CONFIGURE FLARE
Team

SSO and Authentication

14min

Flare supports logging into the platform with SP-initiated Single Sign-On using a SAML provider (such as Microsoft Azure Active Directory and Okta) and with Google.

Configuring SSO

Only organization administrators may configure single sign-on.

  • Navigate to the SSO configuration page
    • Open the Team page.
    • Click Edit on the right panel.
    • Under SSO Configuration, select your desired identity provider

Understanding the configuration states

There are two configuration options for SSO:

  • Enabled: Logging in with SSO is allowed but not mandatory. Organization members can still chose to log in using their Flare password.
  • Mandatory: Organization members may only login using SSO. They cannot use password authentication. API access will only be allowed with API keys.
  • Choose your provider
    • If your organization is using Google as an identity provider, there is no additional configuration that is needed. Simply selecting "Google" will be enough to allow your organization members to login with their Google accounts. The email of the Google account must match the email of the organization member in Flare.
    • If your organization is using a SAML-supporting identity provider, such as Microsoft Azure AD, you need to provide two configuration values. For more information on obtaining these configuration values from the Azure portal, please read the guide below.
      • Metadata URL: Points to the metadata configuration of your SAML provider.
      • Mapping Email: Used to map Flare's email attribute to matching attributes in your SAML identity provider.



Testing and enabling SSO

To test and enable Single-Sign-On:

  • Browse to the Flare Team page and check the Enable option. Do not make it mandatory for now.
  • Log out from Flare
  • Attempt to log back in by choosing Log in with SSO. You should get redirected to your identity provider for authentication. In the case where you are already connected, you should be instantly redirected to Flare's home page. If you were not connected, your identity provider will ask for your credentials



Document image

  • If succesful, you can browse back to the Team page and set SSO as Mandatory. From this point on, users in your organization will only be able to log in with that method, and password authentication will be disabled.



Configuring Microsoft Azure Entra ID

Flare requires 2 values from Azure AD in order to use it as an identity provider.

To obtain the Metadata URL

  • For a default Azure Entra ID installation :
    • Browse to your Azure Active Directory in your Azure Portal.
    • In the left menu, click on App Registrations.
    • Click on Endpoints.
    • Copy the value of the Federation metadata document and paste it in the Metadata URL in the Flare configuration page.
  • If you've customized claims:
    • Proceed with the next steps.

For the Mapping Email, which is used to map the Flare email to a matching attribute in your SAML identity provider, simply use the value below for a default Azure Entra ID installation. If you are unsure what to use here, please contact your Azure Entra ID administrator.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Available claim types can be found here.

Once both values are entered in Flare, click Save.

Next, Flare must be registered in Azure AD to be used as a provider.

  • Go to Azure Active Directory.
  • Go to App Registrations.
  • Click on New Registration.
  • Enter:
    • For the app name: Firework
    • For the redirect URI: https://sso.firework.flared.io
  • Click on Register.
Document image

  • In the Essentials section, click on Add an Application ID URI.
  • At the top left, click on Add.
  • Set the Application ID URI to the value below and click Save
    • urn:amazon:cognito:sp:us-east-1_EdS7l4VuU
Document image


If you have customized claims, you might need to use a different Metadata URL. You can find it by:

  • Navigating to the app registration you just created.
  • Click on the Managed application in local directory link.
  • In the left sidebar, under Manage, Select Single sign-on.
  • If a new custom signing has been used, you should see a section called Certificates.
  • Copy the value from Federation metadata document.
  • Set the value Metadata URL in Flare to the value you just copied.

Azure Entra ID should now be correctly configured.

Configuring Okta

Flare Settings:

  • Metadata URL: Taken from Okta in the "Sign On" subtab of the application
  • Mapping Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Okta Settings:

  • Single sign-on URL: https://sso.firework.flared.io/saml2/idpresponse
  • Audience URI: urn:amazon:cognito:sp:us-east-1_EdS7l4VuU

Then, create an additional Attribute Statement:

  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Format: Basic
  • Value: user.email



Configuring JumpCloud

JumpCloud Config

App Creation

  • User Authentification -> Add New Application -> Custom Application
  • Custom Application Features:
    • Manage Single Sign-On (SAML)
  • Save Application

App Config

  • SP entity ID: urn:amazon:cognito:sp:us-east-1_EdS7l4VuU
  • ACS URL: https://sso.firework.flared.io/saml2/idpresponse
  • SAMLSubject NameID: email
  • SAMLSubject NameID Format: urn:oasis:names:SAML:1.1:nameid-format:unspecified
  • Declare Redirect Endpoint: Yes

Creating a user attribute

  • Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • JC Attribute Name: email

Flare Config

  • Metadata URL: Obtain from Copy Metadata URL in JumpCloud.
  • Mapping Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Related Articles