_1/xxx/sso/saml Identity Provider Issuer (Entity ID) e.g. http://www.okta.com/xxx Download the X.509 Certificate (IdP public certificate) e.g. okta.cert file containing: -----BEGIN CERTIFICATE----- xxxxxx -----END CERTIFICATE----- Metadata file Copy the the metadata file contents and save it as metadata.xml.   WHAT'S NEXT To complete your SSO setup in FlexNet Manager Suite, refer to the parent article. Alternatively, continue reading this article to browse other Okta-specific configurations you might be interested in.   [Advanced] Automatically granting Administrator role to your newly created operators. This is helpful when used together with createUnknownOperator="true" setting that you can set in FlexNet Manager Suite web.config file. This can be achieved by passing either one of the attribute values below: Role attribute Type: http://schemas.microsoft.com/ws/2008/06/identity/claims/role Expected value: Administrator FnmsAdmin attribute Type: FnmsAdmin Expected value: 'true' or 'false', or use custom evaluation such as:  isMemberOfGroupName("Administrator")   [Advanced] Enabling Single Logout in Okta Prerequisites: You are using FlexNet Manager Suite On-premise offering. You have completed the Single Logout configuration in FlexNet Manager Suite, and as such have acquired the public certificate corresponding the private key FlexNet Manager Suite uses to sign outgoing SAML requests. To enable Single Logout (SLO) in Okta: Go to Okta Admin and navigate to Applications page. Click on "FlexNet Manager Suite" application. On the General tab > SAML Setting section, click on "Edit" link. Go to next step and click on "show advanced settings". Check Enable Single Logout / Allow application to initiate Single Logout checkbox. Specify the following details: Single Logout URL: https://flexnet.myorganization.com/Suite/AuthServices/Logout Signature Certificate: browse and upload the public certificate of your Service Provider (FlexNet Manager Suite) signing key. SP Issuer: issuer of the Service Provider certificate you uploaded, used by Okta for validation. Click on "Next" button and save your changes. Okta - Single Logout (SLO) settings under SAML Settings > Show Advanced Settings ... View more

Purpose of this article This articles aims to provide a practical guide to configure SSO / SAML for your FlexNet Manager Suite On-premise system. If you are using our cloud offering prior to Flexera Identity and Access Management (IAM) integration, then the contents of this article will also be relevant for you. How to configure Single Sign On (SSO) Configuring SSO is a two step process as follows. Step 1 - Identity Provider (IdP) configuration To configure SSO for a specific IdP vendor, refer to sub-articles below: Okta: refer to "Configuring SAML application in Okta" section within Okta configuration guide. Other Identity Providers: no specific guide currently available; refer to Okta guide and apply similar configuration in your IdP. Step 2 - Service Provider (SP) configuration Refer to "Configuring SAML in WebUI" section within WebUI configuration guide. THAT'S IT ABOUT CONFIGURING SSO. If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the troubleshooting guide and list of common errors.   How to configure  Single Logout (SLO) Prerequisites: This is an advanced configuration and typically not required by many organizations. You will need to acquire a public/private key pair used for signing requests from FlexNet Manager Suite (SP) to the Identity Provider (IdP). Single Logout (SLO) is currently only supported in FlexNet Manager Suite On-premise offering. Your IdP has to support Single Logout (SLO). Configuring SLO is yet another two step process as follows. Step 1 - Service Provider (SP) configuration Single Logout requires outgoing requests from SP to IdP to be signed. Refer to "Configuring outgoing requests from SP to the IdP to be signed" section within WebUI configuration guide to complete this step. Step 2 - Identity Provider (IdP) configuration To configure SLO for a specific IdP vendor, refer to sub-articles below: Okta: refer to "Enabling Single Logout in Okta" section within Okta configuration guide. Other Identity Providers: no specific guide currently available; refer to Okta guide and apply similar configuration in your IdP. THAT'S IT ABOUT CONFIGURING SLO. If everything is configured correctly, both SP-initiated and IdP-initiated Single Logout (SLO) should work as expected. If not, see the troubleshooting guide and list of common errors.   Appendix Key terminologies SAML: Security Assertion Markup Language Open standard for exchanging authentication and authorization data between Identity Provider and Service Provider through digitally signed SAML requests and responses. FlexNet Manager Suite supports SAML 2.0. IdP: Identity Provider A service that stores and verifies user identity. This will be the entity you are trusting to authenticate users to FlexNet Manager Suite. SP: Service Provider Your FlexNet Manager Suite system that will be receiving and accepting authentication from the IdP. Single Sign On (SSO) A process which allows your user to sign on once to your IdP, and in turn gain access to all applications within your organization. Single Logout (SLO) A process which allows your user to log out once from either the SP or the IdP, that will in turn logout the user from all applications. Whether you want SLO to be implemented will depend on your business use case. Many businesses chose not to implement this as they don't want logging out from the SP to trigger a global logout from the IdP and other applications within the organization. Note that SLO is supported in FlexNet Manager Suite On-premise as of today. IdP-initiated SSO / SLO This means that user starts a Single Sign On (SSO) or Single Logout (SLO) workflow from the IdP. For example if your user logs in to Okta and then select 'FlexNet Manager Suite' application, then this will be called IdP-initiated SSO. SP-initiated SSO / SLO This means that user starts a Single Sign On (SSO) or Single Logout (SLO) workflow from the SP. For example if your user hits https://myorganization.flexera.com and gets redirected to the IdP to complete to the sign on process, then this will be called SP-initiated SSO. FlexNet Manager Suite URL / SP URL: This is the URL your operators use to access FlexNet Manager Suite in their browser. For the purpose of this guide, we will assume this to be https://flexnet.myorganization.com/Suite. Anytime this URL is referenced, you will have to replace this with the actual application URL. ... View more