Documentation & User Guides | Fotoware

Setting up SAML authentication

Adding the FotoWeb application to your SAML provider

Example: Okta setup

Okta is an Identity Provider (IdP) which is used as an example to illustrate how to configure FotoWeb to work with an IdP. The procedure may vary slightly depending on the type of IdP being used. 

Create an application in your SAML provider's management console and set the following parameters:

Single sign on URL (aka Assertion Consumer Service URL or ACS URL)
Use the hostname of your FotoWeb server followed by /fotoweb/auth/saml20/consume/, for example: https://example.fotoware.cloud/fotoweb/auth/saml20/consume/

Important: Remember to include the final forward slash at the end of the URL, as seen above.

(Screenshot: SAML provider setup 2.png)

Issuer ID / Audience URI: 

In FotoWeb 8.0 build 837 and newer, the Audience URI must match the correct Issuer ID - the site URL - including a final forward slash, as in the following example:

https://example.fotoware.cloud/fotoweb/

Important: Remember to include the final forward slash at the end of the URL, as seen above.

In earlier versions of FotoWeb, the Audience URI must read FotoWeb, as in the screenshot above.

Attribute statements

In the Attribute statements section, map the FotoWeb attributes to those of your SAML provider.

The screenshot below shows the mapping between FotoWeb and Okta, where the FotoWeb attributes are shown in the left column (email, givenName, sn, username) and the corresponding Okta values are shown in the right column.

Note:
1) The names of the attributes in FotoWeb can be customized, for instance to accommodate IdPs that send a fixed attribute value.
2) Additional attributes can be added to import more information about users, such as group membership.

Important: Make sure you enter the FotoWeb attributes EXACTLY as specified in the left column. If you've changed the name of the corresponding FotoWeb values in the Operations Center Settings app, enter them accordingly here. The values must match, otherwise users will not be able to authenticate and log in.

(Screenshot: SAML provider setup 1.png)
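As an added example (not Fotoware's or Okta's code), the following script checks a SAML assertion for the two things the steps above say must match exactly: the Audience URI, compared verbatim so a missing trailing slash is caught, and the four FotoWeb attribute names, compared case-sensitively. The assertion, the site URL and the helper name check_assertion are constructed for this illustration.

```python
# Added example (not Fotoware's code): sanity-check a SAML assertion such as Okta would
# send to the FotoWeb ACS URL, verifying the exact-match rules described on this page:
# the Audience URI (site URL with trailing slash) and the FotoWeb attribute names.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values FotoWeb expects; site URL and attribute names taken from the page above.
EXPECTED_AUDIENCE = "https://example.fotoware.cloud/fotoweb/"
REQUIRED_ATTRIBUTES = ("email", "givenName", "sn", "username")

# Constructed sample assertion (not a real Okta response), mimicking the Okta
# attribute statements mapped to the FotoWeb attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://example.fotoware.cloud/fotoweb/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience=EXPECTED_AUDIENCE, required=REQUIRED_ATTRIBUTES):
    """Return (ok, problems, attributes). The Audience is compared verbatim, so a missing
    trailing slash is reported instead of silently accepted; attribute names are compared
    case-sensitively, matching the 'EXACTLY as specified' rule above."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text or "" for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience mismatch: got {audiences}, expected {expected_audience!r}")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    for name in required:
        if not attrs.get(name):
            problems.append(f"Missing or empty attribute {name!r} (names are case-sensitive)")
    return (not problems, problems, attrs)


if __name__ == "__main__":
    ok, problems, attrs = check_assertion(SAMPLE_ASSERTION)
    print("OK" if ok else "\n".join(problems), attrs)
```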

Copy endpoint URL and certificate to FotoWeb site settings

After setting up the application, the SAML provider will give you an endpoint URL to which FotoWeb will send authentication queries, along with an X.509 certificate. These must be copied into the SAML authentication settings in the FotoWeb site configuration in the Operations Center Settings app, as shown below.

(Screenshot: SAML provider setup 3.png)

(Screenshot: SAML_SSO_properties.png)

Setting the Logout URL

The Logout URL can be obtained from the IdP.

If the user logs out from FotoWeb, or the session is terminated by other means, the user will be redirected to the custom logout URL.

The custom logout URL may be a "start page" with links to FotoWeb and other applications to which the user can log in via SAML. For example, services such as Okta, Google GSuite and ADFS can have such pages. When using sign-in initiated by the identity provider (where the user signs in to FotoWeb from an external page, rather than the FotoWeb login page), this provides a more natural experience, where the user returns to the "start page" after leaving FotoWeb.

The custom logout URL is used regardless of whether the FotoWeb login page is enabled or not ("always log in with SSO"). This may be useful in cases where most users are expected to log in via SSO, but a select few (typically administrators) log in via the FotoWeb login form.

If no custom logout URL is specified, and the FotoWeb login page is disabled ("always log in with SSO"), then the user is taken to a default page after logout, which has a link to log back in via SSO.

The custom logout page may also be a link that logs the user out of the session in the identity provider. However, it is not an implementation of SAML single sign-out.

Enforcing the use of SAML for login

By selecting the Only allow login with SAML option, users who access FotoWeb are not given the opportunity to enter a username and password manually; they are immediately authenticated using SAML when accessing the FotoWeb site. If the Only allow login with SAML option is left unchecked, it is possible to enter a FotoWeb username and password manually to log in. To log in with SSO in that case, select Login with SSO on the login screen, since SAML credentials cannot be entered manually.