Identity Provider Configuration

An Identity Provider (IdP) is a web application operated by, or on behalf of, your organization that performs the following functions:

Provides Security Assertion Markup Language (SAML) attributes identifying the user who is attempting to interact with a service provider (SP). The SP is a web application, such as Flexera One, that consumes the assertion issued by your identity provider to provision users and determine their access privileges.
Asserts to the SP that the user identified by those attributes has authenticated with the identity provider and is authorized by it to access the service.
Optionally provides additional attributes for the user, such as group membership information, that the SP may use when provisioning the user in the system.

You may purchase identity-as-a-service from a vendor or operate your own in-house identity provider. In either case, identity provider software typically provides an application portal that gives users one-click access to Flexera One and other web applications.

When configuring your identity provider with Flexera One, you can start with the SAML Overview or skip to Setting Up an Identity Provider for Flexera One.

The table below summarizes some Frequently Asked Questions (FAQs) regarding implementing SAML in Flexera One.

FAQs for implementing SAML in Flexera One

Question

Answer

Is there a fee to implement SAML in Flexera One?

No

Can single sign-on be set up as a required option?

Yes, for details, see Enforcing Single Sign-On in Your Organization

Does Flexera One support identity provider-initiated or service provider-initiated SAML, or both?

Both are supported. Service provider-initiated SAML is enabled only if a discovery hint was specified for the identity provider.

How is the discovery hint used?

To initiate service provider-initiated SAML:

1. Access the Flexera One login page (for details, see Logging in to Flexera One and Resetting Your Password).
2. Go to the Single sign-on tab.
3. Enter the discovery hint that was specified when the identity provider was created. Flexera One uses this hint to select your organization's federated identity provider and redirects you to its sign-in page.
4. Select Login.

If no discovery hint is specified for the identity provider, service provider-initiated SAML is disabled.

Note: The discovery hint is case-sensitive.

What is the required SAML Name ID format in Flexera One?

Email address

What attributes are required in the SAML assertion?

Name ID

Do you use the Name ID/subject section of the SAML response to authenticate the user?

If so, what value should be used?

The Name ID/subject section of the SAML response is used to authenticate the user.

The value should be the user's email address.

Is SAML service provider metadata available?

For security reasons, we use unique certificates for every SAML connection, so generic metadata is not available. SAML parameters are available in Flexera One when configuring your identity provider.

Is single logout supported?

No

For my identity provider, I configured a Logout redirect URL. However when I logged out, I was not directed to this URL. Why?

A change to the logout redirect URL affects only sessions created after the update; sessions that were already active when the URL was changed keep the previous value. To observe the new behavior, log out of Flexera One, log in again through the identity provider, and the new logout redirect URL will be used when that session ends.

If the SAML response needs to be signed, what is the required signature algorithm?

SHA-256 or SHA-1 are supported. Configure your identity provider for SHA-256 (RSA-SHA256) wherever possible; SHA-1 is deprecated for digital signatures and should be used only where the identity provider cannot produce SHA-256 signatures.

If a digest algorithm is required, what is the required algorithm?

SHA-256 or SHA-1 are supported. As with the signature algorithm, prefer SHA-256.

Does the assertion need to be encrypted?

No

Which algorithms are supported for assertion encryption?

AES-128, AES-192, AES-256, Triple DES. Prefer AES-256 or AES-128; Triple DES is deprecated and should be used only for compatibility with a legacy identity provider.

Does Flexera One provide the certificate to encrypt the assertion?

Flexera One doesn't provide a certificate to encrypt the assertion.

Your identity provider's signing certificate is uploaded to Flexera One while completing the Adding a New Identity Provider steps in the Flexera One user interface. Your identity provider signs the assertion with the private key that corresponds to that certificate, and Flexera One uses the uploaded certificate to verify the signature.

If you enable signing of SAML authentication requests (the “sign authorization (authn) requests” option within Flexera One), Flexera One signs each AuthnRequest with the signing key selected on its Signing Keys tab (see Creating a New Signing Key). In that case you must copy the certificate from Flexera One's Signing Keys tab into your identity provider so that it can verify the request signature.

Does Flexera One require the force authentication flag to be enabled?

No