Where to configure: Log on to FotoWare and go to the Site Configuration (Tools - Site Configuration). Expand the Security node and choose Single Sign-on.
When setting up FotoWare with SAML SSO, you can define attributes on the Identity Provider (IdP) that are synchronized to FotoWare when a user is imported.
Such attributes can for instance include:
- Group membership
- Address information mapped to corresponding FotoWare user information fields
- User initials
- Phone numbers
Tip: The Managing Groups using SAML topic explains how to transfer group membership, with an example using ADFS. However, the procedure for doing so is quite similar whether using ADFS or another provider.
Default properties in FotoWare
Four properties are default and required when integrating FotoWare with an IdP using SAML:
E-mail, First Name, Last Name and Username.
The names of these properties can be changed in FotoWare to accommodate e.g. an IdP that cannot modify the name of its outgoing attributes for the corresponding fields.
Example: If the IdP always sends the username as an attribute named uid, change the FotoWare SAML Property Name for Username to uid to match that of the IdP. Remember that SAML property names may be case sensitive.
Tip: The SAML Property Name seen above is often referred to as SAML Attribute Name in many IdP setups.
Additional attributes can also be set as required as needed. When an attribute is required, a user will not be able to log in the the identity provider does not set the attribute.
Synchronizing Additional Properties
Additional properties synchronized via SAML can be mapped to FotoWare user information fields. Choose the FotoWare field using the drop down menu and enter the corresponding SAML attribute that the IdP delivers.
Attributes with multiple values
When setting up attributes, IdP's have different ways to transfer attributes with multiple values. FotoWare supports multiple values for group memberships and address information, attributes that often comprise more than a single value.
For example, an IdP may transfer group membership as a single attribute that translates to a single SAML property mapping in FotoWare - this 1-1 relationship means that a single group in the IdP translates to a single group in FotoWare associated with the SAML property.
However, it's more typical for an IdP to transfer transfer multiple group memberships. These can be transferred as a comma or semicolon separated list, or as an array. You can set the format of the attribute's values in the Type column (see above screenshot), and choose between Single (1-1 mapping) or List, where you can choose between comma separation, semicolon separation or Multi, meaning an array.
Group Membership Mapping
To synchronize groups from the IdP to FotoWare, choose the Member of (Groups) entry from the FotoWare user information field drop down and then enter the corresponding SAML attribute it should be mapped to. With an ADFS integration, the default name of the SAML attribute is groups, but different IdPs may use different attribute names.
Next, choose the format of the group membership values from the IdP, Single or List.
Important distinction: While the group mapping described above refers to linked groups, it's also possible to create default groups in FotoWare in which all users who are imported via SAML are placed. Since having default groups means that anyone who authenticates via SAML can access FotoWare, we recommend disabling all default groups if you're enforcing strict access control to FotoWare.
An address information attribute from the IdP can also contain multiple values, By choosing List as the type, each attribute value will be added as an individual street address line.
Important Points to Note
- When the IdP sends an attribute, that attribute is always updated when a user logs in via SAML.
- If there is no SAML attribute mapping to a FotoWare field or custom property, or if the attribute is not required and the IdP does not send it, then any existing FotoWare user data is not overwritten. This allows additional user data to be entered e.g. in the FotoWare user management module without risking it being overwritten.