Please note: Single Sign-On via SAML is available for customers on an Enterprise plan in ftrack 3.5.15 and later. If you do not see the option in the System settings, please contact support using the 'Submit a request' button or via support@ftrack.com.
Using Security Assertion Markup Language (SAML), a user can sign in to ftrack via Single Sign-On (SSO) by authenticating via one of the many Identity providers that support authentication using SAML. Using SSO, users don’t need to remember usernames and passwords and can sign in to all supported cloud applications by signing in one time for all services. For Administrators, it’s incredibly useful because all services and accounts can be managed in one central location.
With an Enterprise account, ftrack can be configured from System settings to authenticate users over SAML. You may allow existing users, whether created manually in ftrack or synced from LDAP, to authenticate with SAML. If enabled, users who do not already exist can also be created automatically when they authenticate.
Follow the instructions below to set up SAML authentication using one of the verified providers or see the generic instructions for other providers. Once you have configured the SAML identity provider in ftrack, you may test the configuration before enabling it.
OneLogin
See instructions for setting up SAML applications using OneLogin.
Add a new “SAML Test Connector (IdP w/attr)” application and give it a name and description.
On the SSO tab, copy the following values to ftrack.
In the configuration tab, add the following settings:
- /saml/metadata
- /saml/acs
- /saml/sls
Remember to add the application to your users before testing it.
Okta
See instructions for setting up SAML applications using Okta.
Navigate to Applications in the Developer console Classic UI. Select the Sign on tab and click View setup instructions.
Copy the (1) Sign on and (2) Sign out to ftrack Settings. The (3) Identity Provider Issuer should be copied to the Entity ID setting. Copy the (4) Certificate and paste the contents of the text file as Identity provider public key. Under the advanced settings field, add the following:
{"security": { "wantAttributeStatement": false }}
In the Okta developer console, edit your application and add the following:
- /saml/acs
- /saml/metadata
Google G Suite
See Set up your own custom SAML application using SAML-based Federated SSO for detailed instructions.
Navigate to SAML Apps in your Google Admin console and select the option to create a new custom app.
Copy the options for SSO URL, Entity ID to ftrack settings. Download the certificate and paste the contents of the text file as “Identity provider public key”. Under the advanced settings field, add the following:
{"security": { "wantAttributeStatement": false }}
In Google Admin, on the “Service Provider Details” step, add the following:
- /saml/acs
- /saml/metadata
If you select “Signed Response” in Google’s settings, you’ll need to provide valid ftrack private and public keys in ftrack settings.
Other Identity Providers
Configure your identity provider
The first step is to configure your identity provider. A wide variety of identity providers should be supported, but so far we have only had a chance to confirm a few. See below for instructions on how to configure SAML for other providers.
The SAML endpoints supported by your ftrack instance are as follows:
Configure your ftrack instance
The next step is to configure ftrack. The configuration options are reachable from System Settings > SAML Settings.
Troubleshooting
You may get different error messages depending on which provider you are using, but here are a few of the common ones.
Use the "Test saved SAML configuration" button in the ftrack SAML settings to see the error messages.
Analyzing the SAML request and response
To investigate what information is sent back and forth between the ftrack server and the identity provider, the SAML request and response can be analyzed directly. Here are the steps:
- Open a new empty tab in Google Chrome.
- Open the developer console from the View > Developer > Developer Tools menu.
- Go to the Network tab in the developer tools.
- Check the "Preserve log" setting at the top.
- Enter the URL of your ftrack server followed by the test endpoint, /saml/test, in the browser address field and press Enter.
- In the Network tab you should now see a call to the identity provider carrying the SAMLRequest variable and, at the end, a call to acs, which is the ftrack endpoint that receives the SAMLResponse.
Once you have the SAML request or response, you can use https://www.samltool.com to decode it.
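If you would rather not paste a captured message into a third-party site, the decoding samltool.com performs is easy to do locally. The following is an added example, not part of the ftrack documentation: it encodes a constructed AuthnRequest the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoding), decodes it back, decodes a base64-only SAMLResponse as delivered to /saml/acs, and pulls out the fields most often behind a failed handshake (Issuer versus the configured Entity ID, Destination versus the configured URLs, and whether the message is signed). All hostnames and message contents are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample messages; the hostnames are placeholders, not real endpoints.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'Destination="https://idp.example.com/sso" '
    'AssertionConsumerServiceURL="https://ftrack.example.com/saml/acs">'
    '<saml:Issuer>https://ftrack.example.com/saml/metadata</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_p1" Version="2.0" '
    'Destination="https://ftrack.example.com/saml/acs">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer><saml:Assertion><saml:Subject>'
    '<saml:NameID>jane@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')

def encode_saml_request(xml_text, idp_sso_url):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded into the query string."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    data = deflater.compress(xml_text.encode()) + deflater.flush()
    return f"{idp_sso_url}?SAMLRequest={quote(base64.b64encode(data).decode(), safe='')}"

def decode_saml_request(redirect_url):
    """Reverse of the above; this is the call to the identity provider seen in the Network tab."""
    value = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]  # parse_qs URL-decodes
    return zlib.decompress(base64.b64decode(value), -15).decode()

def decode_saml_response(form_value):
    """HTTP-POST binding to /saml/acs: SAMLResponse is base64 only, not deflated."""
    return base64.b64decode(form_value).decode()

def summarize(xml_text):
    """Fields worth checking first when the handshake fails: Issuer (Entity ID),
    Destination and ACS URL versus what is configured, and signature presence."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "message": root.tag.split("}")[1],
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "signed": root.find(".//ds:Signature", NS) is not None,
        "has_attribute_statement": root.find(".//saml:AttributeStatement", NS) is not None,
    }
```

A response whose `has_attribute_statement` is false is what the `wantAttributeStatement: false` advanced setting shown for Okta and G Suite above is there to accept.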