May 03, 2021
06:38 AM
Hi @emtmeta, did you change the Assertion Consumer Service (ACS) URL to be the actual FNMS URL for your organization, which for FNMS Cloud will be something like https://my-subdomain.flexnetmanager.com/Suite/AuthServices/Acs? The error seems to be indicating it's trying to access a placeholder URL instead i.e. https://sam.SERVER_NAME.com/Suite/AuthServices/Acs
For IdP configuration side of things, you may find the Okta configuration guide to be a helpful reference. While it won't exactly be the same, the configuration should be pretty similar.
Okta IdP configuration guide - https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/FNMS-SAML-Setup-Okta-configuration-guide-to-enable-SSO-SAML-in/ta-p/157729
If you still face issues, please post screenshots of your ADFS configuration including the ACS URL being set, though just remember to mask any details which might be sensitive.
---
Also just noting that all the above articles I linked are sub-pages of this page we have in the community:
SSO SAML Configuration Guide - https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Ultimate-SSO-SAML-configuration-guide-in-FlexNet-Manager-Suite/ta-p/157608
Cheers, Kent
Apr 26, 2021
06:36 AM
@emtmeta we will need to check the logs for the given Activity ID you posted above in the IdP then. Hopefully that's gonna give us an idea what's wrong and how we can fix that.
Some of the IdP errors I have encountered before (albeit for a different IdP) include:
invalid signature / issuer does not match (common issue) - check the service provider public key configured in the IdP and whether it matches the Service Provider private key configured in the metadata that FNMS uses to sign outgoing requests to the IdP
unauthorized - does the user you log in to have permission to access FNMS app?
Can you get the logs and copy them here?
Apr 22, 2021
06:53 AM
Hi @emtmeta, can you provide more details as to how "SP-initiated (workflow) is not working"? Does it lead to an error page, for example?
If it leads to an error page: can we get the error logs related to the request and then refer to this troubleshooting page? https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/FNMS-SAML-Setup-Troubleshooting-guide-and-list-of-common-errors/ta-p/157810
If FNMS does not redirect to the IdP and instead to Flexera/AGW login page: is your intention perhaps to change the "Active Identity Providers" set in FNMS Web UI > System Settings > Security?
Cheers, kent
Nov 22, 2020
08:31 PM
2 Kudos
Azure AD SAML is a supported Identity Provider (IdP). Currently, no specific guide is available in the community for configuration on the Azure side. There should be plenty of documentation available from Microsoft/other online sources for this.
As to the values you need to provide in Azure (Entity ID, Sign-on URL, etc.) - the Okta configuration guide, while it's written for a different IdP, will be a helpful reference document to provide to the team/person responsible for setting up SAML application in your Azure environment. You will then be able to download the metadata file from Azure.
Once you have the metadata file - to configure SAML in FlexNet Manager Suite Cloud, simply upload your metadata file via Web UI > System Settings > Security page. For a more comprehensive guide or for the on-premise guide, see the WebUI configuration guide or the parent page you referred to:
https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Ultimate-SSO-SAML-configuration-guide-in-FlexNet-Manager-Suite/ta-p/157608
--
If you come across any issue, feel free to let me know here and I will be happy to help.
Cheers, Kent
Oct 16, 2020
12:41 PM
@aprabha setting up NAT to bridge communication from local network to public internet may be a possible alternative if you want to continue receiving ARL catalog update automatically.
Oct 05, 2020
02:42 AM
Hi @emtmeta,
I can't say for certain but I remember seeing similar configuration for 'returnUrl' i.e. without /AuthServices. That should be completely fine as long as authentication flow works as expected for both IdP and SP initiated SSO.
Cheers, Kent
Sep 28, 2020
05:08 AM
Hi @emtmeta,
What SSO/recipient/destination URLs do you have configured in Okta? From what it sounds like, there might be an issue with the redirect URL configured in Okta.
For Okta configuration guide, see https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/FNMS-SAML-Setup-Okta-configuration-guide-to-enable-SSO-SAML-in/ta-p/157729
For WebUI side of the configuration, see https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/FNMS-SAML-Setup-WebUI-configuration-guide-to-enable-SSO-SAML-in/ta-p/157804
Also, is the behavior you are describing consistent across different browsers and devices?
Cheers, Kent
Sep 02, 2020
05:20 AM
1 Kudo
Hi @bnikol,
It seems that this question was missed for so long, sorry about that!
Would you consider this question to have been answered/solved as part of your other question about SQL active/passive cluster?
Cheers, Kent
Aug 24, 2020
11:29 PM
2 Kudos
If the cost centers and corporate units you want to delete are within the same parent, you can simply delete the parent entity and it will cascade delete all child entities. So for example if you have the following cost centers:
Cost centers
  Flexera
    Engineering / IT
      Engineering
      IT
    Sales
Deleting "Engineering / IT" will cascade delete the "Engineering" and "IT" cost centers.
However if the cost centers / corporate units that you'd like to delete are not within such defined structure and the number of entities to delete are massive such that it doesn't make sense to manually delete them one by one, you can raise a support ticket to Flexera to request data deletion.
Cheers, Kent
Re: What is the best way to find memory leaks in JaveScript?

Aug 24, 2020
02:31 PM
Hi @Rebecca942,
It looks like you posted your question in the wrong place. This community is intended to discuss topics about Flexera products. You may want to post your question in more relevant forums such as StackOverflow.
Well, good luck with your project and don't forget to dispose of your unused objects!
Cheers, Kent
Re: What is the best way to find memory leaks in JaveScript?

Aug 24, 2020
04:43 AM
Hi @Rebecca942,
To be able to help you here, I will need more detailed information on the issue you are facing. Is your browser consuming a lot of memory when opening FlexNet Manager Suite webpage? If so, can you provide details on the view/page affected, browsers used, memory consumption, and other resources/screenshots which you think might be relevant.
Cheers, Kent
Aug 24, 2020
04:31 AM
1 Kudo
Hi @estefany_gomez,
I assume you are referring to the public management view in FNMS and how to customize the widgets displayed there, and that your organization is using FNMS Cloud. Are my assumptions correct?
In FNMS Cloud UAT environment, currently on 2020 R1.1 version, I can see a new feature to manage dashboard widgets; see attached screenshot. AFAIK this should be available in next monthly release for production environment, which I can see is scheduled for 03 September 2020 (AEST). Will the addition of this feature help to answer your question?
Let me know if that's not the case or you'd like to discuss anything else.
Cheers, Kent
Aug 07, 2020
03:00 AM
5 Kudos
This article is a part of a wider topic, see parent page.
Checking the error logs
If you are using FlexNet Manager Suite Cloud, you will need to provide the Error ID to Support.
If you are using FlexNet Manager Suite On-premise offering, you can enable debug-level logging and analyze the error logs yourself.
To enable debug-level logging:
Modify the log level for the following items to "DEBUG" in %programdata%\Flexera Software\Compliance\Logging\WebUI.config file.
Kentor.AuthServices (default: "WARN")
Root (default: "INFO")
Restart IIS.
Perform the same action which led to the error you encountered before (it will now emit debug-level logging).
Accessing the logs:
The WebUI log is accessible in %programdata%\Flexera Software\Compliance\Logging\WebUI\webui.log file.
Notice that most authentication-related errors with SAML begin with a generic error message. The part worth analyzing is found at the end of the line, after the last "--->". For example,
ManageSoft.Compliance.Security.Sso.SamlCoreException: There is problem while authenticating via SAML. Please make sure (a) that the web.config element 'kentor.authServices' is correctly configured, and (b) that the web server can connect to the configured SAML identity provider (if automatic metadata download is enabled). ---> System.Configuration.ConfigurationErrorsException: Unexpected entity id "https://sts.windows.net/xxx/" found when loading metadata for "https://sts.windows.net/yyy/".
at Kentor.AuthServices.IdentityProvider.ReadMetadata(ExtendedEntityDescriptor metadata)
at Kentor.AuthServices.IdentityProvider.DoLoadMetadata()
In the above log, the part you will want to analyze is:
System.Configuration.ConfigurationErrorsException: Unexpected entity id "https://sts.windows.net/xxx/" found when loading metadata for "https://sts.windows.net/yyy/"
at ...
Common errors and possible resolutions
#1 - Operator not being assigned to any role
Note that this is expected in most cases and not an actual SAML configuration issue. In fact you probably got things working if this is the only error you notice in the log file.
Example log:
User hello@flexera.com has no access rights in tenant
Resolution:
Ask your FlexNet Manager Suite administrator to assign you to a role via the Web UI.
If you are the administrator, either assign yourself to Administrator role via the database, or ensure you pass 'FnmsAdmin' claim set to 'true' for only yourself (and not other users/operators who are not meant to be granted administrator role upon first sign on). If you prefer to do this via database, you can run the following command:
EXEC dbo.GrantOperatorFullAccess 'hello@flexera.com'
#2 - AudienceRestrictionCondition is not valid
Example log:
System.IdentityModel.Tokens.AudienceUriValidationFailedException: ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris
Resolution:
Check that the Audience URL configured in the IdP matches your FlexNet Manager Suite URL (e.g. https://flexnet.myorganization.com/Suite) or the return URL. Keep in mind that there typically should not be any trailing slash and that the URL is case-sensitive. Don't forget to check 'http' vs 'https'.
#3 - Invalid service certificates / null reference exception
Example log:
System.NullReferenceException: Object reference not set to an instance of an object.
at Kentor.AuthServices.Configuration.ServiceCertificateCollection.InsertItem(Int32 index, ServiceCertificate item)
at Kentor.AuthServices.Configuration.ServiceCertificateElementCollection.RegisterServiceCertificates(SPOptions options)
Resolution:
In your web.config within kentor.authServices section remove or comment out service certificates with invalid fileName reference, i.e.
<serviceCertificates>
  <!-- Remove or comment the following: -->
  <!-- <add fileName="" /> -->
</serviceCertificates>
#4 - No IdP with Entity ID xxx found / unexpected Entity ID found
Example log:
System.Collections.Generic.KeyNotFoundException: No Idp with entity id "..." found. ---> System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
OR
System.Configuration.ConfigurationErrorsException: Unexpected entity id "urn:internal:federation:xxx" found when loading metadata for "urn:federation:xxx"
Resolution:
The EntityID you configured in <identityProviders> section in your web.config is not correct.
Inspect the SAML response sent by the IdP to see the Entity ID it contains. Make sure this matches what is set in web.config.
Also verify that the Entity ID set in the IdP is correct and is a valid URL. It does not have to point to an actual location on the web i.e. Entity ID should be http://okta.com/xxx instead of OKTA_XXX.
Remember that Entity ID in the parent <kentor.authServices> is different from the Entity ID in <identityProviders> section. In typical setup the former will simply be your FlexNet Manager Suite URL, and the latter will be the Entity ID supplied by your IdP (e.g. http://www.okta.com/xxx).
#5 - Failed signature validation
Example log:
Kentor.AuthServices.Exceptions.InvalidSignatureException: Message from https://okta.com/xxx failed signature verification
Resolution:
Verify that the public certificate you configured in SP via <signingCertificate> section matches the private key of your IdP.
Verify that the private certificate you configured in SP via <serviceCertificates> section matches the public key you supplied to your IdP.
#6 - Signature didn't verify or contents tampered
Example log:
Kentor.AuthServices.Exceptions.InvalidSignatureException: Signature didn't verify. Have the contents been tampered with?
at Kentor.AuthServices.XmlHelpers.VerifySignature(IEnumerable`1 signingKeys, SignedXml signedXml, XmlElement signatureElement, Boolean validateCertificate)
at Kentor.AuthServices.XmlHelpers.IsSignedByAny(XmlElement xmlElement, IEnumerable`1 signingKeys, Boolean validateCertificate, String minimumSigningAlgorithm)
at Kentor.AuthServices.Saml2P.Saml2Response.ValidateSignature(IOptions options)
Resolution:
Verify that the public certificate you configured in SP via <signingCertificate> section matches the private key of your IdP.
Ensure there are no extra spaces, formatting or invisible characters in the public certificate you provided, or in the SAML responses being received from your IdP.
#7 - The signature verified correctly but that key is not trusted
Example log:
Kentor.AuthServices.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.
Resolution:
Verify the public key provided by your IdP team, i.e. the one you configured within the <signingCertificate> section in web.config.
If the metadata also contains a public key, does its content differ from the one you configured within the <signingCertificate> section in web.config?
Talk to your IdP team about whether the certificate they provided is correct for the SP you are configuring. There are cases where your IdP team may have different environments (e.g. staging.myidp.com and prod.myidp.com). If that is the case, did your IdP team provide you the public key for the correct environment?
#8 - Signed AuthenticateRequests expected but no service certificates are configured
Example log:
System.Configuration.ConfigurationErrorsException: Idp "http://www.okta.com/xxx" is configured for signed AuthenticateRequests, but ServiceCertificates configuration contains no certificate with usage "Signing" or "Both". To resolve this issue you can a) add a service certificate with usage "Signing" or "Both" (default if not specified is "Both") or b) Set the AuthenticateRequestSigningBehavior configuration property to "Never".
Resolution:
In typical setup, you can set AuthenticateRequestSigningBehavior to "Never" in web.config file.
In advanced setup if you prefer to set up service certificates (required for SLO/assertion encryption), then ensure you set AuthenticateRequestSigningBehavior to "Always" and specify a valid certificate within <serviceCertificates> section.
#9 - Unable to load certificate file
Example log:
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
Resolution:
This error indicates that the certificate you specified in either <signingCertificate> or <serviceCertificates> cannot be found. Double-check the certificate path you specified (either a file path or a reference to a Certificate Store path).
#10 - A unique match to certificate path is required
Example log:
System.InvalidOperationException: Finding cert through FindBySubjectName in LocalMachine:My with value flexnet.myorganization.com matched 2 certificates. A unique match is required.
Resolution:
Modify the store certificate path in web.config to use a different find mechanism that will result in exactly one certificate being found. For example, you can change x509FindType to FindByThumbprint, FindBySerialNumber, etc.
Use another certificate with a unique subject name.
Proceed with caution: delete the duplicate certificates which are not relevant from the Certificate Store.
#11 - Cannot verify signature of message from unknown sender
Example log:
Kentor.AuthServices.Exceptions.InvalidSignatureException: Cannot verify signature of message from unknown sender https://localhost:44300/Metadata
Resolution:
Verify the Entity ID set in <identityProviders> section in web.config and that it matches the Entity ID supplied by your IdP (or in the SAML response).
#12 - IdP returns status AuthnFailed
Example log:
Kentor.AuthServices.Exceptions.UnsuccessfulSamlOperationException: Idp returned status "AuthnFailed", indicating that the single logout failed. The local session has been successfully terminated.
Resolution:
This means that your IdP is unable to authenticate you, which can be caused by various reasons. Talk to your IdP team or IdP vendor to get the relevant logs. In Okta, you can view the logs by going to Okta admin page (classic UI) > FlexNet Manager Suite On-premise > View logs.
Some possible logs might be:
Malformed request: check the SAML request sent to the IdP (refer to how you can inspect SAML requests/responses exchanged section).
Issuer does not match: the certificate issuer you configured in the <serviceCertificates> section may not match the issuer you configured in the IdP.
Invalid signature: the IdP is not able to verify the signature of your signed SAML requests and you should check the private certificate you configured in <serviceCertificates> section in web.config and compare it to the corresponding public key you uploaded/provided to your IdP.
Unauthorized: check the user permission in the IdP and whether the user is correctly assigned to the SAML application, the user is not suspended, etc.
#13 - Invalid provider type specified
Example log:
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
Resolution:
If you generated a self-signed certificate and/or you are configuring <serviceCertificates> section, it might be a problem with the certificate not being generated using the correct API. For example if you used PowerShell's New-SelfSignedCertificate command, you may need to specify -KeySpec KeyExchange when generating the self signed certificate.
#14 - Received message contains unexpected InResponseTo
Example log:
Kentor.AuthServices.Exceptions.UnexpectedInResponseToException: Received message contains unexpected InResponseTo "id58c95ac8acce4ccd85826688510f5129". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute. This error typically occurs if the cookie set when doing SP-initiated sign on have been lost.
Resolution:
Ensure cookies are enabled in the browser.
Clear all cookies from your browser (or try in the browser's private/incognito mode).
If you have a load-balanced farm, you need to synchronize the machine key across servers, as otherwise one server won't be able to read (decrypt) cookies set by another server.
#15 - Unable to connect to remote server / operation time out when loading Metadata URL
Example log:
Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:44300
...
at System.Net.WebClient.OpenRead(Uri address)
at Kentor.AuthServices.Metadata.MetadataLoader.Load(String metadataLocation)
OR
System.Net.WebException: The operation has timed out
at System.Net.WebClient.OpenRead(Uri address)
at Kentor.AuthServices.Metadata.MetadataLoader.Load(String metadataLocation)
Resolution:
This likely happens when you set metadataLocation as metadata URL in web.config.
Ensure your SP can download the specified metadata URL i.e. try hitting the metadata URL manually from a browser sitting in FlexNet Manager Suite server.
#16 - SAML operation cannot be processed because it is not signed
Example log:
Kentor.AuthServices.Exceptions.UnsuccessfulSamlOperationException: Received a LogoutResponse from http://localhost:44300/8a9c3d9f-3228-4d96-9c69-00000000/Metadata that cannot be processed because it is not signed.
Resolution:
Some SAML operations such as SLO require signed messages. For example, your SP cannot trust an IdP-initiated SLO if the saml2p:LogoutRequest sent by the IdP is not signed. To resolve this, talk to your IdP team and ensure such requests are signed so the SP can trust them.
#17 - No Saml2 Response found
Example log:
Kentor.AuthServices.Exceptions.NoSamlResponseFoundException: No Saml2 Response found in the http request.
at Kentor.AuthServices.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)
Resolution:
Verify the Assertion Consumer Service (ACS) URL set, which should be https://myorganization.flexera.com/Suite/AuthServices/Acs.
#18 - Invalid account: please enter a valid email address (FlexNet Manager Suite Cloud)
Example log:
ManageSoft.Compliance.Security.Sso.SamlCoreException: Invalid account: please enter a valid email address.
at Flexera.Web.Presentation.Security.SingleSignOnTenantSaml.ValidateIdentityUsername(String username)
Resolution:
Inspect the Name ID supplied in the SAML response (or, if you set a custom authenticationLogin value in web.config, e.g. "OperatorLogin", inspect the "OperatorLogin" attribute value supplied in the SAML response).
The Name ID / operator identifier has to be a valid email address.
#19 - The SAML Response is not signed and contains unsigned Assertions
Example log:
Kentor.AuthServices.Exceptions.Saml2ResponseFailedValidationException: The SAML Response is not signed and contains unsigned Assertions. Response cannot be trusted.
at Kentor.AuthServices.Saml2P.Saml2Response.ValidateSignature(IOptions options)
Resolution:
Inspect whether the SAML response returned by your IdP is signed.
Alternatively, set WantAuthnRequestsSigned to "false" in your metadata file, similar to below:
<EntityDescriptor entityID="..." ...>
  <IDPSSODescriptor WantAuthnRequestsSigned="false" ...>...</IDPSSODescriptor>
</EntityDescriptor>
#20 - SP timeout / SessionNotOnOrAfter value is out of range
Example log:
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: validFrom
at System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, UniqueId contextId, String id, String context, Byte[] key, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, UniqueId keyGeneration, Nullable`1 keyEffectiveTime, Nullable`1 keyExpirationTime, SctAuthorizationPolicy sctAuthorizationPolicy, Uri securityContextSecurityTokenWrapperSecureConversationVersion)
at System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, UniqueId contextId, String context, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, SymmetricSecurityKey key)
at System.IdentityModel.Tokens.SessionSecurityToken..ctor(ClaimsPrincipal claimsPrincipal, String context, Nullable`1 validFrom, Nullable`1 validTo)
at Kentor.AuthServices.HttpModule.CommandResultHttpExtension.SignInOrOutSessionAuthenticationModule(CommandResult commandResult)
Root cause:
First, inspect whether the SAML response provides a SessionNotOnOrAfter attribute (this is the attribute which controls the SP session lifetime, i.e. how long before it has to re-authenticate with the IdP):
If it is not provided, it defaults to the current UTC date plus the configured timeout value. The configured timeout value is the default session lifetime configured in FlexNet Manager Suite/IIS or, from 2020 R1 onward, the 'LoginTimeoutMinutes' value in the compliance tenant setting.
If the value calculated in the previous step is earlier than the current UTC date/time, this error is thrown.
Resolution:
Ensure SessionNotOnOrAfter provided is in UTC time and is not earlier than current UTC time.
Applicable to 2020 R1 onward: ensure 'LoginTimeoutMinutes' set in database is not a negative value.
#21 - Provided certificate is not valid because it does not contain a private key
This means that the certificate you configured in <serviceCertificates> section in web.config does not contain a private key to sign outgoing SAML requests from SP to the IdP.
Resolution:
If you specified a store reference path, make sure the certificate is not placed in a CA store, where a private key can't be stored.
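As an added example (not part of this article), the following Python script applies the two pieces of advice above in one pass: it groups webui.log entries with their stack frames, isolates the innermost exception after the last "--->" as described under "Checking the error logs", and matches it against the catalogue of common errors so each entry comes out with the check to perform. The log excerpt and its "date time LEVEL message" layout are constructed for the example and are not the real webui.log format.

```python
import re

# Constructed webui.log excerpt modelled on the log lines quoted in this article. The
# "<date> <time> <LEVEL> <message>" prefix is an assumption about the layout, not the real format.
SAMPLE_LOG = """\
2020-08-07 03:00:01 ERROR ManageSoft.Compliance.Security.Sso.SamlCoreException: There is problem while authenticating via SAML. Please make sure (a) that the web.config element 'kentor.authServices' is correctly configured, and (b) that the web server can connect to the configured SAML identity provider (if automatic metadata download is enabled). ---> System.Configuration.ConfigurationErrorsException: Unexpected entity id "https://sts.windows.net/xxx/" found when loading metadata for "https://sts.windows.net/yyy/".
   at Kentor.AuthServices.IdentityProvider.ReadMetadata(ExtendedEntityDescriptor metadata)
   at Kentor.AuthServices.IdentityProvider.DoLoadMetadata()
2020-08-07 03:00:02 WARN User hello@flexera.com has no access rights in tenant
2020-08-07 03:00:03 ERROR System.NullReferenceException: Object reference not set to an instance of an object.
   at Kentor.AuthServices.Configuration.ServiceCertificateCollection.InsertItem(Int32 index, ServiceCertificate item)
2020-08-07 03:00:04 ERROR Kentor.AuthServices.Exceptions.UnexpectedInResponseToException: Received message contains unexpected InResponseTo "id58c95ac8acce4ccd85826688510f5129". No cookie preserving state from the request was found so the message was not expected to have an InResponseTo attribute.
"""

# (catalogue entry, pattern applied to the innermost exception plus its stack frames, what to check)
RULES = [
    ("#1", r"has no access rights in tenant", "not a SAML fault: assign the operator a role in the Web UI"),
    ("#2", r"AudienceRestrictionCondition was not valid", "Audience URL in the IdP must equal the FNMS URL: no trailing slash, case-sensitive, http vs https"),
    ("#3", r"NullReferenceException[\s\S]*ServiceCertificateCollection", "remove/comment <serviceCertificates> entries with an invalid fileName"),
    ("#4", r"No Idp with entity id|Unexpected entity id", "Entity ID in <identityProviders> must match the IdP's Entity ID and the metadata entityID"),
    ("#5/#6", r"failed signature verification|Signature didn't verify", "<signingCertificate> must be the IdP's public certificate; check for stray whitespace"),
    ("#7", r"that key is not trusted", "message signed with another key: confirm the certificate is for the right IdP environment"),
    ("#8", r"configured for signed AuthenticateRequests", 'set authenticateRequestSigningBehavior="Never" or configure a Signing service certificate'),
    ("#9", r"The system cannot find the file specified", "certificate file path or store reference in web.config is wrong"),
    ("#10", r"A unique match is required", "store lookup matched several certificates: use FindByThumbprint or a unique subject"),
    ("#11", r"unknown sender", "Entity ID in <identityProviders> does not match the Issuer of the message"),
    ("#12", r'Idp returned status "AuthnFailed"', "IdP refused authentication: get the IdP-side logs"),
    ("#13", r"Invalid provider type specified", "self-signed certificate made with the wrong key spec (New-SelfSignedCertificate -KeySpec KeyExchange)"),
    ("#14", r"unexpected InResponseTo", "SP cookie lost: enable cookies, clear them, or synchronize machine keys across the farm"),
    ("#15", r"Unable to connect to the remote server|The operation has timed out", "server cannot reach the metadata URL"),
    ("#16", r"cannot be processed because it is not signed", "IdP must sign SLO messages"),
    ("#17", r"No Saml2 Response found", "ACS URL must be <FNMS URL>/Suite/AuthServices/Acs"),
    ("#18", r"Invalid account: please enter a valid email address", "Name ID / OperatorLogin must be a valid e-mail address"),
    ("#19", r"contains unsigned Assertions", "IdP must sign the Response or the Assertions"),
    ("#20", r"Parameter name: validFrom", "SessionNotOnOrAfter in the past, or negative LoginTimeoutMinutes"),
    ("#21", r"does not contain a private key", "service certificate must live in a store that holds its private key (not a CA store)"),
]

LINE_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\w+) (.*)$")


def split_entries(log_text):
    """Group each message line with the continuation and '   at ...' stack lines that follow it."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_START.match(raw)
        if m:
            entries.append({"level": m.group(1), "message": m.group(2), "frames": []})
        elif entries:
            entries[-1]["frames"].append(raw.strip())
    return entries


def innermost_exception(message):
    """Wrapped exceptions put the generic text first; the useful part is after the last '--->'."""
    return message.rsplit("--->", 1)[-1].strip()


def classify(entry):
    """Match one grouped entry against the catalogue; returns (entry id, check) or (None, hint)."""
    haystack = innermost_exception(entry["message"]) + "\n" + "\n".join(entry["frames"])
    for rule_id, pattern, hint in RULES:
        if re.search(pattern, haystack):
            return rule_id, hint
    return None, "unclassified: compare the innermost exception with the catalogue"


def triage(log_text):
    """Return one dict per log entry with the innermost error and the matching catalogue entry."""
    results = []
    for entry in split_entries(log_text):
        rule_id, hint = classify(entry)
        results.append({"level": entry["level"], "error": innermost_exception(entry["message"]),
                        "rule": rule_id, "hint": hint})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['rule'] or '??':6} {r['level']:5} {r['error'][:90]}")
        print(f"       -> {r['hint']}")
```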
Inspecting the SAML requests and responses exchanged
In your browser, for example in Chrome, you can open the Developer Tools and open the Network tab while trying to log in via SAML. You may need to check the 'Preserve log' option. Once you have done this, when performing SSO via SAML, you will be able to see all the HTTP requests happening behind the scenes. These HTTP requests will contain the SAML requests and responses exchanged between the IdP and SP.
To make things simpler - you can use any SAML message decoder plugin of your choice to easily inspect the SAML requests/responses exchanged.
Some ideas on what you can inspect:
If you get an error relating to Name ID being of unexpected format, inspect the Name ID in the SAML response.
If you are wondering why operator details are not populated correctly (refer to attributes supported), inspect the attribute in the SAML response.
etc.
[Screenshot: sample SAML request]
[Screenshot: sample SAML response; some information you may be interested in is highlighted in yellow]
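Added example, not part of the article: a Python helper that decodes the SAMLRequest/SAMLResponse parameters you capture from the Network tab (DEFLATE+base64 for the HttpRedirect binding, plain base64 for HTTP-POST) and cross-checks the fields the catalogue above tells you to inspect against your web.config values. The sample request and response are constructed here and unsigned; the Okta-style Entity ID and FNMS URLs are the placeholder values used throughout this guide.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, unsigned sample Response from a fictitious IdP. The Audience deliberately carries a
# trailing slash so the checks below have something to report.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  InResponseTo="id58c95ac8acce4ccd85826688510f5129"
  Destination="https://flexnet.myorganization.com/Suite/AuthServices/Acs">
  <saml:Issuer>http://www.okta.com/xxx</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/xxx</saml:Issuer>
    <saml:Subject><saml:NameID>admin@myorganization.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://flexnet.myorganization.com/Suite/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement SessionNotOnOrAfter="2099-01-01T00:00:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="FnmsAdmin">
      <saml:AttributeValue>true</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()  # HTTP-POST form

# Constructed SP-initiated AuthnRequest, encoded the way the HttpRedirect binding sends it.
SAMPLE_REQUEST_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                      'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="id58c95ac8acce4ccd85826688510f5129" '
                      'Version="2.0" AssertionConsumerServiceURL="https://flexnet.myorganization.com/Suite/AuthServices/Acs">'
                      '<saml:Issuer>https://flexnet.myorganization.com/Suite</saml:Issuer></samlp:AuthnRequest>')
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_REQUEST_PARAM = base64.b64encode(_c.compress(SAMPLE_REQUEST_XML.encode()) + _c.flush()).decode()


def decode_saml_param(param):
    """HttpRedirect binding sends DEFLATE+base64, HTTP-POST sends plain base64: handle both."""
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):
        return raw.decode()
    return zlib.decompress(raw, -15).decode()


def _text(elem, path):
    node = elem.find(path, NS) if elem is not None else None
    return node.text.strip() if node is not None and node.text else None


def summarize_response(xml_text):
    """Pull out the fields the catalogue above tells you to inspect (Issuer, Audience, Name ID, ...)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    authn = assertion.find("saml:AuthnStatement", NS) if assertion is not None else None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    attrs = {}
    if assertion is not None:
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return {"issuer": _text(root, "saml:Issuer"),
            "destination": root.get("Destination"),
            "in_response_to": root.get("InResponseTo"),
            "status": status.get("Value") if status is not None else None,
            "response_signed": root.find("ds:Signature", NS) is not None,
            "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
            "name_id": _text(assertion, "saml:Subject/saml:NameID"),
            "audience": _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
            "session_not_on_or_after": authn.get("SessionNotOnOrAfter") if authn is not None else None,
            "attributes": attrs}


def check_response(summary, sp_entity_id, acs_url, idp_entity_id, now=None):
    """Compare the summary with the web.config values; each finding cites a catalogue entry."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if summary["issuer"] != idp_entity_id:
        findings.append(f"#4/#11 Issuer {summary['issuer']!r} != identityProviders entityId {idp_entity_id!r}")
    if summary["audience"] != sp_entity_id:
        findings.append(f"#2 Audience {summary['audience']!r} != SP entityId {sp_entity_id!r} (slash/case/scheme?)")
    if summary["destination"] and summary["destination"] != acs_url:
        findings.append(f"#17 Destination {summary['destination']!r} != ACS URL {acs_url!r}")
    if not (summary["response_signed"] or summary["assertion_signed"]):
        findings.append("#19 neither the Response nor the Assertion is signed")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", summary["name_id"] or ""):
        findings.append(f"#18 Name ID {summary['name_id']!r} is not an e-mail address")
    if summary["session_not_on_or_after"]:
        expiry = datetime.fromisoformat(summary["session_not_on_or_after"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # IdP sent a local time; the SP treats the value as UTC
            findings.append("#20 SessionNotOnOrAfter has no timezone; it must be a UTC timestamp")
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append(f"#20 SessionNotOnOrAfter {summary['session_not_on_or_after']} is not in the future")
    return findings


if __name__ == "__main__":
    s = summarize_response(decode_saml_param(SAMPLE_RESPONSE_B64))
    print(s)
    print(check_response(s, "https://flexnet.myorganization.com/Suite",
                         "https://flexnet.myorganization.com/Suite/AuthServices/Acs", "http://www.okta.com/xxx"))
```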
Using StubIdP for testing purpose
Heads up:
Never configure your FlexNet Manager Suite production environment with StubIdp.
It is highly recommended to disable network access to the FlexNet Manager Suite system in such a way that only you can access the system.
Ignoring the above warnings can lead to people gaining unauthorized access to your system - as you will be using StubIdP (essentially a mock/fake IdP which allows you to impersonate any identity without needing any credentials).
If you are a FlexNet Manager Suite administrator and want to test-run the configuration prior to engaging with your IdP team, or you have been in back-and-forth discussions with your IdP team and the configuration just doesn't seem right, then using StubIdP might be the right choice for you.
Go to https://stubidp.sustainsys.com/
Create your own tenant by going to the StubIdP homepage > click on "create your own IdP tenant". You will need to do this on your own and in turn you will get a unique URL similar to https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000. Replace any reference to this URL with your own in the following steps.
Fill in the following details to automatically pre-fill Assertion Consumer Service URL, Audience URL, predefined users, and Attribute Statements:
{
  "HideDetails": false,
  "UserList": [
    {
      "DisplayName": "Admin User",
      "Description": "A user who will be granted Administrator rights upon first login",
      "Assertion": {
        "NameId": "admin@myorganization.com",
        "AttributeStatements": [
          {
            "Type": "FnmsAdmin",
            "Value": "true"
          }
        ]
      }
    }
  ],
  "DefaultAssertionConsumerServiceUrl": "https://myorganization.flexera.com/Suite/AuthServices/Acs",
  "DefaultAudience": "https://myorganization.flexera.com/Suite",
  "IdpDescription": "FlexNet StubIdP - testing only"
}
The above snippet includes what you should put for the Assertion Consumer Service URL, Audience URL, etc. Alternatively, refer to the parent article for specific IdP configuration guides.
You can download the metadata file from https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000/Metadata and rename it to metadata.xml.
You can download the IdP public certificate from https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000/Certificate.
In your web.config, refer to previous section about supplying metadata and other relevant information in your FlexNet Manager Suite system. In web.config, you will essentially have something similar to:
<kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Never">
  <identityProviders>
    <add entityId="https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000/Metadata" signOnUrl="https://stubidp.sustainsys.com/1506e6c0-d2b0-49e8-919a-00000000000" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml">
      <signingCertificate fileName="~/App_Data/stubidp.sustainsys.com.cer" />
    </add>
  </identityProviders>
  <serviceCertificates>
    <!-- Not needed in typical setup unless you want to configure SLO. -->
    <!--<add storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="flexnet.myorganization.com" use="Signing" />-->
  </serviceCertificates>
</kentor.authServices>
When you hit FlexNet Manager Suite URL, you will be redirected to StubIdP where you can choose to impersonate any user. If you use the predefined values above, you should see "Admin User" in the dropdown. Select any user and hit on the 'Login' button.
If that works successfully, you can be sure that you have configured SAML successfully in FNMS, and can provide the relevant values below for your IdP team to create the actual SAML application you will be using in your production environment:
Assertion Consumer Service URL
Audience URL
The expected Name ID value (typically email address)
Optionally, any attribute statements they should pass along to FlexNet Manager Suite
Have them provide the IdP X.509 public certificate so you can configure them in the signingCertificate section in web.config file above
etc.
Aug 07, 2020
12:49 AM
2 Kudos
This article is a part of a wider topic, see parent page.
Configuring SAML in WebUI (Cloud)
Prerequisites:
You have the following information which you acquired from your IdP:
Metadata.xml file or metadata URL
IdP X.509 public key certificate (optional); if supplied, it must be included as part of the metadata (not as a separate file)
To configure SAML in FlexNet Manager Suite Cloud, simply upload your metadata file or URL via Web UI > System Settings > Security page.
THAT'S IT ABOUT CONFIGURING SSO/SAML FOR CLOUD.
If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the troubleshooting guide and list of common errors.
Configuring SAML in WebUI (On-premise)
Prerequisites:
You have the following information which you acquired from your IdP (On-premise):
Metadata.xml file or metadata URL
IdP X.509 public key certificate
Entity ID and SSO URL
Step 1 - Backup your web.config file
Located in %installdirectory%\FlexNet Manager Platform\WebUI\web.config
Step 2 - Disabling Windows Authentication and enabling Forms and Anonymous Authentication
Go to IIS Manager in your FlexNet Manager Suite server.
Go to Default Web Site > Suite > Authentication
Disable Windows Authentication
Enable Forms Authentication and Anonymous Authentication
Repeat the above steps for SAPOptimization and ECMBusinessPortal sub applications within the Default Web Site.
Step 3 - Copying the metadata file and IdP public key (signing certificate)
If you prefer to use metadata URL and the IdP X.509 public certificate file is already included in your metadata, ignore this step.
Create an "App_Data" directory at %installdirectory%\FlexNet Manager Platform\WebUI\App_Data
Copy metadata.xml file to the App_Data directory (unless you prefer to use metadata URL).
Copy IdP X.509 public certificate file to the App_Data directory (unless the public certificate is already included in the metadata).
Step 4 - Changing authentication type to SAML in the web.config
In your web.config file, locate the following within the <flexera.web> element and change authenticationType from "Windows" to "Saml".
<signOn authenticationType="Windows" authenticationLogin="" createUnknownOperator="true" ... ></signOn>
Step 5 - Configuring Kentor.AuthServices section in the web.config
In your web.config file, locate the <Kentor.AuthServices> element and replace it with:
<kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Never">
<identityProviders>
<add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml">
<signingCertificate fileName="~/App_Data/okta.cert" />
</add>
</identityProviders>
<serviceCertificates></serviceCertificates>
</kentor.authServices>
In the identityProviders section, fill in the following values:
Replace entityId and signOnUrl with the values you received from your IdP.
If you prefer to use a metadata URL, replace metadataLocation with the metadata URL (e.g. https://myidp.com/fnmssamlapp/metadata). If specified via file, ensure the path to the metadata.xml file is correct.
If the IdP X.509 public certificate is already included in your metadata, remove the signingCertificate element completely. If specified via file, ensure the path to the public certificate file is correct.
allowUnsolicitedAuthnResponse="true" is what permits IdP-initiated SSO, i.e. a SAML response that FlexNet Manager Suite did not request. Keep it only if you need IdP-initiated sign-on; if SP-initiated sign-on is all you use, set it to "false" so that only responses to an AuthnRequest issued by FlexNet Manager Suite are accepted.
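The prerequisites above (entity ID, SSO URL, signing certificate) are all present in the IdP's metadata.xml, so you can extract them and render the identityProviders entry rather than transcribing by hand. The script below is an added example written for this article, not Flexera's or Kentor's code: it parses a constructed sample metadata document (the certificate body is a placeholder, not a real X.509 blob), takes the HTTP-Redirect SingleSignOnService location to match binding="HttpRedirect", prints a SHA-256 fingerprint of each embedded signing certificate so you can compare it with what the IdP console shows, and omits the signingCertificate child exactly when the metadata already embeds the certificate. The file paths it writes into the fragment are the article's example paths.

```python
"""Derive the kentor.authServices <identityProviders> entry from IdP metadata.

Added example, not Flexera's code. It parses the IdP metadata.xml, extracts the
entityID, the HTTP-Redirect SingleSignOnService URL and embedded signing
certificates, and renders the <add ...> element for web.config.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the certificate body is NOT a real X.509 DER blob, just a
# placeholder so the example runs offline. Entity ID and URLs are made up.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.oktapreview.com/app/example_flexnetmanagersuite_1/exk0/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.oktapreview.com/app/example_flexnetmanagersuite_1/exk0/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entity ID, HTTP-Redirect SSO URL and embedded signing certs (DER bytes)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT:
            sso_url = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, to compare with the IdP console."""
    return hashlib.sha256(der).hexdigest()


def render_identity_provider(info, metadata_location="~/App_Data/metadata.xml",
                             cert_file="~/App_Data/okta.cert"):
    """Render the <add> element for <identityProviders>; drop signingCertificate
    when the metadata already embeds the IdP certificate."""
    if not info["entity_id"] or not info["sso_url"]:
        raise ValueError("entityID and an HTTP-Redirect SingleSignOnService are required")
    head = (f'<add entityId="{info["entity_id"]}" signOnUrl="{info["sso_url"]}" '
            f'allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" '
            f'loadMetadata="true" metadataLocation="{metadata_location}"')
    if info["signing_certs"]:
        return head + " />"
    return head + f'>\n  <signingCertificate fileName="{cert_file}" />\n</add>'


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for der in info["signing_certs"]:
        print("IdP signing certificate sha256:", fingerprint(der))
    print(render_identity_provider(info))
```

Run it against your real metadata.xml by reading the file into parse_idp_metadata; if sso_url comes back None the IdP offers no HTTP-Redirect endpoint and binding="HttpRedirect" cannot work, and if signing_certs is empty you must ship the certificate file and keep the signingCertificate element.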
THAT'S IT ABOUT CONFIGURING SSO/SAML FOR ON-PREMISE.
If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the troubleshooting guide and list of common errors.
Configuring SAML in WebUI (Partner)
Prerequisites:
You have the following information which you acquired from your IdP:
Metadata.xml file or metadata URL
IdP X.509 public key certificate: if supplied, it must be embedded in the metadata itself (a separate certificate file cannot be uploaded)
To configure SAML in FlexNet Manager Suite Partner/Multi-Tenant system, you can either:
Log on to the tenant you want to configure SAML for and upload your metadata file or URL via Web UI > System Settings > Security page (the configuration applies to the tenant you are logged on to).
Alternatively, on the FlexNet Manager Suite server, navigate to %installdirectory%\DotNet\bin and execute one of the commands below.
# If you prefer to use metadata file:
.\ConfigureSystem.exe apply-saml-configuration --metadata-file=<PATH> --state=<SamlPilotAgw> --tenantuid=xxx
# If you prefer to use metadata URL:
.\ConfigureSystem.exe apply-saml-configuration --metadata-url=<URL> --state=<SamlPilotAgw> --tenantuid=xxx
# Optional: if needed, see helptext and other supported operations
.\ConfigureSystem.exe help apply-saml-configuration
.\ConfigureSystem.exe help clear-saml-configuration
.\ConfigureSystem.exe help export-saml-configuration
Ensure the correct TenantUID is passed. The following "state" values are supported for the --state argument:
AgwOnly: only allow operators to sign on via AGW; SAML disabled / AGW enabled
SamlPilotAgw: allow operators to perform IdP-initiated SSO, while keeping the default sign on provider as AGW; both SAML and AGW enabled
SamlAgw: allow operators to perform IdP and SP-initiated SSO with default sign on provider as SAML; both SAML and AGW enabled
SamlOnly: allow operators to perform IdP and SP-initiated SSO with default sign on provider as SAML; SAML enabled / AGW disabled
After running ConfigureSystem.exe, you will need to restart IIS for the changes to take effect.
THAT'S IT ABOUT CONFIGURING SSO/SAML FOR PARTNER/MULTI-TENANT SYSTEM.
If everything is configured correctly, both SP-initiated and IdP-initiated Single Sign On (SSO) should work as expected. If not, see the troubleshooting guide and list of common errors.
Other WebUI configurations
Configuring SP default timeout in FlexNet Manager Suite
Supported: FlexNet Manager Suite On-premise 2020 R1+
This configures the default timeout, i.e. how long FlexNet Manager Suite keeps its local session before it sends the user back to the IdP to re-authenticate.
Per the SAML 2.0 specification, the IdP can supply the SP session lifetime through the SessionNotOnOrAfter attribute of the AuthnStatement in the assertion it sends to the SP. That attribute is optional, however, and not all IdPs send it.
As an alternative, you can configure a default timeout value in FlexNet Manager Suite:
Cloud
Specify the default timeout value in Web UI > System Settings > Security page.
On-premise
Specify the value via a database setting by executing the following SQL in your Compliance database:
DECLARE @TimeoutInMinutes INT = 60 -- 60 minutes
DECLARE @SettingNameID INT = (SELECT SettingNameID FROM dbo.SettingName WHERE [Name] = 'LoginTimeoutMinutes')
EXEC ComplianceTenantSettingPutBySettingNameID @SettingNameID, @TimeoutInMinutes
Automatically creating unknown operators
This setting defaults to true. To simplify creation of new operators in FlexNet Manager Suite, you can specify the following setting in your web.config file, located in the %installdirectory%\FlexNet Manager Platform\WebUI directory.
When the setting is set to true, a new operator will automatically be created in FlexNet Manager Suite upon first successful SSO. However on its own, this setting will not automatically grant any role to the operator. As such, the operator will see a "No role" page and will require FlexNet Manager Suite administrator to grant an explicit role to that operator.
To change this behavior, specify either "true" or "false" in the "createUnknownOperator" value below.
<signOn authenticationType="Saml" authenticationLogin="" createUnknownOperator="true" ... ></signOn>
Using custom attribute in place of Name ID attribute
This is typically not required for a standard setup. It is recommended to leave the "authenticationLogin" value empty.
The Name ID attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier) is typically sent by your IdP and used by FlexNet Manager Suite to uniquely identify an operator login identity. This value can be john.doe@flexera.com, for example.
However, if you have a special use case where you want a different attribute (not the Name ID attribute) to be used as the operator identifier, you will need to specify the custom attribute name/type in the "authenticationLogin" value below.
<signOn authenticationType="Saml" authenticationLogin="OperatorLogin" createUnknownOperator="true" ... ></signOn>
In the example above, FlexNet Manager Suite will expect the "OperatorLogin" attribute to exist in the SAML response sent by the IdP, and will use this value to uniquely identify an operator login identity.
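The operator-identity rules in this section, the SessionNotOnOrAfter handling described under the SP default timeout, and the Destination/Recipient/Audience values that the IdP-side application must match exactly are all decisions an SP makes on the incoming SAML response. The script below is an added example written for this article, not Flexera's or Kentor's code, and it deliberately leaves out XML signature verification, which Kentor.AuthServices performs before any of these checks and which must never be skipped. It validates a constructed, unsigned sample response (made-up issuer, user and timestamps; NOW is a fixed clock so the sample stays valid) against the article's example SP values, using exact string comparison so that a case difference or a trailing slash fails, then resolves the operator login from NameID or from the attribute named by authenticationLogin, derives the session timeout, and applies the two Administrator conventions listed in the Okta article (role claim, FnmsAdmin attribute).

```python
"""SP-side checks on a SAML Response and the operator-identity rules above.
Added example, not Flexera's code. Signature verification is out of scope here:
Kentor.AuthServices does it before any of these checks, and it is mandatory."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Assumed SP values (the example hostname used throughout the article).
SP_ENTITY_ID = "https://flexnet.myorganization.com/Suite"
SP_ACS_URL = "https://flexnet.myorganization.com/Suite/AuthServices/Acs"
# Constructed clock for the sample below; a real SP uses the current UTC time.
NOW = datetime(2020, 8, 7, 1, 0, tzinfo=timezone.utc)

# Constructed, unsigned sample Response with made-up issuer, user and times.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://flexnet.myorganization.com/Suite/AuthServices/Acs">
 <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
 <saml:Assertion>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.doe@flexera.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2020-08-07T01:05:00Z"
      Recipient="https://flexnet.myorganization.com/Suite/AuthServices/Acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-08-07T00:55:00Z" NotOnOrAfter="2020-08-07T01:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://flexnet.myorganization.com/Suite</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2020-08-07T00:59:00Z" SessionNotOnOrAfter="2020-08-07T09:00:00Z"/>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="OperatorLogin"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><saml:AttributeValue>Administrator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL):
    """Return validated facts, or raise ValueError on the first failed check.
    All comparisons are exact strings: a case difference or trailing slash is a mismatch."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        raise ValueError(f"Destination mismatch: {root.get('Destination')!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("Recipient mismatch")
    if now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"Audience mismatch: {audiences}")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    authn = assertion.find("saml:AuthnStatement", NS)
    session_end = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs,
            "session_not_on_or_after": _ts(session_end) if session_end else None}


def validation_error(xml_text, now, **kw):
    """The failure reason as a string, or None when the Response passes every check."""
    try:
        validate_response(xml_text, now, **kw)
        return None
    except ValueError as exc:
        return str(exc)


def operator_login(validated, authentication_login=""):
    """Mirror the signOn authenticationLogin setting: empty -> NameID, else that attribute."""
    if not authentication_login:
        return validated["name_id"]
    values = validated["attributes"].get(authentication_login)
    if not values:
        raise ValueError(f"attribute {authentication_login!r} missing from the assertion")
    return values[0]


def session_timeout_minutes(validated, now, default_minutes=60):
    """IdP-supplied SessionNotOnOrAfter wins when present; otherwise the configured default."""
    end = validated["session_not_on_or_after"]
    return int((end - now).total_seconds() // 60) if end else default_minutes


def is_admin(validated):
    """The two IdP-side conventions from the Okta article: role claim or FnmsAdmin attribute."""
    attrs = validated["attributes"]
    return ("Administrator" in attrs.get(CLAIM_ROLE, [])
            or (attrs.get("FnmsAdmin") or [""])[0].lower() == "true")
```

The Destination and Recipient checks are why the article insists on case-exact URLs with no trailing slash on the IdP side: the SP does not normalise them, so https://flexnet.myorganization.com/Suite/AuthServices/Acs/ is simply a different string and the response is rejected.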
Configuring outgoing requests from SP to the IdP to be signed
This is typically not required for a standard setup.
Certain SAML operations such as Single Logout (SLO) require outgoing requests from the SP to the IdP to be signed. For example, when triggering an SP-initiated SLO, the IdP needs to trust that the saml2p:LogoutRequest payload indeed comes from FlexNet Manager Suite before logging the user out of the IdP and all other non-Flexera applications that support SLO.
To sign outgoing SAML requests, you first need a public/private key pair for signing purposes. Talk to your IT/Security team, who can help you with this. It is your responsibility to keep the private key secure: it should exist only on the FlexNet Manager Suite server, and marking it non-exportable when you import it limits the damage if the server is compromised.
Once you have the key pair, import it (with its private key) into the Local Machine > Personal certificate store on your FlexNet Manager Suite server, and grant the IIS application pool identity that runs the Suite application read access to the private key; without that permission, signing fails at runtime. Then, in your web.config file, locate the <kentor.authServices> element and change authenticateRequestSigningBehavior from "Never" to "Always", which indicates that outgoing requests from the SP to the IdP are to be signed.
You will then need to tell Kentor.AuthServices how to locate the certificate in the Windows certificate store, within the <serviceCertificates> element, i.e.
<kentor.authServices entityId="https://flexnet.myorganization.com/Suite" returnUrl="https://flexnet.myorganization.com/Suite/AuthServices" authenticateRequestSigningBehavior="Always">
<identityProviders>
<add entityId="REPLACE_WITH_ENTITY_ID" signOnUrl="REPLACE_WITH_SSO_URL" allowUnsolicitedAuthnResponse="true" binding="HttpRedirect" loadMetadata="true" metadataLocation="~/App_Data/metadata.xml">
<signingCertificate fileName="~/App_Data/okta.cert" />
</add>
</identityProviders>
<serviceCertificates>
<add storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" findValue="sso.flexnet.myorganization.com" use="Signing" />
</serviceCertificates>
</kentor.authServices>
In the above example, the key used for signing is located from Certificate Store (Local Machine) > Personal > Certificates > the certificate whose subject name is "sso.flexnet.myorganization.com". Note that the criteria must match exactly one certificate; if several match (for example an old and a renewed certificate with the same subject), use FindByThumbprint instead.
Alternatively, you can set these attributes differently to locate the signing certificate; refer to the Microsoft documentation below:
storeName: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storename?view=netframework-4.5
storeLocation: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storelocation?view=netframework-4.5
x509FindType: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509findtype?view=netframework-4.5
findValue: specify the certificate subject, thumbprint, etc. depending on the x509FindType you decide to use.
Aug 06, 2020
11:03 AM
This article is a part of a wider topic, see parent page.
Configuring SAML application in Okta
Step 1 - Creating the SAML application
Go to Okta Admin and navigate to Applications page.
Click on the "Add Application" button and then on "Create New App".
Choose "Web" as the platform and "SAML 2.0" as the sign-on method.
Fill in any application name, e.g. "FlexNet Manager Suite", and click on the "Next" button.
Step 2 - Filling in the SAML settings
Single sign on URL: https://flexnet.myorganization.com/Suite/AuthServices/Acs
Recipient URL: https://flexnet.myorganization.com/Suite/AuthServices/Acs
Destination URL: https://flexnet.myorganization.com/Suite/AuthServices/Acs
Audience restriction: https://flexnet.myorganization.com/Suite
NameID format: Unspecified / EmailAddress
Application username: Email
Important - all of the above URLs are case sensitive, and must be entered with no trailing slash and no leading or trailing whitespace; FlexNet Manager Suite compares them as exact strings against its own configuration.
Okta - SAML settings
[Optional] Step 3 - Configuring attribute statements
This is an optional step. You can configure the following attributes to pass "claims" that FlexNet Manager Suite understands and uses to pre-fill operator details.
First name: attribute Type GivenName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last name: attribute Type Surname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Email: attribute Type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Job title: attribute Type JobTitle
Okta - attribute statements
Step 4 - Providing the necessary details to your FlexNet Manager Suite administrator
Once the application is created successfully in your IdP, go to the 'Sign on' tab in the SAML Application, and click on 'View Setup Instructions'.
You will need to provide the following information to your FlexNet Manager Suite administrator:
Identity Provider Single Sign-On URL, e.g. https://xxx.oktapreview.com/app/xxx_flexnetmanagersuite_1/xxx/sso/saml
Identity Provider Issuer (Entity ID), e.g. http://www.okta.com/xxx
X.509 Certificate (IdP public certificate): download it, e.g. as an okta.cert file containing -----BEGIN CERTIFICATE----- xxxxxx -----END CERTIFICATE-----
Metadata file: copy the metadata file contents and save them as metadata.xml
WHAT'S NEXT
To complete your SSO setup in FlexNet Manager Suite, refer to the parent article.
Alternatively, continue reading this article to browse other Okta-specific configurations you might be interested in.
[Advanced] Automatically granting Administrator role to your newly created operators.
This is helpful when used together with the createUnknownOperator="true" setting in the FlexNet Manager Suite web.config file, and is achieved by passing either one of the attribute values below. Bear in mind that every user for whom the IdP emits this value becomes an Administrator on first sign-on, so scope the group membership or expression that produces it as tightly as you would any other administrator grant.
Role attribute: Type http://schemas.microsoft.com/ws/2008/06/identity/claims/role, expected value: Administrator
FnmsAdmin attribute: Type FnmsAdmin, expected value: 'true' or 'false', or a custom evaluation such as isMemberOfGroupName("Administrator")
[Advanced] Enabling Single Logout in Okta
Prerequisites:
You are using FlexNet Manager Suite On-premise offering.
You have completed the Single Logout configuration in FlexNet Manager Suite, and as such have the public certificate corresponding to the private key FlexNet Manager Suite uses to sign outgoing SAML requests.
To enable Single Logout (SLO) in Okta:
Go to Okta Admin and navigate to Applications page.
Click on "FlexNet Manager Suite" application.
On the General tab > SAML Setting section, click on "Edit" link.
Go to next step and click on "show advanced settings".
Check the "Enable Single Logout / Allow application to initiate Single Logout" checkbox.
Specify the following details:
Single Logout URL: https://flexnet.myorganization.com/Suite/AuthServices/Logout
Signature Certificate: browse and upload the public certificate of your Service Provider (FlexNet Manager Suite) signing key.
SP Issuer: the Service Provider's entity ID, i.e. the entityId value of your <kentor.authServices> element (https://flexnet.myorganization.com/Suite in the example above). Okta matches it against the Issuer of the signed LogoutRequest it receives from FlexNet Manager Suite.
Click on "Next" button and save your changes.
Okta - Single Logout (SLO) settings under SAML Settings > Show Advanced Settings
Latest posts by kent-au