When to use SAML
By integrating FotoWeb with your SAML authentication service, you can import users into a preset FotoWeb group or groups. Because SAML does not support synchronization of group data, you will need to create groups in FotoWeb and then assign users imported from the SAML service to those groups.
SAML authentication is fit for:
- Customers who already have a SAML identity provider and wish to integrate FotoWeb with this provider.
- Customers who use Active Directory Federation Services.
- Customers who have an Active Directory and wish to use FotoWeb with SSO. In this case you can use SAML in combination with Active Directory Federation Services (ADFS) to facilitate single sign-on usage scenarios.
Setting it up
Adding the FotoWeb application to your SAML provider
Create an application in your SAML provider's management console and set the following parameters:
Single sign on URL
Use the hostname of your FotoWeb server followed by /fotoweb/auth/saml20/consume, for example: http://example.fotoware.cloud/fotoweb/auth/saml20/consume
Issuer ID / Audience URI
With FotoWeb 8.0 build 837 and newer, the Audience URI must match the Issuer ID, which is the site URL including a final forward slash (for the server used in the example above: http://example.fotoware.cloud/).
In earlier versions of FotoWeb, the Audience URI should read FotoWeb, as in the screenshot above.
In the Attribute statements section, map the FotoWeb attributes to those of your SAML provider.
The screenshot below shows the mapping between FotoWeb and Okta, where the FotoWeb attributes are shown in the left column (email, givenName, sn, username).
Important: Make sure you enter the FotoWeb attributes EXACTLY as specified in the left column - failure to do so will result in users not being able to authenticate and log in.
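The following is an added example, not FotoWeb's or Fotoware's own code, that checks a SAML 2.0 assertion for the two things the steps above depend on: an Audience that equals the Issuer ID (site URL plus trailing slash, the FotoWeb 8.0 build 837+ convention) and attribute names spelled exactly as FotoWeb expects. The site URL, the sample assertions and the identity provider name are constructed for the example; the check only validates structure and naming, it does not verify the assertion signature, which is what the X.509 certificate from your provider is for.

```python
"""Added example (not FotoWeb's or Fotoware's code): sanity-check a SAML 2.0
assertion against the values FotoWeb expects, as described in the setup steps.

Assumptions (constructed for this example):
- SITE_URL is the FotoWeb site URL from the example above.
- The Issuer ID / Audience URI is that URL with a final forward slash.
- The required attribute names are the four shown in the mapping.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SITE_URL = "http://example.fotoware.cloud"
REQUIRED_ATTRIBUTES = ("email", "givenName", "sn", "username")


def issuer_id(site_url):
    """Issuer ID / Audience URI: the site URL with exactly one trailing slash."""
    return site_url.rstrip("/") + "/"


def acs_url(site_url):
    """Single sign-on (Assertion Consumer Service) URL for FotoWeb."""
    return site_url.rstrip("/") + "/fotoweb/auth/saml20/consume"


def check_assertion(xml_text, expected_audience=issuer_id(SITE_URL)):
    """Return a list of problems; an empty list means the assertion matches."""
    problems = []
    root = ET.fromstring(xml_text)

    # The Audience must equal the Issuer ID character for character, slash included.
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(
            f"audience mismatch: got {audiences}, expected {expected_audience!r}")

    # Attribute names are case-sensitive; a near miss is reported with a hint.
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for req in REQUIRED_ATTRIBUTES:
        if req not in attrs:
            near = [n for n in attrs if n and n.lower() == req.lower()]
            hint = f" (found {near[0]!r}, names are case-sensitive)" if near else ""
            problems.append(f"missing attribute {req!r}{hint}")
        elif not attrs[req] or not attrs[req][0]:
            problems.append(f"attribute {req!r} has no value")
    return problems


def _assertion(audience, email_name):
    """Build a constructed (unsigned) assertion for demonstration only."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{email_name}"><saml:AttributeValue>jane@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed samples: one correct, one with the two most common mistakes
# (Audience without the final slash, attribute name with the wrong case).
GOOD_ASSERTION = _assertion("http://example.fotoware.cloud/", "email")
BAD_ASSERTION = _assertion("http://example.fotoware.cloud", "Email")

if __name__ == "__main__":
    print("ACS URL:", acs_url(SITE_URL))
    print("Issuer ID:", issuer_id(SITE_URL))
    print("good:", check_assertion(GOOD_ASSERTION) or "ok")
    print("bad:", check_assertion(BAD_ASSERTION))
```

Run it against an assertion captured from your own provider's test login to confirm the Audience and attribute names before enabling Only allow login with SAML, since a mismatch at that point locks every user out of the manual login fallback.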
Copy endpoint URL and certificate to FotoWeb site settings
After setting up the application, the SAML provider will give you an endpoint URL to which FotoWeb will send authentication queries, along with an X.509 certificate. These must be copied into the SAML authentication settings in the FotoWeb site configuration in the Operations Center, as shown further down.
By ticking the option Only allow login with SAML, users who access FotoWeb will not be given the opportunity to manually enter a username and password to authenticate but will be immediately authenticated using SAML when accessing the FotoWeb site. By leaving the option unchecked, it will be possible to enter a FotoWeb username and password manually to log in, but you cannot manually enter your SAML credentials to log in.
Important note about group management in SAML
An important point to note about SAML is that not all SAML providers deliver information about a user's group membership to the application, so you need to manually create groups in FotoWeb and assign permissions to these groups.
Then, in the SAML configuration in the FotoWeb site settings you preset the groups that users imported via SAML should be added to (see screenshot above).