SAML-based single sign-on (SSO) gives members access to Fulcrum through an identity provider (IdP) of your choice. SSO is available on Fulcrum Enterprise accounts and can be enabled by your Account Manager.
What to Expect after Enabling SSO
Fulcrum supports a mixed environment of both managed (SSO) and unmanaged (Standard Fulcrum login) users.
- Existing unmanaged members can be migrated to managed members if they are not members of any other Fulcrum Organizations.
- SSO managed members can have the same email as existing Fulcrum system (unmanaged) members.
- Only members with an Owner system role can add unmanaged members once SSO has been enabled.
Step 1: Configure your Identity Provider
To set up SSO for your Fulcrum organization, you'll need to create a connection between Fulcrum and your IdP. Fulcrum SSO can be configured to use any IdP that supports the SAML 2.0 specification.
- Fulcrum supports Service Provider (SP) and Identity Provider (IdP) Initiated SSO.
- Fulcrum supports Just In Time (JIT) user provisioning.
- Fulcrum expects the following attributes in the SAML response:
The role attribute is optional and defaults to Fulcrum's default role if omitted.
Step 2: Exchange Metadata
Once your IdP is configured, send your SAML metadata to your Fulcrum Account Manager. We will establish a domain for your organization, ingest your metadata and provide the appropriate metadata for your IdP.
Remote System Parameters
- SAML Endpoint URL (Identity Provider URL)
- SAML Identity Provider Issuer (also called IdP Entity ID) (Optional)
- SAML Public X.509 Certificate
- SAML Entity ID (Issuer)
- SAML Single Sign On URL (Assertion Consumer Service URL) (ACS URL)
- SAML Sign on URL (Shareable URL to Sign in to Fulcrum)
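The following is an added example, not Fulcrum's own code: a minimal relying-party check in Python that reads a constructed SAML 2.0 response, rejects one whose Issuer or Destination does not match the IdP Entity ID and ACS URL exchanged in Step 2, and applies the rule above that a missing role attribute falls back to the default role. The attribute name `email`, both URLs and the default role name are assumed placeholders, and the function assumes the XML signature has already been verified against the IdP's X.509 certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values exchanged with the Account Manager in Step 2; constructed placeholders.
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"  # IdP Entity ID (Issuer)
ACS_URL = "https://sp.example.com/saml/acs"              # Assertion Consumer Service URL
DEFAULT_ROLE = "default-role"                            # assumed name for Fulcrum's default role

def parse_saml_response(xml_text, now=None):
    """Return the provisioning attributes from a SAML response, or raise ValueError.
    Assumes the caller has already verified the XML signature with the IdP's X.509
    certificate; attributes from an unverified response must not be trusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    # The response must be addressed to our ACS URL, not another service provider's.
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    # The assertion must come from the IdP whose metadata was ingested.
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Issuer does not match the configured IdP Entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or now >= datetime.fromisoformat(
            conditions.get("NotOnOrAfter", "").replace("Z", "+00:00")):
        raise ValueError("assertion has no Conditions or has expired")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if "email" not in attrs:  # 'email' is an assumed attribute name
        raise ValueError("email attribute missing")
    # The role attribute is optional and falls back to the default role when omitted.
    return {"email": attrs["email"], "role": attrs.get("role", DEFAULT_ROLE)}

# Constructed sample: a response that carries an email but no role attribute.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}">
  <saml:Assertion><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Conditions NotOnOrAfter="2999-01-01T00:00:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
```

Running `parse_saml_response(SAMPLE_RESPONSE)` yields the email with the default role filled in; swapping the Destination or Issuer for any other value is rejected before any attribute is read.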
Step 3: Authenticate via SSO
Once SSO has been configured, you can authenticate to Fulcrum via your IdP on both the web and mobile apps. We can also optionally set a SAML timeout value to force re-authentication at a preset interval.