FSProtect Configuration

FSProtect can be integrated with any SAML-based SSO system. The configuration has two parts: SAML Connection Configuration and Role Mapping Settings.

SAML Connection Configuration:

SSO List Page

Existing SSO integrations are listed with options to edit or delete. A New Provider button is available for adding a new integration.

New SAML Provider Page

Clicking New Provider on the previous screen opens the initial provider configuration.

Configure the SAML IdP connection with the parameters below.

  • Status: Status of the SAML Connection (Enabled or Disabled)

  • Provider Name: The provider name displayed in the system. The ACS URL is derived from this name.

  • Default Role: If a logged-in user has none of the mapped roles in their assertion, the selected default role is assigned to that user.

  • Username Attribute Key: The name of the SAML attribute that maps to the username in your system; it is used to look up or create a user with that username. The value is read from the SAML assertion, which usually looks something like this:

<saml2:Attribute Name="username">
    <saml2:AttributeValue xsi:type="xs:string">forestall</saml2:AttributeValue>
</saml2:Attribute>
  • The IdP must be configured to send this attribute. NameID formats are not compatible and cannot be used as the username source.

  • Role Attribute Key: The name of the SAML attribute that maps to the user's role(s) in your system. It is used to assign the correct role to the user based on the value received in the SAML assertion. Typically this attribute contains values like "admin", "user", or custom roles defined in your organisation. The Identity Provider must be configured to include this role information as an attribute in the SAML response. It usually looks something like this:

<saml2:Attribute Name="role">
    <saml2:AttributeValue xsi:type="xs:string">admin</saml2:AttributeValue>
</saml2:Attribute>
  • If a user has multiple roles that map to different FSProtect roles, the user is assigned the first matching role that the SAML assertion includes. To avoid unforeseen authorization behaviour, user roles and mappings must be reviewed in the FSProtect SAML configuration.

  • XML Upload Field: This field is used for uploading the Identity Provider metadata in XML format that contains crucial configuration details such as entity ID, SSO URLs, and certificate information. Uploading this file allows the system to automatically parse and extract the necessary SAML settings to establish a trust relationship with the IdP. Clients can usually download this metadata file directly from their IdP’s admin portal. It's required for initiating and validating SAML authentication requests. Without a valid metadata XML, the SAML integration cannot function.
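The username lookup, role mapping and default-role fallback described above, as an added example that is not FSProtect's own code: it parses a constructed assertion (attribute names match the snippets above) and resolves the FSProtect role. The mapping table, role names and the "first mapped role in assertion order wins" interpretation are assumptions for illustration.

```python
# Added example, not FSProtect code. Applies the documented rules:
# username from the Username Attribute Key, role from the first mapped
# value of the Role Attribute Key, otherwise the Default Role.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for demonstration only.
SAMPLE_ASSERTION = """<saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="username">
      <saml2:AttributeValue xsi:type="xs:string">forestall</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="role">
      <saml2:AttributeValue xsi:type="xs:string">auditor</saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def attribute_values(assertion_xml, attribute_name):
    """Return every AttributeValue text for the attribute with this Name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for v in attr.iterfind("saml2:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def resolve_role(idp_roles, role_mapping, default_role):
    """First IdP role (assertion order) with a mapping wins, else default."""
    for r in idp_roles:
        if r in role_mapping:
            return role_mapping[r]
    return default_role


def resolve_user(assertion_xml, username_key, role_key, role_mapping, default_role):
    """Return (username, fsprotect_role); reject ambiguous or missing usernames."""
    usernames = attribute_values(assertion_xml, username_key)
    if len(usernames) != 1 or not usernames[0]:
        raise ValueError(f"expected exactly one non-empty {username_key!r} value")
    roles = attribute_values(assertion_xml, role_key)
    return usernames[0], resolve_role(roles, role_mapping, default_role)
```

Because "auditor" precedes "admin" in the assertion, the user above lands in the role mapped from "auditor" even though "admin" is also present, which is exactly the review point the documentation raises.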
