Configuring IT Asset Management for Single Sign-On Integration

IT Asset Management (Cloud)
A single location provides all the controls to configure integration between your identity provider and this service provider (IT Asset Management), as well as to turn on/off single sign-on operation in controlled steps reflecting your implementation progress.
Tip: A limitation of the underlying library (Sustainsys.Saml2) means that SAML authentication for IT Asset Management cannot support Federal Information Processing Standards (FIPS).

To configure IT Asset Management as an SSO service provider:

  1. Log in to IT Asset Management as an operator who is a member of the Administrator role.
    The necessary settings are available only to an operator with administrator privileges.
  2. Go to the IT Asset Management Settings General page (Administration > IT Asset Management Settings > General).
  3. Select the Security tab, and scroll down to the Authentication section.
  4. Copy the read-only values from the General information part, label them, and send them to the person who administers your identity provider (or, if you are authorized to do so, add those values required by your identity provider, so that you configure it to recognize IT Asset Management as a service provider).
    Tip: In your identity provider, you must set a NameID that the identity provider uses to uniquely identify the person logging in, when it asserts this identity back to the service provider. In IT Asset Management 2023 R2.4, this must be the employee's email address. Within IT Asset Management, this value is available in the following equivalent places:
    • In the web interface, in the Account Properties page as the Account field (where the value is specified during account creation). Once an account has been saved in IT Asset Management, this value is no longer editable (nor can the account be deleted, as it may relate to historical activity; but you may disable an account when appropriate).
    • As a read-only value in the Login column of the IT Asset Accounts page (Administration > IT Asset Management Settings > IT Asset Accounts).
    • In the OperatorLogin column in the ComplianceOperator table of the compliance database, which is the database column underlying the two previously-mentioned display places. Only an operator whose value asserted by the identity provider is matched in this table is granted access to a tenant within IT Asset Management.
  5. To communicate with the identity provider, IT Asset Management needs an XML file of metadata including URLs of endpoints, information about supported bindings, identifiers, and public keys. (For more information, see the SAML 2.0 metadata schema available at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.) Receive back from your administrator colleague (or extract the data from the identity provider yourself, if authorized) either of the following:
    • A URL for download of the metadata document from the identity provider. Enter this value in the URL field in the SAML identity provider metadata part of the page.
    • A copy of the metadata XML file at an accessible file location on your network. Use the Metadata file controls to browse to and upload this file to IT Asset Management.
    Tip: You may freely choose either of these methods, but you cannot save the page if you have completed both fields. When you save your setting, IT Asset Management downloads the metadata file (if necessary), and validates its contents. If there are any problems, an alert helps you to remedy those, until your service provider is correctly configured to interact with your identity provider.
  6. Choose the operating mode for authentication, deciding whether to have one or both identity providers active (and if both, which one should have priority). Notice that this setting affects all operators within your tenant (you cannot have different settings for different operators' accounts):
    • Flexera Account Management — This default case requires that you create accounts using the Flexera Account Management page. Operators provide their credentials (account name and password) on the Flexera login screen. Anyone navigating directly to your tenant-specific URL is redirected through the Flexera login screen.
    • Flexera (default) with SAML identity provider (pilot) — Intended as a transition state, this prompts for credentials at the Flexera login screen; but operators (provided that their single sign-on credentials have been configured in your identity provider) can choose a Log in with single sign-on button.
    • SAML identity provider (default) with Flexera option — Operators navigating to your customized tenant-specific URL (such as https://exampleTenant.flexnetmanager.com/Suite) are redirected to the login page from your SAML identity provider (for example, Okta). However, those operators needing to use Flexera credentials have the option of navigating to a non-tenanted URL (such as https://www.flexnetmanager.com/Suite), where the Flexera login screen is presented. Through this screen, while in this mode, logging in with Flexera credentials succeeds.
      Tip: It is a good safety net for at least one administrator to preserve a Flexera account that can be used to log in through the non-tenanted URL in case emergency configuration changes are needed.
    • SAML identity provider only — Operators navigating to your custom subdomain (such as https://exampleTenant.flexnetmanager.com/Suite) are redirected to log into your single sign-on solution. Operators with only single sign-on credentials who attempt to log into the non-tenanted URL (https://www.flexnetmanager.com/Suite) fail, and do not gain access. An operator with both kinds of credentials may use the Flexera credentials with the Flexera login screen; but when Flexera Account Management passes back authorization for this operator to access her registered tenant (which is now configured for SAML only), access is refused because the incorrect kind of credentials have been used. The login attempt is redirected to your single sign-on solution, and the operator must log in again.
      Note: In this SAML-only mode, there is a risk that subsequent incorrect configuration changes could lock out all access to IT Asset Management. If this happens, contact Flexera Support, asking for your tenant authentication mode to be switched back to SAML identity provider (default) with Flexera option. Once this is done, an administrator who has preserved a Flexera account can log in through the non-tenanted URL, and repair the configuration. To mitigate this (perhaps relatively small) risk of total lock-out, the SAML-only mode is recommended only where there are strict security requirements that prevent normal operations with the previous mode, which keeps the Flexera option enabled. At the very least, consider switching back to allow the Flexera option before making major configuration changes.
    Tip: You may revisit this screen at any time to change the mode setting, based on progress through your single sign-on implementation plan.
  7. Click Save (bottom right).
    If you used the URL option for the metadata XML file, the file is downloaded and checked. Your settings are validated, and you have an opportunity to fix any problems. When all is well, the configuration details are saved to the central compliance database for the current tenant.
For more information about these controls in the IT Asset Management Settings General page, see the online help.