Single Sign-On via SAML

Please note: Single Sign-On via SAML is available for customers on an Enterprise plan in ftrack 3.5.15 and later. If you do not see the option in the System settings, please contact support using the 'Submit a request' button or via support@ftrack.com.

Using Security Assertion Markup Language (SAML), a user can sign in to ftrack via Single Sign-On (SSO) by authenticating via one of the many Identity providers that support authentication using SAML. Using SSO, users don’t need to remember usernames and passwords and can sign in to all supported cloud applications by signing in one time for all services. For Administrators, it’s incredibly useful because all services and accounts can be managed in one central location.

With an Enterprise account, ftrack can be configured from the system settings to authenticate users over SAML. You may allow existing users, whether created manually in ftrack or synced from LDAP, to authenticate with SAML. If enabled, users that do not already exist can also be created automatically when they authenticate.

Follow the instructions below to set up SAML authentication using one of the verified providers or see the generic instructions for other providers. Once you have configured the SAML identity provider in ftrack, you may test the configuration before enabling it.

OneLogin

See instructions for setting up SAML applications using OneLogin.
Add a new “SAML Test Connector (IdP w/attr)” application and give it a name and description.

On the SSO tab, copy the following values to the corresponding ftrack settings:

  • Issuer URL - Entity ID
  • SAML 2.0 Endpoint - Identity Provider single sign on service URL
  • SLO Endpoint - Identity Provider single sign logout service URL

On the Configuration tab, add the following settings:

  • ACS (Consumer) URL Validator - /saml/metadata
  • ACS (Consumer) URL - /saml/acs
  • Single Logout service URL - /saml/sls

Remember to add the application to your users before testing it.

Okta

See instructions for setting up SAML applications using Okta.

Navigate to Applications in the Developer console (Classic UI). Select the Sign on tab and click View setup instructions.

Copy the (1) Sign on URL and (2) Sign out URL to the ftrack settings. The (3) Identity Provider Issuer should be copied to the Entity ID setting. Copy the (4) Certificate and paste the contents of the text file as Identity provider public key. In the Advanced settings field, add the following:

{"security": { "wantAttributeStatement": false }}

In the Okta developer console, edit your application and add the following:

  • Single sign on URL - /saml/acs
  • Audience URI (SP Entity ID) - /saml/metadata

Google G Suite

See Set up your own custom SAML application using SAML-based Federated SSO for detailed instructions.

Navigate to SAML Apps within your Google admin console and select the option to create a new custom app.

Copy the SSO URL and Entity ID values to the ftrack settings. Download the certificate and paste the contents of the text file as “Identity provider public key”. In the Advanced settings field, add the following:

{"security": { "wantAttributeStatement": false }}

In Google admin, on the step “Service Provider Details”, add the following:

  • ACS URL - /saml/acs
  • Entity ID - /saml/metadata

If you select “Signed Response” in Google’s settings, you’ll need to provide valid ftrack private and public keys in ftrack settings.

Other Identity Providers

Configure your identity provider

The first step is to configure your identity provider. A wide variety of Identity Providers should be supported, but currently, we have only had a chance to confirm a few. See below for instructions on how to configure SAML for other providers.

The SAML endpoints supported by your ftrack instance are as follows:

  • Service Provider Entity ID (Metadata)
    http[s]://your-domain.ftrackapp.com/saml/metadata
  • Assertion consumer service (ACS) URL
    http[s]://your-domain.ftrackapp.com/saml/acs
  • Single Logout service (SLS) URL
    http[s]://your-domain.ftrackapp.com/saml/sls

Configure your ftrack instance

The next step is to configure ftrack; the configuration options are reachable from System Settings > SAML Settings.

  • Enable SAML login - Whether or not to enable authentication through SAML. Not required to test the configuration.
  • Create user on login - If enabled, users that can authenticate through the identity provider but do not yet have an ftrack account will be created upon first login. If this option is not enabled, you must make sure that the user already exists in ftrack and is of the type “saml”. Alternatively, you can allow users synchronized through LDAP to authenticate through SAML from the “System Settings” - “LDAP Settings” page by setting the “Allowed authentication method” to SAML.
  • Entity ID (required) - The identifier of the identity provider. It should be a URI and may be referred to as Issuer URL, Entity ID, SAML metadata URL, or similar.
  • Identity Provider single sign on service URL (required) - URL target of the IdP where the Authentication Request Message will be sent. May be referred to as SSO URL, SAML endpoint, or similar.
  • Identity Provider single sign logout service URL (optional) - URL location of the IdP where the SLO (Single Logout) Request will be sent. May be referred to as SLO URL, SLO Endpoint, or similar.
  • ftrack public key (optional) - Public X.509 certificate of the service provider (ftrack).
  • ftrack private key (optional) - If you wish to use an identity provider with signed assertions and encryption, specify the private key here.
  • Identity provider public key (required) - Public X.509 certificate of the Identity Provider. May be referred to as Certificate, X.509 Certificate, etc. If provided as a file, copy the contents and paste them in the field.
  • Advanced settings (optional) - A JSON formatted dictionary that will be merged with the primary settings. It can be used if the identity provider requires options that are not available as regular settings. For additional information see the python-saml documentation.
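The settings above map closely onto the settings dictionary that python-saml expects, with the Advanced settings JSON deep-merged on top. The following is an added example, not ftrack's own code, that assembles such a dictionary from the form fields, enforces the required/optional rules listed above, and applies the merge. The form field names (entity_id, idp_sso_url, idp_slo_url, idp_cert, sp_cert, sp_key, advanced) and the sample values are assumptions constructed for the example; in a real python-saml deployment the resulting dictionary is what you would hand to OneLogin_Saml2_Settings.

```python
import json
from typing import Any, Dict

# Binding URNs used in python-saml settings for the HTTP-POST and HTTP-Redirect bindings.
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def deep_merge(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `base` with `override` merged in: nested dicts merge, scalars replace."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def build_saml_settings(form: Dict[str, str], server_url: str) -> Dict[str, Any]:
    """Translate the SAML Settings form fields (assumed names) into a python-saml style dict."""
    required = ("entity_id", "idp_sso_url", "idp_cert")
    missing = [k for k in required if not form.get(k, "").strip()]
    if missing:
        raise ValueError("required SAML settings missing: " + ", ".join(missing))
    # A private key only makes sense together with the matching ftrack public certificate.
    if form.get("sp_key", "").strip() and not form.get("sp_cert", "").strip():
        raise ValueError("ftrack private key set without a matching ftrack public key")

    settings: Dict[str, Any] = {
        "strict": True,  # reject responses whose destination/audience do not match
        "sp": {
            "entityId": server_url + "/saml/metadata",
            "assertionConsumerService": {"url": server_url + "/saml/acs", "binding": BINDING_POST},
            "singleLogoutService": {"url": server_url + "/saml/sls", "binding": BINDING_REDIRECT},
            "x509cert": form.get("sp_cert", ""),
            "privateKey": form.get("sp_key", ""),
        },
        "idp": {
            "entityId": form["entity_id"],
            "singleSignOnService": {"url": form["idp_sso_url"], "binding": BINDING_REDIRECT},
            "x509cert": form["idp_cert"],
        },
        # python-saml defaults to requiring an AttributeStatement; the advanced JSON can relax it.
        "security": {"wantAttributeStatement": True},
    }
    if form.get("idp_slo_url", "").strip():
        settings["idp"]["singleLogoutService"] = {
            "url": form["idp_slo_url"],
            "binding": BINDING_REDIRECT,
        }

    advanced = form.get("advanced", "").strip()
    if advanced:
        extra = json.loads(advanced)
        if not isinstance(extra, dict):
            raise ValueError("advanced settings must be a JSON object")
        settings = deep_merge(settings, extra)
    return settings


# Constructed sample form input; the certificate body is a placeholder, not a real key.
EXAMPLE_FORM = {
    "entity_id": "https://idp.example.com/metadata",
    "idp_sso_url": "https://idp.example.com/sso",
    "idp_slo_url": "",
    "idp_cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "advanced": '{"security": { "wantAttributeStatement": false }}',
}

if __name__ == "__main__":
    print(json.dumps(build_saml_settings(EXAMPLE_FORM, "https://your-domain.ftrackapp.com"), indent=2))
```

Because the merge is recursive, the advanced JSON only overrides the keys it names: the "security" override in the sample turns off wantAttributeStatement while leaving "strict" and every other key untouched, which is the behaviour you want when pasting the snippets from the Okta and Google sections above.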

Troubleshooting

You may get different error messages depending on which provider you are using, but here are a few of the common ones.

Use the "Test saved SAML configuration" button in the ftrack SAML settings to get the error messages.

  • Return URL in SAML request does not match with DS return URL - Verify that the consumer/return URL you add to the identity provider matches your ftrack endpoint /saml/acs
  • Invalid issuer in the Assertion/Response - The Entity ID in the ftrack SAML settings does not match the provider identifier. This value is often referred to as issuer.
  • Signature validation failed. SAML Response rejected - The identity provider public key in the ftrack SAML settings is incorrect and does not match the identity provider.
  • There is no AttributeStatement on the Response - Configure the Advanced settings field in the ftrack SAML settings with:
{"security": { "wantAttributeStatement": false }}
  • /saml/metadata is not a valid audience for this Response - You may need to set or update the audience field on the identity provider to be /saml/metadata

Analyzing the SAML request and response

To investigate what information is sent back and forth between the ftrack server and the identity provider, the SAML request and response can be analyzed directly. Here are the steps to do that:

  1. Open a new empty tab in Google Chrome.

  2. Open the developer console from the View > Developer > Developer Tools menu.

  3. Go to the Network tab in the developer tools.

  4. Check the "Preserve log" setting at the top.

  5. Enter the URL of your ftrack server followed by the test endpoint, /saml/test, in the browser address field and hit Enter.

  6. In the Network tab you should now see a call to the identity provider carrying the SAMLRequest variable and, at the end, a call to acs, which is the ftrack endpoint that receives the SAMLResponse.

Once you have the SAML request or response, you can use https://www.samltool.com to decode it.
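The SAMLRequest captured in the Network tab is DEFLATE-compressed and base64-encoded (HTTP-Redirect binding), while the SAMLResponse posted to /saml/acs is plain base64. The following added example, which is not part of the original article or of ftrack, decodes both locally and then runs the same checks that produce the troubleshooting errors listed above: issuer versus the configured Entity ID, the /saml/metadata audience, the presence of an AttributeStatement, and whether the message carries a signature at all. The request and response values it decodes are constructed inline for the example (with example.com and your-domain.ftrackapp.com URLs), not captured from a real identity provider; decoding locally also keeps a live assertion off third-party tooling.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_request(value: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")  # tolerate an uncompressed request


def decode_saml_response(value: str) -> str:
    """HTTP-POST binding: the SAMLResponse form value is plain base64."""
    return base64.b64decode(value).decode("utf-8")


def request_acs_url(xml_text: str) -> str:
    """The return URL the SP asked for; compare it against your /saml/acs endpoint."""
    return ET.fromstring(xml_text).get("AssertionConsumerServiceURL", "")


def inspect_response(xml_text: str, expected_issuer: str, expected_audience: str) -> Dict[str, object]:
    """Report the fields behind the common troubleshooting errors, without verifying signatures."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    problems: List[str] = []
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match Entity ID {expected_issuer!r}")
    if expected_audience not in audiences:
        problems.append(f"{expected_audience} is not a valid audience (got {audiences})")
    if root.find(".//saml:AttributeStatement", NS) is None:
        problems.append("no AttributeStatement on the Response")
    if root.find(".//ds:Signature", NS) is None:
        problems.append("Response and Assertion are unsigned")
    return {"issuer": issuer, "audiences": audiences, "problems": problems}


def constructed_samples() -> Dict[str, str]:
    """Constructed SAMLRequest/SAMLResponse values for the example (not real captures)."""
    request_xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
        'IssueInstant="2020-01-01T00:00:00Z" '
        'AssertionConsumerServiceURL="https://your-domain.ftrackapp.com/saml/acs">'
        "<saml:Issuer>https://your-domain.ftrackapp.com/saml/metadata</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    # Deliberately missing AttributeStatement and Signature so the checks have something to report.
    response_xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
        'IssueInstant="2020-01-01T00:00:01Z" Destination="https://your-domain.ftrackapp.com/saml/acs">'
        "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:01Z">'
        "<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>"
        "<saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>"
        "<saml:Conditions><saml:AudienceRestriction>"
        "<saml:Audience>https://your-domain.ftrackapp.com/saml/metadata</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "</saml:Assertion></samlp:Response>"
    )
    return {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "SAMLResponse": base64.b64encode(response_xml.encode("utf-8")).decode("ascii"),
    }


if __name__ == "__main__":
    samples = constructed_samples()
    print("request ACS URL:", request_acs_url(decode_saml_request(samples["SAMLRequest"])))
    report = inspect_response(
        decode_saml_response(samples["SAMLResponse"]),
        "https://idp.example.com/metadata",
        "https://your-domain.ftrackapp.com/saml/metadata",
    )
    for problem in report["problems"]:
        print("problem:", problem)
```

To use it on a real capture, paste the SAMLRequest query value or the SAMLResponse form value from the Network tab into the corresponding decode function and pass the Entity ID and audience from your ftrack SAML settings to inspect_response. It only reports structure; signature verification against the identity provider public key is still done by the ftrack test button.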
