Installing the SAML Deprecated connector

warning

This connector is now in Deprecated status. It is no longer available for new users and is not actively maintained. We will provide a minimum six-month notice before its retirement. We recommend upgrading to the newer supported version of this connector.

To use the SAML Deprecated connector, you will first need to install the connector into your Flow tenant.

Step 1: Installing the SAML Deprecated connector

  1. Select Connectors from the main left-hand menu.
  2. Click New Connector.
  3. Select "SAML (Deprecated)" from the Connector Type menu.
  4. Enter a name for the connector in the Name field, "SAML connector" for example. The URL is shown in the Url field.
  5. Click Retrieve Connector Configuration Data.
  6. Specify the required configuration values. Refer to configuration values for details on the required values.
  7. Click Install.
  8. Click Save Connector.
  9. The connector is now installed.

Step 2: Certificate Decryption

The certificate is encrypted in the system, and needs to be decrypted before it is sent to the SAML connector.

  1. Open the Flow you wish to configure the certificate for.

  2. On the Home tab select API from the main menu.

  3. Enter api/draw/1/element/service?filter= into the API Address field.

  4. Click GET.

  5. The Response pane now contains the id for the SAML Deprecated connector. Copy this value.

  6. Enter api/draw/1/element/service/{service id} into the API Address field, replacing service id with the SAML connector id value copied previously.

  7. Click GET.

  8. Copy all the content in the Response pane and paste it into the Request pane.

  9. Set "sendDecryptedValues" to true in the Request pane content.

  10. Remove the service id from the API Address field so that it reads api/draw/1/element/service.

  11. Click POST.

Step 3: Define the IdP assertion package

In your IdP, configure the assertion package to include the claim attributes that the Flow needs to identify the user; this allows the Flow to understand the user information that is being sent by your IdP.

The following claim attributes will need to be added:

| Claim Attribute | Description | System user value |
| --- | --- | --- |
| name | The first name of the user. The following claim attribute naming conventions are accepted: name, firstname, first_name, first name, givenname, given_name, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Use in a Flow through the $User/First Name system user value. |
| surname | The surname of the user. The following claim attribute naming conventions are accepted: surname, sur_name, last name, last_name, lastname, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Use in a Flow through the $User/Last Name system user value. |
| emailaddress | The email address of the user. The following claim attribute naming conventions are accepted: email, emailaddress, email_address, mail, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Use in a Flow through the $User/Email system user value. |
| groups | Group(s) that the user is a member of. This attribute is optional, depending on your configuration. The following claim attribute naming conventions are accepted: groups, http://schemas.microsoft.com/ws/2008/06/identity/claims/groups | Groups are concatenated into the $User/Primary Group Name system user value in comma-separated format. For example, 'GroupA,GroupB,GroupC'. Where the SAML response contains both groups and primarygroupname attributes, the primarygroupname attribute takes priority and is set in the $User/Primary Group Name system user value. |
| primarygroupname | The primary group name that the user is a member of. This attribute is optional, depending on your configuration. The following claim attribute naming conventions are accepted: primarygroupname, primary_group_name, primary group name, http://schemas.manywho.com/2020/identity/claims/primarygroupname | Use in a Flow through the $User/Primary Group Name system user value. |
| primarygroupid | The primary group ID that the user is a member of. This attribute is optional, depending on your configuration. The following claim attribute naming conventions are accepted: primarygroupid, primary_group_id, primary group id, http://schemas.manywho.com/2020/identity/claims/primarygroupid | Use in a Flow through the $User/Primary Group ID system user value. |

note

When using Active Directory Federation Services (ADFS) with SAML, the reply from ADFS may need to include the Name ID claims attribute for the configuration to work correctly.

Example SAML IdP response Attribute Statement

In this example, once a user has successfully logged in with their IdP, the SAML Response sent from the IdP to Flow should contain an Attribute Statement that identifies the user, as follows:

<saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">First Name</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Surname</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">group1</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">group2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.manywho.com/2020/identity/claims/primarygroupname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Primary Group Name</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.manywho.com/2020/identity/claims/primarygroupid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Primary Group Id</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

note

In the above example, the optional group information for the user has also been included, using the groups, primarygroupname, and primarygroupid Attributes.
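
The claim mapping rules from Step 3, as an added example that is not part of the original documentation or the connector's own code: it resolves an AttributeStatement to the $User values and lists the required claims the IdP did not send. Exact, case-sensitive name matching, the function names and the sample claims are assumptions; the check covers attribute naming only and does not validate the SAML response signature.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
WS05 = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MS08 = "http://schemas.microsoft.com/ws/2008/06/identity/claims/"
MW20 = "http://schemas.manywho.com/2020/identity/claims/"

# Accepted claim names from the table above; exact matching is an assumption.
ACCEPTED = {
    "First Name": {"name", "firstname", "first_name", "first name",
                   "givenname", "given_name", WS05 + "name"},
    "Last Name": {"surname", "sur_name", "last name", "last_name",
                  "lastname", WS05 + "surname"},
    "Email": {"email", "emailaddress", "email_address", "mail",
              WS05 + "emailaddress"},
    "groups": {"groups", MS08 + "groups"},
    "Primary Group Name": {"primarygroupname", "primary_group_name",
                           "primary group name", MW20 + "primarygroupname"},
    "Primary Group ID": {"primarygroupid", "primary_group_id",
                         "primary group id", MW20 + "primarygroupid"},
}
REQUIRED = ("First Name", "Last Name", "Email")

def resolve_user_values(statement_xml):
    """Return ($User values, missing required claims) for an AttributeStatement."""
    found = {}
    for attr in ET.fromstring(statement_xml).iter(NS + "Attribute"):
        values = [v.text or "" for v in attr.iter(NS + "AttributeValue")]
        for field, names in ACCEPTED.items():
            if attr.get("Name") in names and values:
                found[field] = values
    user = {f: v[0] for f, v in found.items() if f != "groups"}
    # groups are comma-joined unless primarygroupname is present (it wins).
    if "groups" in found and "Primary Group Name" not in user:
        user["Primary Group Name"] = ",".join(found["groups"])
    return user, [f for f in REQUIRED if f not in user]

def sample_statement(claims):
    """Build a constructed AttributeStatement from {claim name: [values]}."""
    root = ET.Element(NS + "AttributeStatement")
    for name, values in claims.items():
        attr = ET.SubElement(root, NS + "Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, NS + "AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    claims = {"givenname": ["Ada"], "groups": ["GroupA", "GroupB"]}
    print(resolve_user_values(sample_statement(claims)))
```

Run it against an attribute statement captured from your own IdP before pointing the connector at it; a non-empty second return value names the required claims the assertion package still lacks.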
