Creating a SAML Configuration in Faspex

Before configuring SAML in Faspex, make sure you have properly configured your SAML IdP (see Configuring Your Identity Provider (IdP)).
  1. In Faspex, go to Server > Authentication > SAML Integration.
  2. Optional: Import a SAML IdP's metadata to auto-populate the fields for SSO URL, fingerprint, and certificate. You can import from a URL, from a saved file, or from pasted text. Click Import Settings From Metadata URL.
  3. Enter a name for your configuration in the Name field. This name is used by Faspex to differentiate between multiple SAML configurations.
  4. Optional: Configure the following SAML options.
    • Publicly Visible: Determines whether Faspex allows users to choose this IdP as an option from the local login page.
    • Public Login Instructions field: Displays a description of the IdP and instructions on how to log in.
    • Restrict access to known groups: Prevents SAML users that are not members of existing Faspex SAML groups from logging into this IdP.
    • Default SAML Configuration: Determines whether accessing the Faspex URL redirects to this IdP or to the local Faspex login page.
    • Domain URL: Directs users to this IdP when they access this alternate URL. For more information, see Configuring a Domain URL for SAML.
    For more information on these options, see Configure SAML Options.

If you chose to import a metadata file, the SSO target URL, Name ID Format, Fingerprint, and Certificate fields have already been auto-populated with information.

  5. In the SSO target URL field, enter your IdP Single Sign-On URL.
  6. Choose the Name ID Format used to authenticate with the SAML IdP.
    The Name ID format must match the format used with your IdP. Faspex supports the following formats: Unspecified, Transient, Persistent, or Email Address. When set to Unspecified, any Name ID format returned by the IdP is accepted.
  7. Enter the IdP Fingerprint or Certificate. Only one of these two fields is required to authenticate with the SAML IdP.
  8. Optional: In the Allowable clock drift field, enter the clock drift, in milliseconds, to allow between Faspex and the SAML IdP.
  9. Configure the default profile fields. These fields must map to attributes in your SAML IdP's SAML response. Enter the SAML Name for each of the required fields: username, email, first_name, and last_name.
    Important: Once you set the value for username, do not change it. If username is changed, existing SAML users can no longer log into their existing Faspex accounts, but are instead given new accounts with new usernames.
  10. Optional: Configure local custom profile fields.
    These are custom user attributes that only apply to this IdP. Name is the name of the attribute displayed in Faspex. SAML Name is the name of the attribute as configured in the IdP. To add a field, click Add Local Profile Field. For more information, see Setting Up Custom SAML Fields.
    Note: If you've configured custom attributes (Server > User Profile), these fields show up as Global Custom Profile Fields that, if required, you must map to valid SAML names. For more information about custom attributes, see Configuring Custom User Fields.
  11. Click Create SAML Configuration.
    After creating a new SAML configuration, Faspex redirects you to the SAML Configurations page and displays the existing SAML configurations.
Users can now access Faspex through SAML instead of going through the local login page. For information about bypassing the SAML redirect, see Bypassing the SAML Redirect.