Custom Options for SSO

This is a list of custom things that our support team has found that helped some customers with their FD SSO config files to provide custom options to different Providers.

 

Passing custom query parameters to your OIDC Provider

oidcConfig.customParams = key: value, key2:v2

 

Allow unsigned tokens from your OIDC Provider

oidcConfig​.allowUnsignedIdTokens​=true

 

Custom SAML login URL

To modify the sign on url for SAML, access the provided metadata url. Usually you would just paste this URL into the fdsso.config file. Instead, copy the xml contents and paste it into a file that is located on the FlexDeploy server (not inside the apache-tomcat-flexdeploy folder). Then modify the file as needed. Reference this new file path from the fdsso.config file instead of the URL.

 

Configuring Single Sign On of type Redirect instead of POST

By default, FlexDeploy uses type POST. If you get an error that the “Identity Provider has no single sign on service available for the selected profile, you need to select an alternate one.

To to this, in your SSO Config file, you should add the line:

saml2Config.authnRequestBindingType = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

What SAML information does FlexDeploy use?

We use the attribute “UserName” if it exists as the user.

If it doesn’t, we use the first SAML attribute that ends with “UserName”.

If none do, we use the SAML ID attribute as the username.

If the username that is determined from those locations matches an existing username in FlexDeploy, the user is considered to be the same user.

If it doesn’t exist, then the users email, first name, and last name are looked for in the SAML attributes.

  • given_name is used for first name

  • family_name is used for last name

  • email is used for email

Currently these fields are not configurable in FlexDeploy, but they have worked with all IDPs tested so far.

 

The following macros are not currently supported in the footer:
  • style