Where to configure: FotoWeb site configuration, under Settings - Services - Single sign-on
When setting up FotoWeb with SAML SSO, you can define attributes on the Identity Provider (IdP) that are synchronized to FotoWeb when a user is imported.
Such attributes can for instance include:
- Group membership
- Address information mapped to corresponding FotoWeb user information fields
- User initials
- Phone numbers
Tip: The Managing Groups using SAML topic explains how to transfer group membership, with an example using ADFS. However, the procedure for doing so is quite similar whether using ADFS or another provider.
Default properties in FotoWeb
Four properties are default and required when integrating FotoWeb with an IdP using SAML:
E-mail, First Name, Last Name and Username.
The names of these properties can be changed in FotoWeb, using the Operations Center, to accommodate e.g. an IdP that cannot modify the name of its outgoing attributes for the corresponding fields.
Example: If the IdP always sends the username as an attribute named uid, change the FotoWeb SAML property name for Username to uid to match that of the IdP. Remember that SAML property names may be case sensitive.
Synchronizing Additional Properties
Additional properties synchronized via SAML can be mapped to FotoWeb user information fields. Choose the FotoWeb field using the drop down menu and enter the corresponding SAML attribute that the IdP delivers.
To synchronize groups from the IdP to FotoWeb, choose the Member of (Groups) entry from the FotoWeb user information field drop down and then enter the corresponding SAML attribute it should be mapped to. With an ADFS integration the default name of the SAML attribute is groups, but different IdPs may use different attribute names.
The Member of attribute is special in that the IdP can deliver a comma-separated list if a user is a member of several groups. This may not be supported by all IdPs.
Important distinction: While the group mapping described above refers to linked groups, it's also possible to create default groups in FotoWeb in which all users who are imported via SAML are placed. Since having default groups means that anyone who authenticates via SAML can access FotoWeb, we recommend disabling all default groups if you're enforcing strict access control to FotoWeb.
Special Case: Address Mapping
Multiple SAML attributes can be mapped to Address. Each attribute value will be added as an individual street address line. Also, each attribute value is expected to be a comma-separated list, where each part is added as an individual street address line.
Four default attributes are always required: User Name, E-mail, First Name, and Last Name. The SAML name of these attributes can be changed to accommodate the IdP's requirements (e.g. mail instead of email).
Additional attributes can also be set as required as needed. When an attribute is required, a user will not be able to log in if the identity provider does not set the attribute.
Important Points to Note
- When the IdP sends an attribute, that attribute is always updated when a user logs in via SAML.
- If there is no SAML attribute mapping to a FotoWeb field or custom property, or if the attribute is not required and the IdP does not send it, then any existing FotoWare user data is not overwritten. This allows additional user data to be entered e.g. in the FotoWare user management module without risking it being overwritten.
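As an added example (not FotoWeb's own code), the following Python model applies the rules described under Synchronizing Additional Properties, Special Case: Address Mapping and the points above to a constructed SAML AttributeStatement: required attributes, comma-separated group and address values, and the rule that unsent optional attributes never overwrite existing data. The attribute names uid, mail, givenName, sn, telephoneNumber, streetAddress and postalAddress are assumptions for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# FotoWeb field -> (SAML attribute name(s), required). Names are case-sensitive
# and the ones chosen here are assumptions for this example.
MAPPING = {
    "Username": ("uid", True),
    "E-mail": ("mail", True),
    "First Name": ("givenName", True),
    "Last Name": ("sn", True),
    "Phone": ("telephoneNumber", False),
    "Member of (Groups)": ("groups", False),
    "Address": (("streetAddress", "postalAddress"), False),  # several attrs
}

# Constructed AttributeStatement: no telephoneNumber, groups as one comma list.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups"><saml:AttributeValue>Editors, Photographers</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="streetAddress"><saml:AttributeValue>1 Main St, Suite 4</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="postalAddress"><saml:AttributeValue>Oslo</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def parse_attributes(xml_text):
    """Return {SAML attribute name: [values]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

def sync_user(existing, attrs, mapping=MAPPING):
    """Model of the documented rules: returns the updated record, or None when a
    required attribute is missing (login denied). Sent attributes overwrite,
    unsent optional ones keep existing data, groups/address are comma lists."""
    user = dict(existing)
    for field, (names, required) in mapping.items():
        names = names if isinstance(names, tuple) else (names,)
        values = [v for n in names for v in attrs.get(n, [])]
        if not values:
            if required:
                return None
            continue
        if field in ("Member of (Groups)", "Address"):
            user[field] = [p.strip() for v in values for p in v.split(",") if p.strip()]
        else:
            user[field] = values[0]
    return user
```

Running sync_user on an existing record that already has a Phone shows the phone surviving an assertion that omits telephoneNumber, while removing the required mail attribute makes the call return None.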