Single Sign-On Support with SAML

FlexNet Manager Suite 2023 R1 (On-Premises)
To enable single sign-on using an identity provider, FlexNet Manager Suite supports Security Assertion Markup Language (SAML) 2.0, and integrates with any identity provider that is compliant with SAML 2.0.
Tip: The terminology for SAML describes the two sides of the relationship with the following terms:
  • The system that controls operator login for authentication is called an "identity provider". Any identity provider that complies with SAML 2.0 is supported. Examples include:
  • The software that the operator can access after login (in this case, FlexNet Manager Suite) is called a "service provider".
Tip: A limitation of the underlying library (Sustainsys.Saml2) means that SAML authentication for FlexNet Manager Suite cannot support Federal Information Processing Standards (FIPS).

Using Single Sign-on

When single sign-on has been configured appropriately, an attempt to log in to FlexNet Manager Suite is redirected to the identity provider (IdP), where the login is handled. You may also log in to FlexNet Manager Suite directly from the identity provider, provided that the identity provider has been configured with the appropriate link to FlexNet Manager Suite.

When logging out, you can choose to close the FlexNet Manager Suite session without affecting the session on the identity provider (or any other service provider), or you may be able to initiate a complete logout from the identity provider. Note that a complete logout requires that the identity provider supports this function and has it configured.

Configuring Single Sign-on (Overview)

Authentication services for SAML 2.0 are provided through use of the third-party tool Sustainsys.Saml2. This tool requires you to configure FlexNet Manager Suite to meet the requirements of your chosen identity provider. The major configuration steps are as follows:
  1. Plan your single sign-on strategy:
    • Identify an identity provider that supports your preferred configuration
    • Will you support single sign-on initiated by the identity provider?
    • Will you or your identity provider require signed and/or encrypted SAML assertions?
    • Do you require support for single log-out?
  2. Configure FlexNet Manager Suite as a service provider by giving it an entity ID, saved in its web.config file.
  3. Determine whether your implementation requires that FlexNet Manager Suite use a digital certificate to support signing and encryption of the SAML assertions exchanged with the identity provider; and if so, provide the certificate and configure both the service provider and the identity provider to support it. Configuration for the service provider is again within its web.config file.
  4. Configure the service provider (FlexNet Manager Suite) with the details needed for communication with the selected identity provider. You may do this either by:
    • Configuring it to read values from the metadata XML file maintained by the identity provider (recommended)
    • Recording the full details of configuration in its own web.config file (when the identity provider does not provide access to a metadata file).
    All changes to the web.config file are covered in Configuring FlexNet Manager Suite as a SAML Service Provider.
  5. Configure your chosen identity provider to recognize FlexNet Manager Suite. For details, see Configuring Your Identity Provider to Recognize FlexNet Manager Suite.
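
An added example, not taken from the FlexNet Manager Suite documentation: a small Python check that reads a sustainsys.saml2 configuration section and reports how it answers the planning questions in step 1. It assumes the section uses the element and attribute names of the Sustainsys.Saml2 library's own configuration schema (allowUnsolicitedAuthnResponse, loadMetadata, logoutUrl, signingCertificate, serviceCertificates); the sample values are constructed, the function name is hypothetical, and the product's web.config topic remains the authority for the actual file.

```python
import xml.etree.ElementTree as ET

# Constructed sample section; every URL and file name is a placeholder.
SAMPLE_CONFIG = """
<configuration>
  <sustainsys.saml2 entityId="https://fnms.example.test/Suite/Saml2">
    <identityProviders>
      <add entityId="https://idp.example.test/metadata"
           allowUnsolicitedAuthnResponse="true"
           loadMetadata="true"
           metadataLocation="https://idp.example.test/metadata.xml" />
    </identityProviders>
    <serviceCertificates>
      <add fileName="~/App_Data/sp-placeholder.pfx" />
    </serviceCertificates>
  </sustainsys.saml2>
</configuration>
"""

def _flag(element, name):
    return (element.get(name) or "").strip().lower() == "true"

def review_saml_config(xml_text):
    """Summarise the planning decisions visible in a sustainsys.saml2 section."""
    sp = next(ET.fromstring(xml_text).iter("sustainsys.saml2"), None)
    if sp is None:
        raise ValueError("no <sustainsys.saml2> section found")
    report = {
        "sp_entity_id": sp.get("entityId"),
        # A service certificate is what lets the SP sign requests and decrypt assertions.
        "sp_certificate": sp.find("serviceCertificates/add") is not None,
        "identity_providers": [],
    }
    for idp in sp.findall("identityProviders/add"):
        from_metadata = _flag(idp, "loadMetadata")
        inline_cert = idp.find("signingCertificate") is not None
        report["identity_providers"].append({
            "entity_id": idp.get("entityId"),
            "idp_initiated_sso": _flag(idp, "allowUnsolicitedAuthnResponse"),
            "reads_idp_metadata": from_metadata,
            # Responses can only be verified if the IdP signing key comes from somewhere.
            "idp_signing_key_source": "metadata" if from_metadata
                                      else "web.config" if inline_cert else None,
            "logout_url_inline": idp.get("logoutUrl") is not None,
        })
    return report

if __name__ == "__main__":
    print(review_saml_config(SAMPLE_CONFIG))
```

An identity provider entry that reports no signing key source, or that allows IdP-initiated sign-on when the plan in step 1 did not call for it, is worth reviewing before the configuration goes live.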
