SAML2 configurations - Microsoft Entra ID (Azure AD)

Configuring SAML2 in flowdit: A Step-by-Step Guide

flowdit supports SAML2-based Single Sign-On (SSO) to simplify user authentication via Microsoft Entra ID (formerly Azure AD). This guide walks you through the process of configuring SAML2 in flowdit.

1. How to Start Configuring SAML2 in flowdit?

To begin, navigate to your Microsoft Entra ID portal and create a new Enterprise Application for SAML-based Single Sign-On.

You will need to retrieve the following URLs from flowdit's SAML2 settings:

  • Login URL
  • Logout URL
  • Federation Metadata URL

These URLs can be found under Organization Settings (Auth tab) in the flowdit app.

2. Required URLs for Microsoft Entra ID Configuration

When configuring the application in Microsoft Entra ID, set the following URLs:

These URLs are available in the flowdit SAML2 settings.

3. Configuring Attributes and Claims in Microsoft Entra ID

Under the Attributes & Claims section, configure the following mappings to ensure seamless user authentication:

  • Email Address: user.userPrincipalName
  • First Name (Given Name): user.givenName
  • Last Name (Surname): user.surname
  • Unique User Identifier: user.userPrincipalName


Ensure each claim matches the corresponding namespace, such as:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims
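A mismatched claim name is the usual reason an SSO login or first-time provisioning fails, so it helps to inspect the attributes in a captured test assertion. The following is an added example, not flowdit's or Microsoft's code: the helper `check_claims`, the sample assertion, and the claim names `emailaddress`, `givenname` and `surname` (Entra ID's default names under the namespace above) are assumptions. It only checks the mapping and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Assumption: Entra ID's default claim names under the namespace above
REQUIRED = {
    "Email Address": f"{CLAIMS}/emailaddress",
    "First Name": f"{CLAIMS}/givenname",
    "Last Name": f"{CLAIMS}/surname",
}

# Constructed sample assertion (unsigned, trimmed); surname lacks the namespace
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_claims(assertion_xml):
    """Return a list of problems with the claim mapping; empty means OK."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    problems = []
    for label, uri in REQUIRED.items():
        if not attrs.get(uri):
            short = uri.rsplit("/", 1)[1]
            hint = " (sent without namespace)" if attrs.get(short) else ""
            problems.append(f"{label}: missing {uri}{hint}")
    name_id = (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip()
    email = attrs.get(REQUIRED["Email Address"], "")
    # Both are mapped to user.userPrincipalName, so they should agree
    if not name_id:
        problems.append("Unique User Identifier: NameID missing")
    elif email and name_id.lower() != email.lower():
        problems.append("NameID and Email Address differ")
    return problems


if __name__ == "__main__":
    for problem in check_claims(SAMPLE):
        print("FAIL", problem)
```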


4. Setting Up Federation Metadata in flowdit

After configuring claims, download the App Federation Metadata URL from Microsoft Entra ID. This URL enables flowdit to retrieve SAML configuration automatically.

To connect the metadata in flowdit:

  1. Navigate to Organization Settings (Auth tab) and click the Configure button in the SAML2 provider.
  2. Paste the Federation Metadata URL into the Metadata URL field.
  3. Map the Identity Provider attributes as follows:
  4. Click Save to complete the integration.


5. Testing the SAML2 Integration

To test the SAML2 configuration:

  1. Log out of flowdit if you are already signed in.
  2. Click "Sign In with SSO" on the flowdit login page.
  3. You will be redirected to the Microsoft login page.
  4. Log in with your organization’s admin credentials.
  5. After successful authentication, you will be redirected back to flowdit.

6. Enabling Just-In-Time (JIT) Provisioning

flowdit supports Just-In-Time (JIT) provisioning, which automatically creates user accounts upon their first SSO login. This feature eliminates the need for manual user creation.

To enable JIT provisioning, toggle the JIT Provisioning option in the flowdit SAML2 settings.

7. Enforcing SSO for All Users

To make SSO mandatory for all users, enable the Require SSO option in flowdit’s SAML2 settings. Once enabled, all users must log in using SSO credentials.

8. Disabling or Replacing the SAML2 Configuration

If you disable SAML2 by setting Enable SSO to No, users will no longer be able to log in via SSO.

Replacing the configuration will remove existing settings and require reconfiguration from scratch.

By following these steps, you can successfully integrate SAML2 SSO in flowdit, enhancing security and user experience across your organization.

