User login & provisioning

SSO

Allow login using an external SSO
Automatically provision users from SSO response at login time
Automatically resynchronize user properties from SSO response at login time

IdP configuration

SP configuration

Service provider EntityId (mandatory)
Service provider Assertion Consumer Service (ACS) endpoint, i.e. the URL to which the IdP posts the SAML response (mandatory)
Sign SAML requests
PKCS#12 file containing signing key and certificate (mandatory)
Keystore file password
Signing key alias (required if keystore contains multiple keys)
Algorithm used to hash the SAML request before signing. SHA-256 is recommended if your IdP supports it.

Users mapping

Attribute of the assertion to use as user's login
Remapping from the assertion attribute value to the FM login. Regular expressions are expressed in Java syntax. Use '()' to capture a substring and '$1' in the replacement string to retrieve it
Attribute of the assertion to use as user's display name
Attribute of the assertion to use as user's email
Attribute of the assertion to use as user's groups set
Optional list of SSO group names that are allowed to login to FM. If empty, all SSO users are allowed to login

IdP configuration

If your identity provider publishes an OpenID Connect discovery document (the '.well-known/openid-configuration' URL), enter that URL here and click the button to automatically fill the next 4 fields.
URL of the identity provider's JSON Web Key Set

OIDC Client configuration

The OIDC Client ID (mandatory)
The OIDC Client secret (mandatory)
The OIDC scopes for this client (mandatory). The 'openid' scope is mandatory; scopes are separated by spaces.
PKCE (Proof Key for Code Exchange) binds the authorization code to the client that started the login flow, so a stolen code cannot be exchanged by someone else; it is required by OAuth 2.1. Keep PKCE enabled unless your IdP doesn't support it yet.
Optional - Space-delimited values for the 'prompt' parameter, which specify whether the Authorization Server prompts the End-User for re-authentication and consent. Possible values: 'none', 'login', 'consent', 'select_account'. 'none' cannot be combined with the other values.
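The following is an added example, not code from the FM product or its documentation. It shows what the three settings above amount to on the wire: the client builds the authorization request with the configured scopes (refusing a scope list without 'openid'), validates the 'prompt' values, and, when PKCE is enabled, derives the S256 code challenge from a fresh code verifier as defined in RFC 7636. Endpoint, client ID and redirect URI below are assumed placeholder values.

```python
# Added example (not FM/DSS code): build the OIDC authorization request with PKCE.
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple
from urllib.parse import urlencode

MANDATORY_SCOPE = "openid"
PROMPT_VALUES = {"none", "login", "consent", "select_account"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes -> 43 URL-safe characters, inside RFC 7636's 43..128 range.
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def validate_scope(scope: str) -> List[str]:
    scopes = scope.split()
    if MANDATORY_SCOPE not in scopes:
        raise ValueError("the 'openid' scope is mandatory")
    return scopes


def validate_prompt(prompt: Optional[str]) -> List[str]:
    values = prompt.split() if prompt else []
    unknown = [v for v in values if v not in PROMPT_VALUES]
    if unknown:
        raise ValueError(f"unknown prompt value(s): {unknown}")
    if "none" in values and len(values) > 1:
        raise ValueError("'none' must not be combined with other prompt values")
    return values


def build_authorization_request(
    authorization_endpoint: str,
    client_id: str,
    redirect_uri: str,
    scope: str,
    prompt: Optional[str] = None,
    use_pkce: bool = True,
    code_verifier: Optional[str] = None,
    state: Optional[str] = None,
    nonce: Optional[str] = None,
) -> Tuple[str, Optional[str], str, str]:
    """Return (url, code_verifier, state, nonce).

    The last three stay in the server-side session: the verifier is sent with the
    token request, state and nonce are compared when the IdP redirects back.
    """
    state = state or _b64url(secrets.token_bytes(16))
    nonce = nonce or _b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(validate_scope(scope)),
        "state": state,
        "nonce": nonce,
    }
    prompt_values = validate_prompt(prompt)
    if prompt_values:
        params["prompt"] = " ".join(prompt_values)
    if use_pkce:
        code_verifier = code_verifier or new_code_verifier()
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("code_verifier must be 43..128 characters")
        params["code_challenge"] = code_challenge_s256(code_verifier)
        params["code_challenge_method"] = "S256"
    else:
        # Without PKCE only the client secret protects the code exchange.
        code_verifier = None
    return f"{authorization_endpoint}?{urlencode(params)}", code_verifier, state, nonce


if __name__ == "__main__":
    # Assumed placeholder endpoint, client and redirect URI.
    url, verifier, state, nonce = build_authorization_request(
        "https://idp.example.com/authorize", "fm-client",
        "https://fm.example.com/oidc/callback", "openid profile email",
        prompt="select_account")
    print(url)
```

The verifier/challenge pair from RFC 7636 Appendix B can be used to check the S256 derivation against a known answer.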

Users mapping

The ID Token claim that holds the user's identifier (username or email)
Converts the OpenID identifier (e.g. the email) to lowercase before mapping, so that the same user is not created twice with different letter case. Default is False.
Remapping from the ID Token claim value to the FM login. Regular expressions are expressed in Java syntax. Use '()' to capture a substring and '$1' in the replacement string to retrieve it
The ID Token claim to use as the user's display name (defaults to the identifier if not defined)
The ID Token claim to use as the user's email
The ID Token claim to use as the user's groups.
Optional list of SSO group names that are allowed to login to FM. If empty, all SSO users are allowed to login
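The mapping settings are the same for both SSO flavours (the SAML attribute mapping above and the OIDC claim mapping just listed), so the following added example, which is not FM code, implements them once: pick the identifier from the attribute or claim, optionally lowercase it, apply the Java-style regular expression remapping, and refuse the login when an allowed-groups list is configured and the user is in none of those groups. The attribute names, the sample claims and the assumption that the remapping behaves like Java's String.replaceAll are mine; note that Python's re module writes a capture-group reference as \1 where the UI field uses Java's $1, which the helper below converts.

```python
# Added example (not FM/DSS code): apply the "Users mapping" settings to the
# attributes of a SAML assertion or the claims of an OIDC ID token.
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Union


@dataclass(frozen=True)
class UserMapping:
    login_attr: str                               # attribute/claim holding the identifier
    display_name_attr: Optional[str] = None
    email_attr: Optional[str] = None
    groups_attr: Optional[str] = None
    remap_pattern: Optional[str] = None           # regex in Java syntax, as typed in the UI
    remap_replacement: str = "$1"                 # Java replacement string ('$1' = first group)
    lowercase_login: bool = False
    allowed_groups: FrozenSet[str] = frozenset()  # empty set = every SSO user may log in


def java_replacement_to_python(replacement: str) -> str:
    """Java writes capture-group references as $1; Python's re.sub expects \\1."""
    return re.sub(r"\$(\d+)", r"\\\1", replacement)


def remap_login(identifier: str, mapping: UserMapping) -> str:
    # Assumption: the remapping behaves like Java's String.replaceAll, i.e. every
    # match of the pattern is replaced and a non-matching value is left unchanged.
    if not mapping.remap_pattern:
        return identifier
    return re.sub(mapping.remap_pattern,
                  java_replacement_to_python(mapping.remap_replacement),
                  identifier)


def normalize_groups(value: Union[None, str, List[str]]) -> List[str]:
    # A SAML attribute or an OIDC claim may carry a single value or a list of values.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def map_user(attributes: Dict[str, object], mapping: UserMapping) -> Dict[str, object]:
    """Return the FM user record for this assertion, or raise if the user may not log in."""
    identifier = attributes.get(mapping.login_attr)
    if not isinstance(identifier, str) or not identifier:
        raise ValueError(f"assertion has no usable '{mapping.login_attr}' attribute")
    if mapping.lowercase_login:
        identifier = identifier.lower()
    login = remap_login(identifier, mapping)
    groups = normalize_groups(attributes.get(mapping.groups_attr)) if mapping.groups_attr else []
    if mapping.allowed_groups and not mapping.allowed_groups.intersection(groups):
        raise PermissionError(f"{login} is not a member of any allowed group")
    display_name = attributes.get(mapping.display_name_attr) if mapping.display_name_attr else None
    email = attributes.get(mapping.email_attr) if mapping.email_attr else None
    return {
        "login": login,
        "displayName": display_name or login,  # falls back to the identifier, as the OIDC field documents
        "email": email,
        "groups": groups,
    }


# Constructed configuration and sample claims (not real data).
EXAMPLE_MAPPING = UserMapping(
    login_attr="email", display_name_attr="name", email_attr="email", groups_attr="groups",
    remap_pattern=r"(.*)@example\.com", remap_replacement="$1",
    lowercase_login=True, allowed_groups=frozenset({"fm-admins"}))
EXAMPLE_CLAIMS = {"email": "Alice.Smith@example.com", "name": "Alice Smith",
                  "groups": ["fm-admins", "devs"]}

if __name__ == "__main__":
    print(map_user(EXAMPLE_CLAIMS, EXAMPLE_MAPPING))
```

With the sample configuration the identifier 'Alice.Smith@example.com' becomes the FM login 'alice.smith'; a user whose groups do not intersect the allowed list is rejected before any account is provisioned.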

LDAP

Import users and groups from an external LDAP server
Allow users to authenticate with LDAP. Note: If SSO is enabled and users must authenticate via SSO but be imported via LDAP, disable this option and enable login-time provisioning.
Automatically provision users from LDAP at login time
Automatically resynchronize user properties at login time
Allow resynchronization of user properties independently from login

Connection

ldap[s]://HOST[:PORT]/BASE (mandatory)
Use Transport Layer Security
Accept all SSL/TLS certificates (disables certificate verification, so the connection is no longer protected against a man-in-the-middle; use only for testing)
Authentication DN for LDAP queries
Authentication password for LDAP queries

Users mapping

User search filter, with {USERNAME} placeholder (mandatory)
User attribute: display name (optional)
User attribute: email (optional)
Query groups for LDAP users
Group search filter, with {USERNAME} or {USERDN} placeholder (mandatory)
Group attribute: group name (mandatory)
Optional list of LDAP group names that are allowed to login to FM. If empty, all LDAP users are allowed to login
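The {USERNAME} and {USERDN} placeholders in the two filters above are replaced with data that comes from the login form or from the directory, so the substituted value must never be able to change the structure of the filter. The following added example (not FM code) fills the placeholders with RFC 4515 escaping applied to the value; the filter templates and the sample DN are constructed for the example.

```python
# Added example (not FM/DSS code): fill the {USERNAME} / {USERDN} placeholders of
# the LDAP search filters without letting the value alter the filter's structure.

# RFC 4515: these characters inside an assertion value must be written as \XX.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def fill_user_filter(template: str, username: str) -> str:
    if "{USERNAME}" not in template:
        raise ValueError("user search filter must contain {USERNAME}")
    return template.replace("{USERNAME}", escape_filter_value(username))


def fill_group_filter(template: str, username: str, user_dn: str) -> str:
    if "{USERNAME}" not in template and "{USERDN}" not in template:
        raise ValueError("group search filter must contain {USERNAME} or {USERDN}")
    # The DN is also an assertion value inside the filter, so it gets the same
    # escaping: a DN-internal "\," becomes "\5c," in the filter.
    return (template.replace("{USERNAME}", escape_filter_value(username))
                    .replace("{USERDN}", escape_filter_value(user_dn)))


# Constructed filter templates, as they would be typed in the UI fields above.
USER_FILTER = "(&(objectClass=inetOrgPerson)(uid={USERNAME}))"
GROUP_FILTER = "(&(objectClass=groupOfNames)(member={USERDN}))"

if __name__ == "__main__":
    print(fill_user_filter(USER_FILTER, "alice"))
    # A username crafted to widen the search is neutralised by the escaping:
    print(fill_user_filter(USER_FILTER, "*)(uid=*"))
    print(fill_group_filter(GROUP_FILTER, "alice", "uid=alice,ou=people,dc=example,dc=com"))
```

Without the escaping, the username '*)(uid=*' would turn the user search into a filter matching every entry; with it, the value is only ever compared as a literal string.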

Testing

Please wait, testing connection
Connection failed:
Connection OK
{{ldapTestResult.serverInfo}}
Please wait, fetching user
Connection failed:
User does not exist
Username: {{ ldapTestUserDetails.username }}
Display name: {{ ldapTestUserDetails.displayName }}
Email: {{ ldapTestUserDetails.email }}
Groups: {{ ldapTestUserDetails.groups }}
Distinguished name: {{ ldapTestUserDetails.distinguishedName }}

Azure AD

Azure AD integration only handles provisioning and synchronization of users. It does not authenticate users. Azure AD needs to be combined with an authenticator, such as SSO (which can also target your Azure directory).
Import users and groups from Azure AD
Automatically provision users from Azure AD at login time
Automatically resynchronize user properties from Azure AD at login time
Allow resynchronization of user properties from Azure AD independently from login

Connection

The Azure AD tenant ID. You can find it on the application's overview page in the Azure portal (mandatory)
The application (client) ID of the Azure AD application used for the queries. You can find it on the application's overview page in the Azure portal (mandatory)
Path to the PKCS#12 (.pfx) file containing the certificate and private key with which the application authenticates to Azure AD (mandatory)
Password of the .pfx file

Users mapping

The query used to fetch a user in Azure AD. You can use the variables $login or $email to refer to a user attribute resulting from the authentication; the variables must sit inside single quotes, since they are substituted into an OData string literal. The most common query filter is by email: `mail eq '$login'` (mandatory)
Optional list of Azure AD group names that are allowed to login to FM. If empty, all Azure AD users are allowed to login
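The $login and $email variables in the user query are substituted with values taken from the authentication result, and the query is an OData filter in which a string literal is single-quoted and a literal quote is doubled. The following added example (not FM code) performs that substitution safely: it checks that every variable sits inside a quoted literal, escapes quotes in the value, and replaces both variables in a single pass so that a value containing the text '$email' is not expanded a second time. The query templates and sample values are constructed for the example.

```python
# Added example (not FM/DSS code): substitute $login / $email into the Azure AD
# user query (an OData $filter expression) without breaking out of the literal.
import re

PLACEHOLDERS = ("$login", "$email")
_PLACEHOLDER_RE = re.compile(r"\$login|\$email")


def odata_string_literal(value: str) -> str:
    # Inside an OData single-quoted string a literal single quote is written as ''.
    return value.replace("'", "''")


def _inside_quotes(template: str, placeholder: str) -> bool:
    # A placeholder is inside a string literal when an odd number of quote
    # characters precede it; doubled quotes ('') add two and keep the parity.
    return all(template[:m.start()].count("'") % 2 == 1
               for m in re.finditer(re.escape(placeholder), template))


def fill_user_query(template: str, login: str, email: str = "") -> str:
    if not any(p in template for p in PLACEHOLDERS):
        raise ValueError("user query must contain $login or $email")
    for p in PLACEHOLDERS:
        if p in template and not _inside_quotes(template, p):
            raise ValueError(f"{p} must appear inside a single-quoted string literal")
    values = {"$login": odata_string_literal(login), "$email": odata_string_literal(email)}
    # One pass over the template: a substituted value is never re-scanned.
    return _PLACEHOLDER_RE.sub(lambda m: values[m.group(0)], template)


# Constructed query templates, as they would be typed in the field above.
QUERY_BY_MAIL = "mail eq '$login'"
QUERY_BY_UPN_OR_MAIL = "userPrincipalName eq '$login' or mail eq '$email'"

if __name__ == "__main__":
    print(fill_user_query(QUERY_BY_MAIL, "alice@example.com"))
    # A login crafted to extend the filter stays a plain string comparison:
    print(fill_user_query(QUERY_BY_MAIL, "x' or startswith(mail,'"))
```

The same two functions are what the "Replaces $login / $email in the user query filter" test fields below exercise: the value typed there is substituted exactly as a login-time value would be.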

Testing

Replaces $login in the user query filter
Replaces $email in the user query filter
Please wait, fetching user
Connection failed:
Connection OK
{{azureADTestResult.userAttributes}}

Users synchronization

Configure which user settings should be resynchronized when synchronizing from the source (either at login time or on-demand)