SAML Single Sign-On in FogBugz



Overview

This article provides information on FogBugz support for SSO with the integration of SAML 2.0 compliant identity providers. There are several services that support SAML 2.0 and integrate with LDAP (e.g., Okta, OneLogin, and ClearLogin).

Instead of using a service, you can configure your own identity provider that integrates with your LDAP configuration (e.g., Shibboleth or SimpleSAMLphp). Active Directory supports SAML 2.0 SSO via Active Directory Federation Services (ADFS).

NOTE: For FogBugz On-Site, FogBugz On-Premises, and Manuscript (any version above 8.15), you will need to enable and force HTTPS connections to support ADFS.

Process

When configuring the trust relationship with your identity provider, many of the values will vary depending on the URL you use to access FogBugz. The format for the metadata is below:

What You Will Need to Tell FogBugz About Your SAML Identity Provider

  • On the FogBugz side, we will require two values to configure SAML authentication, both of which should be supplied by your identity provider. These values are:
    • The SSO URL where FogBugz should redirect unauthenticated users to sign in.
    • The public X.509 certificate used by your SAML Identity Provider to sign requests.

What You Will Need to Tell Your SAML Identity Provider About FogBugz

  • The EntityID (sometimes called Audience) for FogBugz will be:
    • FogBugz On-Site: https://{site name}.{host}/saml-sp (https if using SSL)
    • FogBugz On Demand: https://{your-fogbugz-domain}.fogbugz.com/saml-sp
  • The Assertion Consumer Service URL will be:
    • FogBugz On-Site: https://{site name}.{host}/auth/SAML2/POST (https if using SSL)
    • FogBugz On Demand: https://{site name}.fogbugz.com/auth/SAML2/POST
  • In addition, your SAML Identity Provider must send one of the following attributes as part of the assertion in the POST request to FogBugz:
    • FogBugzFullName: This must match the full name of the user you create in FogBugz.
    • FogBugzEmail: This must match the email address of the user you create in FogBugz.

NOTES:
  • Each attribute must be unique in order to map a single FogBugz user to the SAML Identity. FogBugz enforces uniqueness for Full Name, but it allows multiple users to exist with the same email address.
  • If you are using the FogBugzEmail attribute to authenticate via SAML, the email address sent by your SAML Identity Provider must be unique in FogBugz.
  • If both the FogBugzFullName and FogBugzEmail attributes are sent, only the FogBugzFullName attribute will be used by FogBugz.
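The following added example (not FogBugz code) checks a decoded SAML response from a test login against the values listed above: the EntityID as Audience, the Assertion Consumer Service URL as Recipient, and which attribute FogBugz would map the user by. The host `example.fogbugz.com`, the sample response, and the function name `check_assertion` are constructed for illustration, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (already base64-decoded); example.fogbugz.com is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
      Recipient="https://example.fogbugz.com/auth/SAML2/POST"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example.fogbugz.com/saml-sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FogBugzFullName">
      <saml:AttributeValue>Pat Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FogBugzEmail">
      <saml:AttributeValue>pat@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""


def check_assertion(xml_text, site):
    """Return (mapped_by, findings) for a decoded SAML response.

    site is the FogBugz base URL. Configuration check only: the XML
    signature is NOT verified here.
    """
    entity_id, acs_url = site + "/saml-sp", site + "/auth/SAML2/POST"
    root = ET.fromstring(xml_text)
    findings = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        findings.append(f"error: Audience {audiences} lacks {entity_id}")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        findings.append(f"error: Recipient {recipients} is not {acs_url}")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    # Per the notes above: when both are sent, only FogBugzFullName is used.
    mapped_by = next((n for n in ("FogBugzFullName", "FogBugzEmail") if attrs.get(n)), None)
    if mapped_by is None:
        findings.append("error: neither FogBugzFullName nor FogBugzEmail was sent")
    elif mapped_by == "FogBugzEmail":
        findings.append("note: mapping by email; the address must be unique in FogBugz")
    return mapped_by, findings
```

Run it against a response captured from your own identity provider's test login before switching the Authentication Mode, so a mismatched Audience or a missing attribute shows up before users are locked out.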

 



Enabling SAML SSO

Any admin user can enable SAML SSO Authentication for FogBugz:

  1. Navigate to the gear menu > Site Configuration > Authentication.
  2. From the Authentication Mode dropdown, choose either "Username and Password or SAML Authentication" or just "SAML Authentication", and then configure SAML with the information above.

Occasionally, SSO/SAML authentication is not visible in Site Configuration for the FogBugz On-Site version. See "Enabling SAML Authentication for FogBugz On-Site" for step-by-step instructions on this topic.

If you would like help in configuring SAML, please contact us.

