Single Sign-On Support with SAML
IT Asset Management (Cloud)
To enable single sign-on using an identity provider, IT Asset Management includes support for Security Assertion Markup Language (SAML) 2.0 technology, and will integrate with any identity provider that is compliant with SAML 2.0.
Tip: The terminology for SAML describes the two sides of the relationship with the following terms:
- The system that controls operator login for authentication is called an "identity provider". Any identity provider that complies with SAML 2.0 is supported. Examples include:
- Okta (http://www.okta.com)
- G Suite (http://gsuite.google.com)
- SalesForce (http://www.salesforce.com).
- The software that the operator can access after login (in this case, IT Asset Management) is called a "service provider".
Tip: A limitation of the underlying library (Sustainsys.Saml2) means that SAML authentication for IT Asset Management cannot support Federal Information Processing Standards (FIPS).
Using Single Sign-on
When single sign-on has been configured appropriately, an attempt to log in to IT Asset Management is redirected to the identity provider (IdP), where the login is handled. You may also log in to IT Asset Management directly from the identity provider, provided that the identity provider has been configured with the appropriate link to IT Asset Management.
When logging out, you can choose to close the IT Asset Management session, without affecting the session on the identity provider (or any other service provider).
Configuring Single Sign-on (Overview)
Your SaaS implementation of IT Asset Management includes a fixed set of values needed by your identity provider. In turn, your service provider also needs details from your identity provider. The major configuration steps are as follows:
- Implement your chosen identity provider, configuring it for your preferred strategy.
  Note: As a service provider, IT Asset Management supports both:
  - Sign-on initiated by the identity provider (that is, an operator logs into the identity provider directly, and then selects IT Asset Management)
  - Sign-on initiated by the service provider (that is, an operator navigates to your customized tenant URL, and the login is redirected through your identity provider).
  Tip: As part of the ordering and implementation process, new customers should advise Flexera of your preferred tenant subdomain name. If you have not done this, the subdomain is identified by your tenant GUID, which is a meaningless, hard-to-type jumble of letters and numbers. If this describes what you see as the first part of your tenant URL, please advise your Flexera support contact of your preferred tenant subdomain name so that the URL can be updated for you.
- Provide the information about the service provider (your cloud instance of IT Asset Management) to the identity provider, copying the information provided and, if necessary, handing off to the administrator responsible for the identity provider. For details, see Configuring IT Asset Management for Single Sign-On Integration.
- Receive from the administrator of your identity provider either the URL to download the metadata file for the identity provider, or a copy of the metadata file itself; and enter the appropriate details to configure IT Asset Management to validate and make use of the metadata file. Details are also included in Configuring IT Asset Management for Single Sign-On Integration.
- If your identity provider requires use of a digital certificate to sign assertions it sends to IT Asset Management, the certificate (signature public key) is included in the metadata file. When either you upload a copy of the metadata file (if that was separately supplied), or enter the URL for the metadata file (which is downloaded and validated by IT Asset Management), certificate details are automatically stored in the central database, and validated against all future assertions.
- As you integrate your identity provider with your cloud instance of IT Asset Management, you may from time to time change the balance of authentication responsibilities between the two systems to best suit your implementation progress. You may, for example:
- Start with authentication fully managed by IT Asset Management, with accounts created in Flexera Account Management. This is the default or starting position when your tenant is first configured within IT Asset Management.
- Keep your default or main authentication management with IT Asset Management, but start switching individual identities or accounts over to your identity provider, as a pilot project to validate that all is well.
- Make your identity provider the default way of logging in, but allow operators to also log in directly through IT Asset Management when required.
- Enforce your single sign-on solution as the only path through which operators may log into IT Asset Management.
https://exampleTenant.flexnetmanager.com/Suite). When an operator who is not currently logged in navigates to this URL, the login is redirected to the appropriate service based on the mode setting you have currently selected.