Documentation & User Guides | FotoWare

SAML Authentication

How it works

By integrating FotoWeb with your SAML authentication service, you can import users into a preset FotoWeb group or groups.

Because SAML does not support synchronization of group data, you will need to create groups in FotoWeb and then assign users imported from the SAML service to those groups.

Setting it up

Add the FotoWeb application to your SAML provider

Create an application in your SAML provider's management console and set the following parameters:

Single sign on URL: Use the hostname of your FotoWeb server followed by /fotoweb/auth/saml20/consume, for example: http://company.com/fotoweb/auth/saml20/consume

SAML provider setup 2.png

In the Attribute statements section, map the FotoWeb attributes to those of your SAML provider.

The screenshot below shows the mapping between FotoWeb and Okta, where the FotoWeb attributes are shown in the left column (email, givenName, sn, username).

Important: Make sure you enter the FotoWeb attributes EXACTLY as specified in the left column - failure to do so will result in users not being able to authenticate and log in.
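Because the attribute names must match exactly, it helps to check what the provider actually sends before users try to log in. The following Python check is an added example, not part of FotoWare's documentation or software: it reads a decoded SAML assertion and reports any of the four attribute names that are missing, empty or not an exact match, and compares the Recipient path with the consume path above. The sample assertion and its hostname are constructed, and reading the Recipient from SubjectConfirmationData assumes the provider copies the Single sign on URL there.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "givenName", "sn", "username")  # attribute names from this page
ACS_PATH = "/fotoweb/auth/saml20/consume"            # consume path from this page

# Constructed sample: givenName is mis-cased, sn is absent, username is empty.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://fotoweb.example.test/fotoweb/auth/saml20/consume"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>a.user@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="GivenName"><saml:AttributeValue>A</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of mapping problems found in a decoded SAML assertion."""
    if "<!DOCTYPE" in xml_text:  # an assertion never needs a DTD; do not parse one
        return ["DOCTYPE present: refusing to parse"]
    root = ET.fromstring(xml_text)
    problems, sent = [], {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        sent[attr.get("Name", "")] = values
    by_lower = {name.lower(): name for name in sent}
    for name in REQUIRED:
        if name in sent:
            if not any(v.strip() for v in sent[name]):
                problems.append(f"{name}: present but empty")
        elif name.lower() in by_lower:
            problems.append(f"{name}: sent as '{by_lower[name.lower()]}', not an exact match")
        else:
            problems.append(f"{name}: missing")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", SAML_NS):
        path = urlparse(scd.get("Recipient", "")).path
        if path != ACS_PATH:
            problems.append(f"Recipient path is '{path}', expected '{ACS_PATH}'")
    return problems

if __name__ == "__main__":
    print("\n".join(check_assertion(SAMPLE)) or "attribute mapping looks correct")
```

The check looks only at attribute names and the Recipient; it does not validate the assertion's signature against the provider's X.509 certificate.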

SAML provider setup 1.png

Copy endpoint URL and certificate to FotoWeb site settings

After setting up the application, the SAML provider will give you an endpoint URL to which FotoWeb will send authentication queries, along with an X.509 certificate. These must be copied into the SAML authentication settings in the FotoWeb site configuration in the Operations Center, as shown further down.

SAML provider setup 3.png

Authentication - SAML.png

If you tick the option Only allow login with SAML, users who access FotoWeb are not given the opportunity to enter a username and password manually; they are authenticated using SAML as soon as they access the FotoWeb site. If you leave the option unchecked, users can still enter a FotoWeb username and password manually to log in, but SAML credentials cannot be entered manually to log in.

Important note about group management in SAML

Not all SAML providers deliver information about a user's group membership to the application, so you need to create groups in FotoWeb manually and assign permissions to these groups.

Then, in the SAML configuration in the FotoWeb site settings, preset the groups that users imported via SAML should be added to (see screenshot above).