Working with SAML

Configure Faspex as a service provider (SP) to connect with your SAML identity provider (IdP) to authenticate users. Authenticated users can then use Faspex to access secure content.

With SAML enabled, Faspex redirects a user to the IdP sign-on URL. The user signs in with the IdP and the IdP sends a SAML assertion back to Faspex. When a SAML user logs in to Faspex for the first time, Faspex automatically creates a new user account based on the information provided by the SAML response. Any changes subsequently made to the account on the DS server are not automatically picked up by Faspex unless SCIM provisioning is configured. For more information about SCIM provisioning, see SCIM for SAML user and groups provisioning/deprovisioning.

If you want to use directory services with Faspex, configure your SAML IdP to act as a front-end for the directory service.

Multiple SAML configurations

Faspex supports multiple SAML configurations on the same server. Faspex redirects users to the default SAML IdP, but if no default is specified, Faspex directs users to the local login page where users can choose to log into publicly visible SAML configurations or log in locally.

To configure multiple SAML configurations in Faspex, first create a new SAML configuration (see Creating a new SAML configuration in Faspex) and then configure an alternate address for the configuration (see Configuring a SAML alternate address).

Multi-factor authentication (MFA)

As a Faspex 5 SAML user you can enforce the use of multi-factor authentication (MFA) through a supported SAML identity provider (IdP). Multi-factor authentication is not supported for Faspex 5 local users.