Custom Options for SSO
This is a list of custom things that our support team has found that helped some customers with their FD SSO config files to provide custom options to different Providers.
Passing custom query parameters to your OIDC Provider
oidcConfig.customParams = key: value, key2:v2
Allow unsigned tokens from your OIDC Provider
oidcConfig.allowUnsignedIdTokens=true
Custom SAML login URL
To modify the sign on url for SAML, access the provided metadata url. Usually you would just paste this URL into the fdsso.config file. Instead, copy the xml contents and paste it into a file that is located on the FlexDeploy server (not inside the apache-tomcat-flexdeploy folder). Then modify the file as needed. Reference this new file path from the fdsso.config file instead of the URL.
Configuring Single Sign On of type Redirect instead of POST
By default, FlexDeploy uses type POST. If you get an error that the “Identity Provider has no single sign on service available for the selected profile, you need to select an alternate one.
To to this, in your SSO Config file, you should add the line:
saml2Config.authnRequestBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
What SAML information does FlexDeploy use?
We use the attribute “UserName” if it exists as the user.
If it doesn’t, we use the first SAML attribute that ends with “UserName”.
If none do, we use the SAML ID attribute as the username.
If the username that is determined from those locations matches an existing username in FlexDeploy, the user is considered to be the same user.
If it doesn’t exist, then the users email, first name, and last name are looked for in the SAML attributes.
given_name is used for first name
family_name is used for last name
email is used for email
Currently these fields are not configurable in FlexDeploy, but they have worked with all IDPs tested so far.
- style