Overview
This article provides information on FogBugz support for SSO through integration with SAML 2.0 compliant identity providers. Several Identity Provider (IDP) services support SAML 2.0, for example Okta, OneLogin, Active Directory Federation Services (ADFS), and Azure Active Directory (Azure AD).
Information
When configuring the trust relationship with your identity provider, many of the values will vary depending on the URL you use to access FogBugz. The format for the metadata is below:
What You Will Need to Tell FogBugz About Your SAML Identity Provider
On the FogBugz side, we will require two values to configure SAML authentication, both of which should be supplied by your identity provider. These values are:
- The SSO URL where FogBugz should redirect unauthenticated users to sign in.
- The public X.509 certificate used by your SAML Identity Provider to sign requests.
What You Will Need to Tell Your SAML Identity Provider About FogBugz
- The EntityID (sometimes called Audience) for FogBugz will be:
  - FogBugz On-Premises: https://{site name}.{host}/saml-sp (https if using SSL)
  - FogBugz On-Demand: https://{your-fogbugz-domain}.fogbugz.com/saml-sp
- The Assertion Consumer Service URL will be:
  - FogBugz On-Premises: https://{site name}.{host}/auth/SAML2/POST (https if using SSL)
  - FogBugz On-Demand: https://{site name}.fogbugz.com/auth/SAML2/POST
- In addition, your SAML Identity Provider must send one of the following attributes as part of the assertion in the POST request to FogBugz:
  - FogBugzFullName: This must match the full name of the user you create in FogBugz.
  - FogBugzEmail: This must match the email address of the user you create in FogBugz.
NOTES:
- Each attribute must be unique in order to map a single FogBugz user to the SAML Identity. FogBugz enforces this for Full Name and allows multiple users to exist with the same email address.
- If you are using the FogBugzEmail attribute to authenticate via SAML, the email address sent by your SAML Identity Provider must be unique in FogBugz.
- If both the FogBugzFullName and FogBugzEmail attributes are sent, only the FogBugzFullName attribute will be used by FogBugz.
Enabling SAML SSO
Any admin user can enable SAML SSO Authentication for FogBugz:
- Navigate to the Avatar Menu > Site Configuration > Authentication.
- From the Authentication Mode dropdown, choose either "Username and Password or SAML Authentication" or just "SAML Authentication", and then configure SAML with the Login URL and the x509 certificate received from your SAML Identity Provider.
Occasionally, SSO/SAML authentication is not visible in Site Configuration for the FogBugz On-Premises version. Read Enabling SAML Authentication for FogBugz On-Premises for step-by-step instructions on this topic for FogBugz On-Premises.
Known Issue with SAML Configuration Saving
Currently, there is a known issue in FogBugz with the Site Configuration: when saving (clicking OK), the Identity Provider URL and the Public x509 Signing Certificate are not saved in the database. Our engineering team is already working on the fix, which should be available with our next release.
The workaround is to save these configuration items using the following database script:
```sql
USE trial1 -- the name of your trial database

DECLARE @sSAMLIdentityProviderUrl nvarchar(255) -- the login URL
DECLARE @sSAMLSigningCert nvarchar(max) -- Base64 certificate with line-ending characters removed (everything in one line)

SET @sSAMLIdentityProviderUrl = 'https://login.youridp.com/02657f8a-other-characters/saml2'
SET @sSAMLSigningCert = '-----BEGIN CERTIFICATE-----MIIC8.....many..characters......awf-----END CERTIFICATE-----'

-- Update the existing configuration row if there is one; otherwise create it.
IF ((SELECT COUNT(*) FROM SAMLConfig) > 0)
    UPDATE SAMLConfig
    SET
        sSAMLIdentityProviderUrl = @sSAMLIdentityProviderUrl,
        sSAMLSigningCert = @sSAMLSigningCert
    WHERE ixSAMLConfig = (SELECT MIN(ixSAMLConfig) FROM SAMLConfig);
ELSE
    INSERT INTO SAMLConfig (sSAMLIdentityProviderUrl, sSAMLSigningCert)
    VALUES (@sSAMLIdentityProviderUrl, @sSAMLSigningCert);

SELECT * FROM SAMLConfig -- view the result
```
Update the following values in this script:
- trial1 - with the name of your FogBugz database
- @sSAMLIdentityProviderUrl - set its value to your SAML IDP's Login URL
- @sSAMLSigningCert - set its value to your x509 certificate. Remove the line-ending characters to have the certificate on one line.
If you are a FogBugz On-Demand customer, please contact our Support Team so they can execute this script for you.
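The following is an added example, not part of the original article or FogBugz's own tooling: a Python helper that produces the single-line certificate value the workaround script expects for @sSAMLSigningCert and returns its SHA-256 fingerprint, so the value can be compared with the fingerprint shown by your identity provider before it is written to SAMLConfig. The function names are assumptions, and the sample input is constructed bytes, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def flatten_signing_cert(pem_text):
    """Return (one_line_pem, sha256_fingerprint) for a single PEM certificate."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; only the public certificate belongs here")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Drop CR, LF, spaces and tabs inside the Base64 body.
    body = "".join(blocks[0].split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from None
    # An X.509 certificate is a DER SEQUENCE, so the first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not look like a DER certificate")
    one_line = f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----"
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return one_line, fingerprint


def constructed_sample_pem():
    # Constructed bytes with a DER SEQUENCE header; NOT a real certificate.
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


if __name__ == "__main__":
    flat, fp = flatten_signing_cert(constructed_sample_pem())
    print(flat)
    print("SHA-256 fingerprint:", fp)
```

The flattened value contains only the PEM markers and Base64 characters, so it can be pasted between the single quotes of the SET statement without further escaping.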