Where to configure: Go to Site Configuration > Security > Single Sign-on.
When setting up FotoWare with SAML SSO, you can define attributes on the Identity Provider (IdP) that are synchronized to FotoWare when a user is imported.
Such attributes can include, for instance:
- Group membership
- Address information mapped to corresponding FotoWare user information fields
- User initials
- Phone numbers, and so on.
Tip: The Managing Groups using SAML topic explains how to transfer group membership, with an example using ADFS. The procedure for transferring group membership is quite similar for all providers.
Default properties in FotoWare
Four properties are default and required when integrating FotoWare with an IdP using SAML: E-mail, First Name, Last Name, and Username.
The names of these properties can be changed in FotoWare to accommodate, for example, an IdP that cannot modify the name of its outgoing attributes for the corresponding fields.
Example: If the IdP always sends the username as an attribute named uid, change the FotoWare SAML Property Name for Username to uid to match that of the IdP. Remember that SAML property names may be case-sensitive.
Tip: The SAML Property Name seen above is often referred to as SAML Attribute Name in many IdP setups.
Additional attributes can also be set as required as needed. When an attribute is required, a user will not be able to log in if the identity provider does not set the attribute.
Synchronizing additional properties
Additional properties synchronized via SAML can be mapped to FotoWare user information fields. Choose the FotoWare field using the drop-down list and enter the corresponding SAML attribute that the IdP delivers.
Attributes with multiple values
When setting up attributes, IdPs have different ways to transfer attributes with multiple values. FotoWare supports multiple values for group memberships and address information, attributes that often comprise more than a single value.
For example, an IdP may transfer group membership as a single attribute that translates to a single SAML property mapping in FotoWare - this 1-1 relationship means that a single group in the IdP translates to a single group in FotoWare associated with the SAML property.
However, it's more typical for an IdP to transfer multiple group memberships. These can be transferred as a comma or semicolon-separated list, or as an array. You can set the format of the attribute's values in the Type column (see the screenshot above), and choose between Single (1-1 mapping) or List, where you can choose between comma separation, semicolon separation, or Multi (meaning an array).
Group membership mapping
To synchronize groups from the IdP to FotoWare, choose Member of (Groups) entry from the FotoWare user information field drop-down list and then enter the corresponding SAML attribute to map to. With an ADFS integration, the default name of the SAML attribute is groups, but different IdPs may use different attribute names.
Next, choose the format of the group membership values from the IdP, Single, or List.
Note: While the group mapping described above refers to linked groups, it's also possible to create default groups in FotoWare in which all users who are imported via SAML are placed. Since having default groups means that anyone who authenticates via SAML can access FotoWare, we recommend disabling all default groups if you're enforcing strict access control to FotoWare.
An address information attribute from the IdP can also contain multiple values, Select List as the type to add each attribute value as an individual street address line.
- When the IdP sends an attribute, that attribute is always updated when a user logs in via SAML.
- If there is no SAML attribute mapping to a FotoWare field or custom property, or if the attribute is not required and the IdP does not send it, then any existing FotoWare user data is not overwritten. This allows additional user data to be entered, for example, in the FotoWare user management module, without risking it being overwritten.