Single Sign-On via SAML is available for customers on an Enterprise plan in ftrack 3.5.15 and later. Contact support@ftrack.com if you do not see the option in System settings.
Using Security Assertion Markup Language (SAML), a user can sign in to ftrack via Single Sign-On (SSO) by authenticating with one of the many identity providers (IdPs) that support SAML. With SSO, users do not need to remember a separate username and password for ftrack and can reach all supported cloud applications by signing in once. For administrators it is useful because all services and accounts are managed in one central location: access is granted, and revoked, at the identity provider.
With an Enterprise account, ftrack can be configured from System settings to authenticate users over SAML. You may allow existing users, whether created manually in ftrack or synced from LDAP, to authenticate with SAML. If enabled, users that do not already exist can also be created automatically when they first authenticate.
Follow the instructions below to set up SAML authentication using one of the verified providers or see the generic instructions for other providers. Once you have configured the SAML identity provider in ftrack, you may test the configuration before enabling it.
OneLogin
See instructions for setting up SAML applications using OneLogin.
Add a new “SAML Test Connector (IdP w/attr)” application and give it a name and description. On the SSO tab, copy the following values to ftrack:
Issuer URL -> Entity ID
SAML 2.0 Endpoint -> Identity Provider single sign on service URL
SLO Endpoint -> Identity Provider single sign logout service URL
X.509 Certificate -> Identity provider public key
On the Configuration tab, add the following settings:
ACS (Consumer) URL Validator: <server url>/saml/metadata
ACS (Consumer) URL: <server url>/saml/acs
Single Logout service URL: <server url>/saml/sls
Remember to add the application to your users before testing it.
Okta
See instructions for setting up SAML applications using Okta.
Navigate to Applications > <Your application> in the Developer Console (Classic UI). Select the Sign On tab and click View setup instructions.
Copy the (1) Identity Provider Single Sign-On URL and (2) Identity Provider Single Logout URL to the corresponding ftrack settings. The (3) Identity Provider Issuer should be copied to the Entity ID setting. Download the (4) X.509 Certificate and paste the contents of the file as Identity provider public key. In the Advanced settings field, add the following:
{"security": { "wantAttributeStatement": false }}
In the Okta developer console, edit the SAML settings of your application and add the following:
Single sign on URL: <server url>/saml/acs
Audience URI (SP Entity ID): <server url>/saml/metadata
Google G Suite
See Set up your own custom SAML application using SAML-based Federated SSO for detailed instructions.
Navigate to SAML Apps in your Google admin console and choose to create a new custom app.
Copy the SSO URL and Entity ID to the ftrack settings. Download the certificate and paste the contents of the file as “Identity provider public key”. In the Advanced settings field, add the following:
{"security": { "wantAttributeStatement": false }}
In Google admin, on the “Service Provider Details” step, add the following:
ACS URL: <server url>/saml/acs
Entity ID: <server url>/saml/metadata
If you select “Signed Response” in Google’s settings, you will also need to provide a valid ftrack private key and public key (the service provider key pair) in ftrack settings.
Other identity providers
Configure your identity provider
The first step is to configure your identity provider. A wide variety of identity providers should work, but so far we have only been able to confirm a few. The endpoints below are what any SAML 2.0 identity provider needs to know about your ftrack instance.
The SAML endpoints supported by your ftrack instance are as follows:
Service Provider Entity ID (Metadata): http[s]://your-domain.ftrackapp.com/saml/metadata
Assertion consumer service (ACS) URL: http[s]://your-domain.ftrackapp.com/saml/acs
Single Logout service (SLS) URL: http[s]://your-domain.ftrackapp.com/saml/sls
Configure your ftrack instance
The next step is to configure ftrack. The configuration options are reachable from System Settings -> SAML Settings.
Enable SAML login
Whether or not to enable authentication through SAML. The configuration can be tested with this option off, so leave it disabled until the test succeeds.
Create user on login
If enabled, users who can authenticate through the identity provider but do not yet have an ftrack account will be created on first login. Since every account the identity provider asserts then becomes an ftrack user, restrict the application to the intended users or groups on the identity provider side before enabling this. If the option is off, the user must already exist in ftrack and be of type “saml”; alternatively, users synchronized through LDAP can be allowed to authenticate through SAML from “System Settings” -> “LDAP Settings” by setting “Allowed authentication method” to SAML.
Entity ID (required)
The identifier of the identity provider. It should be a URI and may be referred to as Issuer URL, Entity ID, SAML metadata URL, or similar.
Identity Provider single sign on service URL (required)
URL Target of the IdP where the Authentication Request Message will be sent. May be referred to as SSO URL, SAML endpoint, or similar.
Identity Provider single sign logout service URL (optional)
URL Location of the IdP where SLO (Single Logout) Request will be sent. May be referred to as SLO URL, SLO Endpoint, or similar.
ftrack public key (optional)
Public X.509 certificate of the service provider (ftrack). The identity provider uses it to verify requests signed by ftrack and to encrypt assertions for it.
ftrack private key (optional)
If you wish to use an identity provider that requires signed authentication requests or sends encrypted assertions, specify the private key matching the ftrack public key here.
Identity provider public key (required)
Public X.509 certificate of the identity provider. May be referred to as Certificate, X.509 Certificate, etc. If provided as a file, copy the contents and paste them into the field. Remember to update it when the identity provider rotates its certificate.
Advanced settings (optional)
A JSON formatted dictionary that is merged with the primary settings. Use it when the identity provider requires options that are not available as regular settings, for example the “security” options. For the available keys, see the python-saml documentation.
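How the form fields and the Advanced settings JSON fit together, as an added example that is not ftrack's own code: it assembles a python-saml style settings dictionary from the fields described above, merges an advanced JSON fragment into it, and lints the result before SAML login is enabled. The key names follow python3-saml's settings.json; that ftrack merges the advanced JSON recursively (advanced keys winning) is an assumption, as are the example URLs and the certificate placeholder.

```python
"""Added example (not ftrack's own code): assemble a python-saml style settings
dict from the ftrack SAML form fields, merge the Advanced settings JSON into it,
and lint the result before enabling SAML login. Key names follow python3-saml's
settings.json; the recursive merge (advanced keys win) is an assumption about
how ftrack combines the two, as are the example URLs and certificate text."""
import json
from urllib.parse import urlparse

REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def deep_merge(base, override):
    """Recursively merge override into a copy of base: nested dicts are merged,
    scalar values from override replace those in base."""
    out = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = value
    return out


def build_settings(server_url, entity_id, sso_url, slo_url=None,
                   idp_cert="", sp_cert="", sp_key="", advanced="{}"):
    """Primary settings derived from the form fields, with the advanced JSON merged on top."""
    settings = {
        "strict": True,  # reject responses that are not schema-valid or not signed as required
        "sp": {
            "entityId": server_url + "/saml/metadata",
            "assertionConsumerService": {"url": server_url + "/saml/acs", "binding": POST},
            "singleLogoutService": {"url": server_url + "/saml/sls", "binding": REDIRECT},
            "x509cert": sp_cert,
            "privateKey": sp_key,
        },
        "idp": {
            "entityId": entity_id,
            "singleSignOnService": {"url": sso_url, "binding": REDIRECT},
            "x509cert": idp_cert,
        },
        "security": {"wantAssertionsSigned": True, "wantAttributeStatement": True},
    }
    if slo_url:
        settings["idp"]["singleLogoutService"] = {"url": slo_url, "binding": REDIRECT}
    return deep_merge(settings, json.loads(advanced or "{}"))


def lint_settings(s):
    """Checks worth running before 'Enable SAML login' is switched on."""
    problems = []
    for name, url in (("SSO", s["idp"]["singleSignOnService"]["url"]),
                      ("ACS", s["sp"]["assertionConsumerService"]["url"])):
        if urlparse(url).scheme != "https":
            problems.append("%s URL is not https: %s" % (name, url))
    if not s["idp"]["x509cert"].strip():
        problems.append("Identity provider public key is empty")
    sec = s["security"]
    if not (sec.get("wantAssertionsSigned") or sec.get("wantMessagesSigned")):
        problems.append("neither assertions nor messages are required to be signed")
    if not s.get("strict"):
        problems.append("strict mode disabled: non-conforming responses would be accepted")
    if (sec.get("authnRequestsSigned") or sec.get("wantAssertionsEncrypted")) and not s["sp"]["privateKey"]:
        problems.append("request signing / assertion decryption needs the ftrack private key")
    return problems


# Constructed inputs: placeholder certificate text and hypothetical IdP URLs.
IDP_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----"
ADVANCED = '{"security": { "wantAttributeStatement": false }}'
EXAMPLE = build_settings("https://your-domain.ftrackapp.com",
                         "https://idp.example.com/saml/metadata",
                         "https://idp.example.com/saml/sso",
                         idp_cert=IDP_CERT, advanced=ADVANCED)

if __name__ == "__main__":
    print(json.dumps(EXAMPLE["security"]))
    print(lint_settings(EXAMPLE) or "no problems")
```

The point of the merge is that a fragment such as {"security": {"wantAttributeStatement": false}} only changes that one key; wantAssertionsSigned stays in force, which is the behaviour you want when an identity provider sends no attributes but must still sign what it sends.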
Troubleshooting
You may get different error messages depending on what provider you are using, but here are a few of the common ones. Use the "Test saved SAML configuration" button in ftrack SAML settings to get the error messages.
Return URL in SAML request does not match with DS return URL
Verify that the consumer/return URL you added to the identity provider matches your ftrack endpoint <server url>/saml/acs exactly, including scheme and host.
Invalid issuer in the Assertion/Response
The Entity ID in ftrack SAML settings does not match the provider identifier. This value is often referred to as issuer.
Signature validation failed. SAML Response rejected
The identity provider public key in ftrack SAML settings is incorrect or out of date and does not match the certificate the identity provider signs with. Paste the current certificate again; this also happens after the identity provider rotates its certificate.
There is no AttributeStatement on the Response
Configure the ftrack SAML settings advanced settings field with:
{"security": { "wantAttributeStatement": false }}
<server url>/saml/metadata is not a valid audience for this Response
You may need to set or update the audience field on the identity provider to <server url>/saml/metadata
Analysing the SAML request and response
To investigate what information is sent back and forth between the ftrack server and the identity provider, the SAML request and response can be analysed directly. Here is how to capture them:
Open a new empty tab in Google Chrome.
Open the developer console from the View->Developer->Developer Tools menu.
Go to the network tab in the developer tools.
Check the "Preserve log" setting at the top.
Enter the URL to your ftrack server followed by the test endpoint in the browser address field <server url>/saml/test and hit enter.
In the network tab you should now see a request to the identity provider carrying the SAMLRequest parameter and, at the end, a POST to acs, the ftrack endpoint that receives the SAMLResponse form parameter.
Once you have the SAML request or response you can use https://www.samltool.com to decode it. Note that the response contains the user’s identity and attributes, so prefer decoding it locally when the data is sensitive.
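Decoding the captured messages locally and relating them to the troubleshooting messages above, as an added example that is not ftrack's own tooling: it inflates a SAMLRequest from the Redirect binding, base64-decodes a SAMLResponse, and reports the issuer, destination, audience, AttributeStatement and signature elements that the checks in the previous section depend on. The instance and identity provider URLs are assumed and both messages are constructed samples (the signature value is a placeholder); signature verification itself is left to the real library.

```python
"""Added example (not ftrack's own tooling): decode a SAMLRequest / SAMLResponse
captured from the browser's network tab and pull out the fields behind the
troubleshooting messages (issuer, destination, audience, AttributeStatement,
signatures). Stdlib only; the endpoints and both messages are constructed samples."""
import base64
import zlib
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in a real tool

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_ENTITY_ID = "https://your-domain.ftrackapp.com/saml/metadata"  # assumed instance
SP_ACS_URL = "https://your-domain.ftrackapp.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"  # hypothetical IdP


def decode_saml_request(value):
    """HTTP-Redirect binding: raw DEFLATE then base64. HTTP-POST binding: base64 only."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")


def decode_saml_response(value):
    """SAMLResponse is POSTed to /saml/acs as a base64 form parameter."""
    return base64.b64decode(value).decode("utf-8")


def summarize_request(xml_text):
    root = ET.fromstring(xml_text)
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "destination": root.get("Destination"),
            "acs_url": root.get("AssertionConsumerServiceURL")}


def summarize_response(xml_text):
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    return {
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "audiences": [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)],
        "has_attribute_statement": root.find(".//saml:AttributeStatement", NS) is not None,
        "name_id": root.findtext(".//saml:Subject/saml:NameID", namespaces=NS),
    }


def check_response(summary, sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL, idp_entity_id=IDP_ENTITY_ID):
    """Relate what the IdP actually sent to the ftrack settings that must match it."""
    problems = []
    if summary["issuer"] != idp_entity_id:
        problems.append("issuer mismatch: ftrack Entity ID must be %r" % summary["issuer"])
    if summary["destination"] not in (None, acs_url):
        problems.append("destination mismatch: IdP return/ACS URL must be %s" % acs_url)
    if sp_entity_id not in summary["audiences"]:
        problems.append("audience mismatch: IdP audience must be %s" % sp_entity_id)
    if not summary["has_attribute_statement"]:
        problems.append("no AttributeStatement: set wantAttributeStatement to false in Advanced settings")
    if not (summary["response_signed"] or summary["assertion_signed"]):
        problems.append("neither response nor assertion is signed: signature validation cannot succeed")
    return problems


# Constructed sample messages; the signature value is a placeholder, not a real XMLDSig.
SAMPLE_REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
    'Destination="https://idp.example.com/saml/sso" AssertionConsumerServiceURL="%s">'
    '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
) % (NS["samlp"], NS["saml"], SP_ACS_URL, SP_ENTITY_ID)
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_resp1" Version="2.0" '
    'Destination="%s"><saml:Issuer>%s</saml:Issuer>'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>%s</saml:Issuer>'
    '<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>https://your-domain.ftrackapp.com</saml:Audience>'  # wrong: /saml/metadata missing
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
) % (NS["samlp"], NS["saml"], NS["ds"], SP_ACS_URL, IDP_ENTITY_ID, IDP_ENTITY_ID)


def encode_redirect_request(xml_text):
    """What the browser carries in the SAMLRequest query parameter (Redirect binding)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


CAPTURED_REQUEST = encode_redirect_request(SAMPLE_REQUEST_XML)
CAPTURED_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(summarize_request(decode_saml_request(CAPTURED_REQUEST)))
    for problem in check_response(summarize_response(decode_saml_response(CAPTURED_RESPONSE))):
        print("-", problem)
```

Run against the constructed response it reports two findings, the audience that lacks the /saml/metadata path and the missing AttributeStatement, which correspond to the last two troubleshooting entries above; paste a real captured value in place of the constants to triage your own configuration.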