SAML Single Sign-On in FogBugz



Overview

This article describes FogBugz support for SSO through integration with SAML 2.0 compliant identity providers. Several Identity Provider (IdP) services support SAML 2.0, for example Okta, OneLogin, Active Directory Federation Services (ADFS), and Azure Active Directory (Azure AD).

NOTE: For FogBugz On-Premises, FogBugz On-Site, and Manuscript (any version above 8.15), you will need to enable and force HTTPS connections to support ADFS or Azure AD.

Information

When configuring the trust relationship with your identity provider, many of the values will vary depending on the URL you use to access FogBugz. The format for the metadata is below:

What You Will Need to Tell FogBugz About Your SAML Identity Provider

  • On the FogBugz side, we will require two values to configure SAML authentication, both of which should be supplied by your identity provider. These values are:
    • The SSO URL where FogBugz should redirect unauthenticated users to sign in.
    • The public X.509 certificate used by your SAML Identity Provider to sign requests.

What You Will Need to Tell Your SAML Identity Provider About FogBugz

  • The EntityID (sometimes called Audience) for FogBugz will be:
    • FogBugz On-Premises: https://{site name}.{host}/saml-sp (https if using SSL)
    • FogBugz On-Demand: https://{your-fogbugz-domain}.fogbugz.com/saml-sp
  • The Assertion Consumer Service URL will be:
    • FogBugz On-Premises: https://{site name}.{host}/auth/SAML2/POST (https if using SSL)
    • FogBugz On-Demand: https://{site name}.fogbugz.com/auth/SAML2/POST
  • In addition, your SAML Identity Provider must send one of the following attributes as part of the assertion in the POST request to FogBugz:
    • FogBugzFullName: This must match the full name of the user you create in FogBugz.
    • FogBugzEmail: This must match the email address of the user you create in FogBugz.

NOTES:
  • The attribute value must be unique so that a SAML identity maps to a single FogBugz user. FogBugz enforces uniqueness for Full Name but allows multiple users to exist with the same email address.
  • If you are using the FogBugzEmail attribute to authenticate via SAML, the email address sent by your SAML Identity Provider must be unique in FogBugz.
  • If both the FogBugzFullName and FogBugzEmail attributes are sent, only the FogBugzFullName attribute will be used by FogBugz.
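The following is an added example (not FogBugz code) that shows how the values above fit together when troubleshooting an IdP configuration: it derives the EntityID and Assertion Consumer Service URL for a site, parses an assertion, checks the Audience and Recipient against those values, and applies the attribute rules stated above (FogBugzFullName takes precedence over FogBugzEmail, and the match must resolve to exactly one user). The assertion, the site name example.fogbugz.com and the user directory are constructed for the example; XML signature verification is out of scope here.

```python
"""Check a SAML assertion against the FogBugz SP values and attribute rules.

Added example, not FogBugz code. Rules applied are the ones the article
states; sample assertion and user directory are constructed, and XML
signature verification is not covered.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def fogbugz_sp_values(site_host: str) -> dict:
    """The two values the article says to give the IdP, for an https site."""
    return {"entity_id": f"https://{site_host}/saml-sp",
            "acs_url": f"https://{site_host}/auth/SAML2/POST"}


def parse_assertion(xml_text: str) -> dict:
    """Pull Audience, Recipient and the attribute map out of a saml:Assertion."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    audience = assertion.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    scd = assertion.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in
                                   attr.findall("saml:AttributeValue", NS) if v.text]
    return {"audience": audience,
            "recipient": scd.get("Recipient") if scd is not None else None,
            "attributes": attrs}


def resolve_user(attrs: dict, users: list) -> dict:
    """Map the attributes to exactly one user, following the article's precedence."""
    full_name = attrs.get("FogBugzFullName", [])
    email = attrs.get("FogBugzEmail", [])
    if full_name:  # FogBugzFullName wins when both attributes are sent
        key, value = "FogBugzFullName", full_name[0]
        matches = [u for u in users if u["full_name"] == value]
    elif email:
        key, value = "FogBugzEmail", email[0]
        # case-insensitive email comparison is an assumption of this example
        matches = [u for u in users if u["email"].lower() == value.lower()]
    else:
        return {"ok": False, "reason": "neither FogBugzFullName nor FogBugzEmail was sent"}
    if len(matches) == 1:
        return {"ok": True, "user": matches[0], "matched_on": key}
    if not matches:
        return {"ok": False, "reason": f"no FogBugz user with {key} = {value!r}"}
    return {"ok": False, "reason": f"{len(matches)} FogBugz users share {key} = {value!r}; "
                                   "the mapping is ambiguous"}


def check_assertion(xml_text: str, site_host: str, users: list) -> dict:
    """Return addressing problems plus the user-mapping outcome."""
    expected = fogbugz_sp_values(site_host)
    parsed = parse_assertion(xml_text)
    problems = []
    if parsed["audience"] != expected["entity_id"]:
        problems.append(f"Audience {parsed['audience']!r} != EntityID {expected['entity_id']!r}")
    if parsed["recipient"] != expected["acs_url"]:
        problems.append(f"Recipient {parsed['recipient']!r} != ACS URL {expected['acs_url']!r}")
    mapping = resolve_user(parsed["attributes"], users)
    if not mapping["ok"]:
        problems.append(mapping["reason"])
    return {"problems": problems, "mapping": mapping}


# Constructed sample assertion for the hypothetical site example.fogbugz.com.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://login.example-idp.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://example.fogbugz.com/auth/SAML2/POST"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example.fogbugz.com/saml-sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FogBugzFullName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FogBugzEmail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed user directory: two users share an email, which FogBugz permits
# but which makes a FogBugzEmail-based login ambiguous.
USERS = [
    {"full_name": "Alice Example", "email": "alice@example.test"},
    {"full_name": "Bob Example", "email": "shared@example.test"},
    {"full_name": "Bobby Example", "email": "shared@example.test"},
]

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "example.fogbugz.com", USERS))
    print(resolve_user({"FogBugzEmail": ["shared@example.test"]}, USERS))
```

Run against a real assertion captured from the browser's POST to /auth/SAML2/POST (after base64-decoding the SAMLResponse), this points at the usual misconfigurations: an Audience or Recipient built from a different hostname than the one users actually browse to, or an email attribute that matches more than one FogBugz account.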

Enabling SAML SSO

Any admin user can enable SAML SSO Authentication for FogBugz:

  1. Navigate to the Avatar Menu > Site Configuration > Authentication.
  2. From the Authentication Mode dropdown, choose either "Username and Password or SAML Authentication" or "SAML Authentication", then configure SAML with the Login URL and the x509 certificate received from your SAML Identity Provider.

Occasionally, SSO/SAML authentication is not visible in Site Configuration for FogBugz On-Premises. Read Enabling SAML Authentication for FogBugz On-Premises for step-by-step instructions on this topic.

Known Issue with SAML Configuration Saving

Currently, there is a known issue in FogBugz with the Site Configuration: when you save (click OK), the Identity Provider URL and the Public x509 Signing Certificate are not saved to the database. Our engineering team is already working on the fix, which should be available with our next release.

The workaround is to save these configuration items using the following database script:

USE trial1 -- the name of your FogBugz database

DECLARE @sSAMLIdentityProviderUrl nvarchar(255) -- the IdP login URL (must fit in 255 characters)
DECLARE @sSAMLSigningCert nvarchar(max)         -- Base64 certificate with line-ending characters removed (everything on one line)

SET @sSAMLIdentityProviderUrl = 'https://login.youridp.com/02657f8a-other-characters/saml2'
SET @sSAMLSigningCert = '-----BEGIN CERTIFICATE-----MIIC8.....many..characters......awf-----END CERTIFICATE-----'

-- Update the existing configuration row if there is one; otherwise insert a new row
IF ((SELECT COUNT(*) FROM SAMLConfig) > 0)
BEGIN
    UPDATE SAMLConfig
    SET
        sSAMLIdentityProviderUrl = @sSAMLIdentityProviderUrl,
        sSAMLSigningCert = @sSAMLSigningCert
    WHERE ixSAMLConfig = (SELECT MIN(ixSAMLConfig) FROM SAMLConfig);
END
ELSE
BEGIN
    INSERT INTO SAMLConfig (sSAMLIdentityProviderUrl, sSAMLSigningCert)
    VALUES (@sSAMLIdentityProviderUrl, @sSAMLSigningCert);
END

SELECT * FROM SAMLConfig -- view the result

Update the following values in this script:

  • trial1 - with the name of your FogBugz database
  • @sSAMLIdentityProviderUrl - set its value to your SAML IdP's Login URL
  • @sSAMLSigningCert - set its value to your x509 certificate. Remove the line-ending characters so that the certificate is on one line.

If you are a FogBugz On-Demand customer, please contact our Support Team so they can execute this script for you.
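The following is an added example (not FogBugz code) for preparing the two inputs the workaround script above needs. It collapses an exported PEM certificate to the single line the script expects after checking that the body really is base64-encoded DER, checks the login URL against the nvarchar(255) column width used by the script, and renders the script with both values as properly escaped T-SQL string literals. The certificate it builds is a constructed placeholder (a DER SEQUENCE of zero bytes), not a real X.509 certificate, and the database name trial1 and IdP URL are placeholders from the article.

```python
"""Prepare the inputs for the SAMLConfig workaround script.

Added example, not FogBugz code. Applies the constraints visible in the
article's script: one-line certificate, login URL within nvarchar(255).
The certificate below is a constructed placeholder, not a real X.509 cert.
"""
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
URL_COLUMN_WIDTH = 255  # nvarchar(255) in the article's script


def pem_to_single_line(pem: str) -> str:
    """Collapse a PEM CERTIFICATE block to one line after validating its body."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("expected exactly one PEM CERTIFICATE block")
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:  # an X.509 Certificate is a DER SEQUENCE (tag 0x30)
        raise ValueError("decoded body is not a DER SEQUENCE")
    return PEM_HEADER + body + PEM_FOOTER


def login_url_problems(url: str) -> list:
    """Checks to run before the URL goes into @sSAMLIdentityProviderUrl."""
    problems = []
    if len(url) > URL_COLUMN_WIDTH:
        problems.append(f"login URL is {len(url)} characters; column holds {URL_COLUMN_WIDTH}")
    if not url.lower().startswith("https://"):
        problems.append("login URL does not use https")
    return problems


def tsql_literal(value: str) -> str:
    """N'...' string literal with embedded single quotes doubled."""
    return "N'" + value.replace("'", "''") + "'"


def build_saml_config_script(database: str, idp_login_url: str, pem: str) -> str:
    """Render the article's workaround script with the values filled in."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", database):
        raise ValueError("database name must be a plain identifier")
    problems = login_url_problems(idp_login_url)
    if problems:
        raise ValueError("; ".join(problems))
    cert = pem_to_single_line(pem)
    return f"""USE [{database}];
DECLARE @sSAMLIdentityProviderUrl nvarchar(255) = {tsql_literal(idp_login_url)};
DECLARE @sSAMLSigningCert nvarchar(max) = {tsql_literal(cert)};
IF EXISTS (SELECT 1 FROM SAMLConfig)
BEGIN
    UPDATE SAMLConfig
    SET sSAMLIdentityProviderUrl = @sSAMLIdentityProviderUrl,
        sSAMLSigningCert = @sSAMLSigningCert
    WHERE ixSAMLConfig = (SELECT MIN(ixSAMLConfig) FROM SAMLConfig);
END
ELSE
BEGIN
    INSERT INTO SAMLConfig (sSAMLIdentityProviderUrl, sSAMLSigningCert)
    VALUES (@sSAMLIdentityProviderUrl, @sSAMLSigningCert);
END
SELECT * FROM SAMLConfig;
"""


# Constructed placeholder certificate: a DER SEQUENCE of zero bytes, base64
# encoded and wrapped at 64 columns the way a PEM export presents it.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_BODY = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_PEM = "\n".join([PEM_HEADER] + [FAKE_BODY[i:i + 64] for i in
                                       range(0, len(FAKE_BODY), 64)] + [PEM_FOOTER]) + "\n"

if __name__ == "__main__":
    print(build_saml_config_script("trial1", "https://login.youridp.test/saml2", SAMPLE_PEM))
```

The DER check is deliberately shallow (it only confirms the outer SEQUENCE tag); its purpose is to catch a certificate that was pasted with a truncated or corrupted body before it is written to the database, where the failure would only surface as a signature validation error at login time.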
