Single Sign-On Support with SAML

IT Asset Management (Cloud)
To enable single sign-on using an identity provider, IT Asset Management includes support for Security Assertion Markup Language (SAML) 2.0 technology, and will integrate with any identity providers that are compliant with SAML 2.0.
Tip: The terminology for SAML describes the two sides of the relationship with the following terms:
  • The system that controls operator login for authentication is called an "identity provider". Any identity provider that complies with SAML 2.0 is supported. Examples include:
  • The software that the operator can access after login (in this case, IT Asset Management) is called a "service provider".
Tip: A limitation of the underlying library (Sustainsys.Saml2) means that SAML authentication for IT Asset Management cannot support Federal Information Processing Standards (FIPS).

Using Single Sign-on

When single sign-on has been configured appropriately, an attempt to log in to IT Asset Management is redirected to the identity provider (IdP), where the login is performed. You may also log in to IT Asset Management directly from the identity provider, provided that the identity provider has been configured with the appropriate link to IT Asset Management.

When logging out, you can choose to close the IT Asset Management session, without affecting the session on the identity provider (or any other service provider).

Configuring Single Sign-on (Overview)

Your SaaS implementation of IT Asset Management includes a fixed set of values needed by your identity provider. In turn, your service provider also needs details from your identity provider. The major configuration steps are as follows:
  1. Implement your chosen identity provider, configuring it for your preferred strategy.
    Note: As a service provider, IT Asset Management supports both:
    • Sign-on initiated by the identity provider (that is, an operator logs into the identity provider directly, and then selects IT Asset Management)
    • Sign-on initiated by the service provider (that is, an operator navigates to your customized tenant URL, and the login is redirected through your identity provider).
    In either method, the operator is granted access to the web interface of IT Asset Management, and can access all functionality authorized by the various roles to which the operator's account is assigned. As well, IT Asset Management supports digital signing (using certificates) of all communications ("assertions") between the identity provider and service provider. However, it does not support additional encryption of assertions (other than the encryption provided by the HTTPS protocol); nor does log out from the identity provider automatically log the operator out of IT Asset Management (that is, single sign-out is not supported).
    Tip: As part of the ordering and implementation process, new customers should advise Flexera of their preferred tenant subdomain name. If you have not done this, the subdomain is identified by your tenant GUID, which is a meaningless, hard-to-type jumble of letters and numbers. If this describes what you see as the first part of your tenant URL, please advise your Flexera support contact of your preferred tenant subdomain name so that the URL can be updated for you.
  2. Provide the information about the service provider (your cloud instance of IT Asset Management) to the identity provider, copying the information provided and if necessary handing off to the administrator responsible for the identity provider. For details, see Configuring IT Asset Management for Single Sign-On Integration.
  3. Receive from the administrator of your identity provider either the URL to download the metadata file for the identity provider, or a copy of the metadata file itself; and enter the appropriate details to configure IT Asset Management to validate and make use of the metadata file. Details are also included in Configuring IT Asset Management for Single Sign-On Integration.
  4. If your identity provider requires use of a digital certificate to sign assertions it sends to IT Asset Management, the certificate (signature public key) is included in the metadata file. When either you upload a copy of the metadata file (if that was separately supplied), or enter the URL for the metadata file (which is downloaded and validated by IT Asset Management), certificate details are automatically stored in the central database, and validated against all future assertions.
  5. As you integrate your identity provider with your cloud instance of IT Asset Management, you may from time to time change the balance of authentication responsibilities between the two systems to best suit your implementation progress. You may, for example:
    • Start with authentication fully managed by IT Asset Management, with accounts created in Flexera Account Management. This is the default or starting position when your tenant is first configured within IT Asset Management.
    • Keep your default or main authentication management with IT Asset Management, but start switching individual identities or accounts over to your identity provider, as a pilot project to validate that all is well.
    • Make your identity provider the default way of logging in, but allow operators to also log in directly through IT Asset Management when required.
    • Enforce your single sign-on solution as the only path through which operators may log into IT Asset Management.
    This choice of operating mode is made on the same configuration page where the other integration settings are registered. The currently selected mode applies equally to all operators within your tenant in IT Asset Management. The fastest and best controlled authentication experience comes when each operator bookmarks a customized, tenant-specific URL that includes your own subdomain (for example, https://exampleTenant.flexnetmanager.com/Suite). When an operator who is not currently logged in navigates to this URL, the login is redirected to the appropriate service based on the mode you have currently selected.
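Steps 2 to 4 above turn on the identity provider's SAML 2.0 metadata file: the service provider reads the IdP's entityID, its single sign-on endpoints and the signing certificate(s) it will later check every assertion signature against. The following added example (not Flexera's code, and not the Sustainsys.Saml2 library) parses a constructed IdP metadata document with the Python standard library and flags the two things this page says IT Asset Management cannot use: expired metadata and an advertised encryption key, since encrypted assertions are not supported. The hostnames, URLs and certificate bytes are placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder for the DER bytes of the IdP certificate; real metadata carries
# a base64-encoded X.509 certificate inside each X509Certificate element.
FAKE_DER = b"constructed placeholder, not a real certificate"
CERT_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (CERT_B64, CERT_B64)


def parse_idp_metadata(xml_text, now=None):
    """Return (entityID, {binding: location}, [signing cert DER bytes], [warnings]).
    The signing certs are what the SP stores and checks each assertion signature against."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    endpoints, certs, warnings = {}, [], []
    expiry = root.get("validUntil")
    if expiry and datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) < now:
        warnings.append("metadata validUntil %s has passed; fetch a fresh copy" % expiry)
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue
        der = base64.b64decode("".join(cert.text.split()))   # drop PEM-style line wrapping
        if kd.get("use") in (None, "signing"):               # no 'use' attribute means both purposes
            certs.append(der)
        else:  # use="encryption": the SP validates signatures but does not decrypt assertions
            warnings.append("IdP advertises an encryption key; encrypted assertions are not supported")
    for sso in idp.findall("md:SingleSignOnService", NS):
        endpoints[sso.get("Binding")] = sso.get("Location")
    if not certs:
        warnings.append("no signing certificate: assertion signatures cannot be validated")
    return root.get("entityID"), endpoints, certs, warnings
```

Whether the IdP metadata arrives as a downloaded file or via a URL, a certificate rotation on the IdP side means the list of signing certificates changes, so re-parse and re-upload the metadata after each rotation.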
