Single Sign-On via SAML is available for customers on an Enterprise plan in ftrack 3.5.15 and later. Contact support if you do not see the option in System settings.

Using Security Assertion Markup Language (SAML), a user can sign in to ftrack via Single Sign-On (SSO) by authenticating with one of the many identity providers that support SAML authentication. With SSO, users do not need to remember separate usernames and passwords and can sign in to all supported cloud applications by signing in once for all services. For administrators it is particularly useful because all services and accounts can be managed in one central location.

With an Enterprise account, ftrack can be configured from System settings to authenticate users over SAML. You may allow existing users, whether created manually in ftrack or synced from LDAP, to authenticate with SAML. If enabled, users that do not already exist can also be created automatically when they authenticate.

Follow the instructions below to set up SAML authentication using one of the verified providers or see the generic instructions for other providers. Once you have configured the SAML identity provider in ftrack, you may test the configuration before enabling it.

OneLogin

See instructions for setting up SAML applications using OneLogin.

Add a new “SAML Test Connector (IdP w/attr)” application and give it a name and description. On the SSO tab, copy the following values to ftrack:

Issuer URL
    Entity ID

SAML 2.0 Endpoint
    Identity Provider single sign on service URL

SLO Endpoint
    Identity Provider single sign logout service URL

In the configuration tab, add the following settings:

ACS (Consumer) URL Validator
    <server url>/saml/metadata

ACS (Consumer) URL
    <server url>/saml/acs

Single Logout URL
    <server url>/saml/slo

Remember to add the application to your users before testing it.

Okta

See instructions for setting up SAML applications using Okta.

Navigate to Applications > <Your application> in the Developer console Classic UI. Select the Sign on tab and click View setup instructions.

Copy the (1) Sign on URL and (2) Sign out URL to the corresponding ftrack settings. The (3) Identity Provider Issuer should be copied to the Entity ID setting. Download the (4) Certificate and paste the contents of the text file as Identity provider public key. Under the advanced settings field, add the following:

{"security": { "wantAttributeStatement": false }}

In the Okta developer console, edit your application and add the following:

Single sign on URL
    <server url>/saml/acs

Audience URI (SP Entity ID)
    <server url>/saml/metadata

Google G Suite

See Set up your own custom SAML application using SAML-based Federated SSO for detailed instructions.

Navigate to SAML Apps in your Google Admin console and choose to create a new custom app.

Copy the SSO URL and Entity ID values to the ftrack settings. Download the certificate and paste the contents of the text file as “Identity provider public key”. Under the advanced settings field, add the following:

{"security": { "wantAttributeStatement": false }}

In Google admin, on the step “Service Provider Details”, add the following:

ACS URL
    <server url>/saml/acs

Entity ID
    <server url>/saml/metadata

If you select “Signed Response” in Google’s settings, you’ll need to provide valid ftrack private and public keys in ftrack settings.

Other identity providers

Configure your identity Provider

The first step is to configure your identity provider. A wide variety of identity providers should be supported, but so far we have only had a chance to confirm a few. See below for instructions on how to configure SAML for other providers.

The SAML endpoints supported by your ftrack instance are as follows:

Service Provider Entity ID (Metadata)
    http[s]://your-domain.ftrackapp.com/saml/metadata

Assertion consumer service (ACS) URL
    http[s]://your-domain.ftrackapp.com/saml/acs

Single Logout service (SLO) URL
    http[s]://your-domain.ftrackapp.com/saml/slo

Configure your ftrack instance

The next step is to configure ftrack. The configuration options are reachable from System Settings -> SAML Settings.

Enable SAML login
Whether or not to enable authentication through SAML. Not required to test the configuration.

Create user on login
If enabled, users that can authenticate through the identity provider but do not yet have an ftrack account will be created upon first login. If this option is not enabled, you must make sure that the user already exists in ftrack and is of the type “saml”. Alternatively, you can allow users synchronized through LDAP to authenticate through SAML from the “System Settings” -> “LDAP Settings” page by setting “Allowed authentication method” to SAML.

Entity ID (required)
The identifier of the identity provider. It should be a URI and may be referred to as Issuer URL, Entity ID, SAML metadata URL, or similar.

Identity Provider single sign on service URL (required)
URL Target of the IdP where the Authentication Request Message will be sent. May be referred to as SSO URL, SAML endpoint, or similar.

Identity Provider single sign logout service URL (optional)
URL Location of the IdP where SLO (Single Logout) Request will be sent. May be referred to as SLO URL, SLO Endpoint, or similar.

ftrack public key (optional)
Public x509 certificate of the service provider (ftrack).

ftrack private key (optional)
If you wish to use an identity provider with signed assertions and encryption, specify ftrack's private key here.

Identity provider public key (required)
Public x509 certificate of the identity provider. May be referred to as Certificate, X.509 Certificate, etc. If provided as a file, copy the contents and paste them in the field.

Advanced settings (optional)
A JSON formatted dictionary that will be merged with the primary settings. Use it when the identity provider requires options that are not exposed as regular settings. For additional information see the python-saml documentation.

Troubleshooting

You may get different error messages depending on what provider you are using, but here are a few of the common ones. Use the "Test saved SAML configuration" button in ftrack SAML settings to get the error messages.

Return URL in SAML request does not match with DS return URL
Verify that the consumer/return URL you added to the identity provider matches your ftrack endpoint <server url>/saml/acs.

Invalid issuer in the Assertion/Response
The Entity ID in ftrack SAML settings does not match the provider identifier.

Signature validation failed. SAML Response rejected
The identity provider public key in ftrack SAML settings is incorrect and does not match the identity provider.

There is no AttributeStatement on the Response
Configure the ftrack SAML settings advanced settings field with:

{"security": { "wantAttributeStatement": false }}

<server url>/saml/metadata is not a valid audience for this Response
You may need to set or update the audience field on the identity provider to <server url>/saml/metadata.
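The checks behind these error messages can be rehearsed offline before pressing "Test saved SAML configuration". The example below is added here and is not ftrack's own code: it merges an Advanced settings JSON fragment over a base settings dict and inspects an unsigned SAML Response for the issuer, audience, return URL and AttributeStatement mismatches listed above. The server URL, Entity ID and the response itself are constructed values.

```python
# Added example, not ftrack's own code. Applies the "Advanced settings" JSON to a
# base settings dict and pre-checks an unsigned SAML Response against the values
# configured in ftrack. Server URL, Entity ID and the response are constructed.
import json
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def merge_advanced(base, advanced_json):
    """Merge the Advanced settings JSON over the primary settings (one level deep)."""
    merged = {k: dict(v) if isinstance(v, dict) else v for k, v in base.items()}
    for key, value in json.loads(advanced_json).items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key].update(value)
        else:
            merged[key] = value
    return merged

def check_response(xml_text, server_url, entity_id, settings):
    """Return the problems found, phrased like the ftrack errors listed above."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be the ACS endpoint registered at the identity provider.
    if root.get("Destination") != f"{server_url}/saml/acs":
        problems.append("Return URL in SAML request does not match")
    # Every Issuer (response and assertion) must equal the configured Entity ID.
    if any((i.text or "").strip() != entity_id for i in root.iterfind(".//saml:Issuer", NS)):
        problems.append("Invalid issuer in the Assertion/Response")
    # The service provider metadata URL must appear as an Audience.
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if f"{server_url}/saml/metadata" not in audiences:
        problems.append(f"{server_url}/saml/metadata is not a valid audience for this Response")
    # An AttributeStatement is required unless security.wantAttributeStatement is false.
    if settings.get("security", {}).get("wantAttributeStatement", True) and \
            root.find(".//saml:AttributeStatement", NS) is None:
        problems.append("There is no AttributeStatement on the Response")
    return problems

# Constructed sample: an unsigned response with no AttributeStatement.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://studio.ftrackapp.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion><saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://studio.ftrackapp.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE, "https://studio.ftrackapp.com", "https://idp.example.com/metadata", {})` reports only the missing AttributeStatement; after merging `{"security": {"wantAttributeStatement": false}}` the same response passes cleanly.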