CONFIGURE FLARE
Team

SSO and Authentication

13min

Flare supports logging into the platform with SP-initiated Single Sign-On using a SAML provider (such as Microsoft Azure Active Directory and Okta) and with Google.

Configuring SSO

Only organization administrators may configure single sign-on.

  • Navigate to the SSO configuration page
    • Open the Team page.
    • Click Edit on the right panel.
    • Under SSO Configuration, select your desired identity provider

Understanding the configuration states

There are two configuration options for SSO:

  • Enabled: Logging in with SSO is allowed but not mandatory. Organization members can still chose to log in using their Flare password.
  • Mandatory: Organization members may only login using SSO. They cannot use password authentication. API access will only be allowed with API keys.
  • Choose your provider
    • If your organization is using Google as an identity provider, there is no additional configuration that is needed. Simply selecting "Google" will be enough to allow your organization members to login with their Google accounts. The email of the Google account must match the email of the organization member in Flare.
    • If your organization is using a SAML-supporting identity provider, such as Microsoft Azure AD, you need to provide two configuration values. For more information on obtaining these configuration values from the Azure portal, please read the guide below.
      • Metadata URL: Points to the metadata configuration of your SAML provider.
      • Mapping Email: Used to map Flare's email attribute to matching attributes in your SAML identity provider.



Testing and enabling SSO

To test and enable Single-Sign-On:

  • Browse to the Flare Team page and check the Enable option. Do not make it mandatory for now.
  • Log out from Flare
  • Attempt to log back in by choosing Log in with SSO. You should get redirected to your identity provider for authentication. In the case where you are already connected, you should be instantly redirected to Flare's home page. If you were not connected, your identity provider will ask for your credentials



Document image

  • If succesful, you can browse back to the Team page and set SSO as Mandatory. From this point on, users in your organization will only be able to log in with that method, and password authentication will be disabled.



Configuring Microsoft Azure AD

Flare requires 2 values from Azure AD in order to use it as an identity provider.

To obtain the Metadata URL:

  • Browse to your Azure Active Directory in your Azure Portal.
  • In the left menu, click on App Registrations.
  • Click on Endpoints.
  • Copy the value of the Federation metadata document and paste it in the Metadata URL in the Flare configuration page.

For the Mapping Email, which is used to map the Flare email to a matching attribute in your SAML identity provider, simply use the value below for a default Azure AD installation. If you are unsure what to use here, please contact your Azure AD administrator.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Once both values are entered in Flare, click Save.

Next, Flare must be registered in Azure AD to be used as a provider.

  • Go to Azure Active Directory.
  • Go to App Registrations.
  • Click on New Registration.
  • Enter:
    • For the app name: Firework
    • For the redirect URI: https://sso.firework.flared.io
  • Click on Register.
  • In the Essentials section, click on Add an Application ID URI.
  • At the top left, click on Add.
  • Set the Application ID URI to the value below and click Save
    • urn:amazon:cognito:sp:us-east-1_EdS7l4VuU





Document image


Azure AD should now be correctly configured.

Configuring Okta

Flare Settings:

  • Metadata URL: Taken from Okta in the "Sign On" subtab of the application
  • Mapping Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Okta Settings:

  • Single sign-on URL: https://sso.firework.flared.io/saml2/idpresponse
  • Audience URI: urn:amazon:cognito:sp:us-east-1_EdS7l4VuU

Then, create an additional Attribute Statement:

  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Format: Basic
  • Value: user.email



Configuring JumpCloud

JumpCloud Config

App Creation

  • User Authentification -> Add New Application -> Custom Application
  • Custom Application Features:
    • Manage Single Sign-On (SAML)
  • Save Application

App Config

  • SP entity ID: urn:amazon:cognito:sp:us-east-1_EdS7l4VuU
  • ACS URL: https://sso.firework.flared.io/saml2/idpresponse
  • SAMLSubject NameID: email
  • SAMLSubject NameID Format: urn:oasis:names:SAML:1.1:nameid-format:unspecified
  • Declare Redirect Endpoint: Yes

Creating a user attribute

  • Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • JC Attribute Name: email

Flare Config

  • Metadata URL: Obtain from Copy Metadata URL in JumpCloud.
  • Mapping Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Related Articles