
Documentation & User Guides | FotoWare

Setting Up SAML Authentication

Adding the FotoWeb application to your SAML provider

Example: Okta setup

Create an application in your SAML provider's management console and set the following parameters:

Single sign on URL
Use the hostname of your FotoWeb server followed by /fotoweb/auth/saml20/consume/, for example: http://example.fotoware.cloud/fotoweb/auth/saml20/consume/

Important: Remember to include the final forward slash at the end of the URL, as seen above.

[Screenshot: SAML provider setup 2.png]

Issuer ID / Audience URI

With FotoWeb 8.0 build 837 and newer, the Audience URI must match the Issuer ID, which is the site URL including a final forward slash, as in this example:

https://example.fotoware.cloud/fotoweb/

Important: Remember to include the final forward slash at the end of the URL, as seen above.

In earlier versions of FotoWeb, the Audience URI should read FotoWeb, as in the screenshot above.

Attribute statements

In the Attribute statements section, map the FotoWeb attributes to those of your SAML provider.

The screenshot below shows the mapping between FotoWeb and Okta; the FotoWeb attributes are shown in the left column (email, givenName, sn, username).

Important: Enter the FotoWeb attribute names EXACTLY as specified in the left column; otherwise users will not be able to authenticate and log in.

[Screenshot: SAML provider setup 1.png]

Copy endpoint URL and certificate to FotoWeb site settings

After setting up the application, the SAML provider gives you an endpoint URL to which FotoWeb sends authentication requests, along with an X.509 certificate. Copy both into the SAML authentication settings of the FotoWeb site configuration in the Operations Center, as shown further down.

[Screenshot: SAML provider setup 3.png]
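The values above are easy to get subtly wrong (a missing trailing slash, a mis-cased attribute name), so a small pre-flight check is worthwhile. The following added example is not FotoWare's own code: it validates the Single sign on URL, Audience URI and attribute names against the rules in this guide (assuming FotoWeb 8.0 build 837 or newer), and extracts the endpoint URL and signing certificate from an IdP metadata document. The metadata document is constructed for illustration; its hostnames and certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

ACS_PATH = "/fotoweb/auth/saml20/consume/"                       # from the guide, slash included
REQUIRED_ATTRIBUTES = ("email", "givenName", "sn", "username")   # exact, case-sensitive names
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_sp_config(site_url, acs_url, audience_uri, attribute_names):
    """Return the problems found in the values entered in the IdP's application (empty list
    when all checks pass). Assumes FotoWeb 8.0 build 837 or newer (Audience URI = site URL)."""
    problems = []
    if not acs_url.endswith(ACS_PATH):
        problems.append("Single sign on URL must end with %s (trailing slash included)" % ACS_PATH)
    if not audience_uri.endswith("/"):
        problems.append("Audience URI must end with a forward slash")
    elif audience_uri != site_url:
        problems.append("Audience URI must equal the site URL (Issuer ID) %s" % site_url)
    lowered = {n.lower(): n for n in attribute_names}
    for name in REQUIRED_ATTRIBUTES:
        if name not in attribute_names:
            hint = lowered.get(name.lower())  # near-miss such as "Email": right letters, wrong case
            problems.append("Attribute %r is missing" % name
                            + (" (found %r; names are case-sensitive)" % hint if hint else ""))
    return problems

def extract_idp_settings(metadata_xml):
    """Pull the two values the guide says to copy into FotoWeb's SAML settings, the endpoint
    URL and the signing certificate, out of the IdP's metadata document."""
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService", NS)
    # Prefer the key marked for signing; fall back to any key the IdP publishes.
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None or not cert.text:
        raise ValueError("metadata lacks a SingleSignOnService endpoint or an X509Certificate")
    return {"sso_url": sso.get("Location"), "binding": sso.get("Binding"),
            "certificate": "".join(cert.text.split())}  # drop the line breaks in the base64 body

# Constructed IdP metadata for illustration only: hostnames and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/CONSTRUCTED">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIICCONSTRUCTEDBASE64
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.com/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run check_sp_config on the values you are about to save in the IdP, and extract_idp_settings on the metadata the IdP offers for download, before pasting anything into the Operations Center.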

When the option Only allow login with SAML is ticked, users who access FotoWeb are not given the opportunity to enter a username and password manually; they are authenticated immediately via SAML when they access the FotoWeb site. When the option is left unchecked, users can log in by entering a FotoWeb username and password manually. To log in with SSO in that case, select Login with SSO on the login screen; SAML credentials cannot be entered manually.