Documentation & User Guides | FotoWare

Setting Up SAML Authentication

Adding the FotoWare application to your SAML provider

Example: Okta setup

Okta is an Identity Provider (IdP) used here as an example to illustrate how to configure FotoWare to work with an IdP. The procedure may vary slightly depending on the IdP being used.

Create an application in your SAML provider's management console and set the following parameters:

Single sign-on URL (also called Assertion Consumer Service URL or ACS URL)
Use the hostname of your FotoWare server followed by /fotoweb/auth/saml20/consume/, for example: https://example.fotoware.cloud/fotoweb/auth/saml20/consume/

Important: Remember to include the final forward slash at the end of the URL, as seen above. The IdP posts the SAML response to exactly this address, so the URL must match character for character.

[Screenshot: SAML provider setup 2.png]

Issuer ID / Audience URI (SP Entity ID):

The Audience URI must match the Issuer ID that FotoWare uses, which is the site URL including the final forward slash, as in this example:

https://example.fotoware.cloud/fotoweb/

Important: Remember to include the final forward slash at the end of the URL, as seen above. The audience restriction in every assertion the IdP issues is compared with this value exactly; an assertion issued for a different audience is not valid for this FotoWare site.

Attribute statements

In the Attribute statements section, map the FotoWare attributes to those of your SAML provider.

The screenshot below shows the mapping between FotoWare and Okta, where the FotoWare attributes are shown in the left column (email, givenName, sn, username) and the corresponding Okta values are shown in the right column.

Important Notes:
1) The names of the attributes in FotoWare can be customized, for instance to accommodate IdPs that send a fixed attribute name that cannot be changed on the IdP side.
2) Additional attributes can be added to import more information about users, such as group membership.

Important: Make sure you enter the FotoWare attributes EXACTLY as specified in the left column. If you've changed the names of the corresponding values in the FotoWare Site Configuration, enter the changed names here instead. The attribute names in the assertion must match the names FotoWare expects character for character; otherwise users will not be able to authenticate and log in.

[Screenshot: SAML provider setup 1.png]

Copy endpoint URL and certificate to FotoWare site settings

After setting up the application, the SAML provider gives you an endpoint URL to which FotoWare will send authentication requests, along with an X.509 certificate. Copy both into the SAML authentication settings in the FotoWare Site Configuration, as shown below (navigate to the Security - Single Sign-on node in the site configuration). The certificate is the IdP's signing certificate: FotoWare uses it to verify that SAML responses really were issued by your IdP, so copy it directly from the IdP's console and update it in FotoWare whenever the IdP rotates its signing certificate, or signed responses from the IdP can no longer be verified.

[Screenshot: SAML provider setup 3.png]
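When a login fails after the steps above, the fastest way to find out which of the values disagrees is to look at the SAML response the browser actually delivers to FotoWare. The following Python script is an added example for this page, not code from FotoWare or from Okta: it parses a captured SAMLResponse and reports the mismatches the sections above warn about (ACS URL without the final slash, Audience URI without the final slash, attribute names that differ from email/givenName/sn/username, an assertion outside its validity window, and a signing certificate that differs from the one pasted into the site configuration). It assumes the example hostname example.fotoware.cloud and the default attribute names; the certificate constant is a constructed placeholder, the sample Response it builds is constructed for illustration and carries no real signature, and the script does not verify XML signatures at all (that is FotoWare's job).

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Assumed values for this example: substitute your own site URL and the attribute names
# configured under Security - Single Sign-on in the FotoWare Site Configuration.
SITE_URL = "https://example.fotoware.cloud"
EXPECTED_ACS = SITE_URL + "/fotoweb/auth/saml20/consume/"   # Single sign-on URL, with the final slash
EXPECTED_AUDIENCE = SITE_URL + "/fotoweb/"                   # Issuer ID / Audience URI, with the final slash
REQUIRED_ATTRS = {"email", "givenName", "sn", "username"}    # FotoWare attribute names (left column)
# Constructed placeholder, not a real certificate: paste the certificate your IdP shows here.
CONFIGURED_CERT = "-----BEGIN CERTIFICATE-----\nMIIConstructedExampleCertBody==\n-----END CERTIFICATE-----"
SAMPLE_NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)  # inside the sample validity window below

def normalize_cert(pem_or_b64):
    """Drop PEM armour and whitespace so the same certificate compares equal however it was pasted."""
    lines = (line.strip() for line in pem_or_b64.strip().splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))

def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing 'Z' (fractional seconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(saml_response, expected_acs=EXPECTED_ACS, expected_audience=EXPECTED_AUDIENCE,
                        required_attrs=REQUIRED_ATTRS, configured_cert=CONFIGURED_CERT,
                        now=None, skew=timedelta(minutes=3)):
    """Compare a captured SAMLResponse with the values the IdP application must have been set up with.
    Returns a list of problems (empty = all checks passed). The XML signature is NOT verified here;
    that needs a library such as signxml and is FotoWare's job, not this script's."""
    # The browser POSTs the response base64-encoded (form field SAMLResponse); accept raw XML too.
    if not saml_response.lstrip().startswith("<"):
        saml_response = base64.b64decode(saml_response).decode("utf-8")
    root = ET.fromstring(saml_response)
    problems = []
    destination = root.get("Destination")
    if destination != expected_acs:
        problems.append(f"Destination {destination!r} != ACS URL {expected_acs!r} (check the final slash)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion in Response (encrypted assertions are not handled here)")
        return problems
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} lacks Issuer ID {expected_audience!r} (check the final slash)")
    # An assertion outside its validity window fails even when every URL matches, so clock drift
    # between the IdP and the FotoWare server shows up here.
    now = now or datetime.now(timezone.utc)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and parse_saml_time(not_before) - skew > now:
            problems.append(f"assertion not yet valid (NotBefore={not_before}); check clock sync")
        if not_on_or_after and parse_saml_time(not_on_or_after) + skew <= now:
            problems.append(f"assertion expired (NotOnOrAfter={not_on_or_after}); check clock sync")
    # Attribute names are compared exactly (case-sensitive), as the mapping table requires.
    sent = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = sorted(set(required_attrs) - sent)
    if missing:
        problems.append(f"attributes missing from assertion: {missing}; IdP sent: {sorted(sent)}")
    certs = [normalize_cert(c.text) for c in root.iter(f"{{{NS['ds']}}}X509Certificate") if c.text]
    if normalize_cert(configured_cert) not in certs:
        problems.append("signing certificate in response missing or different from the one configured "
                        "in FotoWare (rotated at the IdP?)")
    return problems

def build_sample_response(acs=EXPECTED_ACS, audience=EXPECTED_AUDIENCE, cert=CONFIGURED_CERT,
                          attr_names=("email", "givenName", "sn", "username"),
                          not_before="2024-05-01T10:00:00Z", not_on_or_after="2024-05-01T10:05:00Z"):
    """Construct a minimal Okta-style Response for offline testing; the Signature element is a placeholder."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>'
                    for n in attr_names)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{acs}">
  <saml:Issuer>http://www.okta.com/exkCONSTRUCTED</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{normalize_cert(cert)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>http://www.okta.com/exkCONSTRUCTED</saml:Issuer>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("correct setup:", check_saml_response(build_sample_response(), now=SAMPLE_NOW))
    broken = build_sample_response(acs=EXPECTED_ACS.rstrip("/"),                         # slash forgotten in the IdP
                                   attr_names=("Email", "givenName", "sn", "username"))  # wrong case on "email"
    for problem in check_saml_response(broken, now=SAMPLE_NOW):
        print("problem:", problem)
```

To run it against a real login, open the browser's developer tools before clicking Login with SSO, find the POST to /fotoweb/auth/saml20/consume/ in the Network tab, copy the SAMLResponse form field (base64) and pass it to check_saml_response together with the certificate you pasted into the site configuration. Note that the script deliberately accepts a response whose signature is missing or forged; it tells you which configured value disagrees, it does not tell you the response is trustworthy.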

Setting the Logout URL

The Logout URL can be obtained from the IdP.

If the user logs out from FotoWare, or the session is terminated by other means, the user will be redirected to the custom logout URL.

The custom logout URL may be a "start page" with links to FotoWare and other applications to which the user can log in via SAML. Services such as Okta, Google GSuite and ADFS can provide such pages. When using sign-in initiated by the identity provider (where the user signs in to FotoWare from an external page rather than from the FotoWare login page), this gives a more natural experience: the user returns to the "start page" after leaving FotoWare.

The custom logout URL is used regardless of whether the FotoWare login page is enabled ("always log in with SSO") or not. This may be useful where most users are expected to log in via SSO but a select few (typically administrators) log in via the FotoWare login form.

If no custom logout URL is specified, and the FotoWare login page is disabled ("always log in with SSO"), then the user is taken to a default page after logout, which has a link to log back in via SSO.

The custom logout URL may also point to a page that logs the user out of the session in the identity provider. Note, however, that this is not an implementation of SAML Single Logout (SLO): logging out of FotoWare on its own does not end the IdP session, so on a shared computer a user who only logs out of FotoWare can be signed straight back in through the IdP without re-entering credentials unless the logout URL ends the IdP session as well.

Enforcing the use of SAML for login

By ticking the option Only allow login with SAML, users who access FotoWare are not offered the username and password form; they are sent to the IdP and authenticated with SAML as soon as they access the FotoWare site. If the option is left unchecked, users can log in with a FotoWare username and password, or choose Login with SSO from the login screen to authenticate via SAML. SAML credentials are never typed into the FotoWare login form; they are entered at the IdP.