Question

FME server and SAML

  • 22 August 2023
  • 8 replies
  • 57 views

Badge +1

The municipality of Eindhoven intends to change the current way of 'authentication' to 'SAML' authentication.

The current way of authenticating is based on 'Windows Active Directory'.

Within Eindhoven we use the publishing of FME Desktop scripts to FME server via the so-called 'FMEServerJobSubmitter'.

This is based on an Active Directory account.

FME version 2022.2.1

 

On the Safe website we find several articles stating that, with SAML authentication within an FME flow, a number of transformers are not supported.

One of them is the 'FMEServerJobSubmitter'.

 

Two possible 'workarounds' are mentioned.

We do have some questions about this. Hopefully someone can comment on this.

 

1. Use a System Account

FME Server can consist of both SAML and system user accounts. Consider creating a system user account whose credentials can be shared with those users who author workspaces in FME Desktop. This account can be used to create the web connection for FME Server transformers. 

• Eindhoven works with AD accounts in FME desktop.

Is the above workaround applicable?

• Is this solution based on a single system user account?

• Or is it possible to use multiple system user accounts?

This is the desirable situation given the various rights/roles on the FME server.

• Does this solution have added value because you continue to work with AD accounts in FME Desktop and have SAML authentication on the FME Server?

 

 

2. Use FME Server Automations

The FME Server Automations framework intends to provide equivalent, if not more powerful functionality as FME Server transformers. Consider migrating existing workflows that contain these transformers to Automations, and going forward create Automations as opposed to leveraging FME Server transformers in your workspaces.  

 

• The above workaround seems possible.

Impact is significant.

Customize all scripts for various user groups.

 

All in all, further research shows that a transition to SAML authentication has quite an impact on the FME desktop and server setup.

As a supplier/customer or client, do you have experience and advice on how and when you can best switch to SAML authentication?

 

Best regards and thanks in advance for a reply.

 

John van der Kleijn

Municipality of Eindhoven


8 replies

Badge +10

Hi @jvdkleijn_ehv​ ,

 

If you want to make a case we would be happy to set up a call and discuss this with you in more detail, but I'll try to hit a few points that may help answer your questions.

 

Using a System Account for the FME Server Job Submitter (FSJS)

  • System accounts, LDAP accounts and SAML accounts can be used side by side in FME Server.
  • The account used in the FSJS is not the same account that is used for running the process. Typically this does not need to be tied to an LDAP or SAML account, since this is a process within FME that sits aside from the authentication to use FME, which is why a custom system account can work well for this transformer.
  • You can have multiple system accounts with different privileges for different groups.
  • Often we see a separation between those authoring the workflows and those administering FME Flow. So while the author may design the workflow, it's an admin who will implement it and design the workflows / job routing on FME Flow. This is the point where an admin could put in a system account with only the privileges needed.

 

Using Automations (although this may take more time to implement, there are advantages)

  • Better logging
  • Better job submission control
  • Automations do not use an engine to run (the jobs they run do)

 

Switching to SAML

  • Switching to SAML can be a bit of a process, as users will have to be recreated and have roles applied manually. We suggest using role-based permissions so user permissions can be easily maintained. If you are currently using a system role or an LDAP role, these roles can be used as templates for the SAML accounts to make permissions easier. You will have to make sure you know which user belongs to which group and manually assign them to that group within the FME Flow system, though.

 

 

Badge +1

Hi Richard,

Thank you very much for your extensive response. My picture is already pretty complete. For me as a functional administrator, it is now clear that an adjustment from LDAP to SAML between FME desktop and server has a considerable impact. I am therefore happy to accept your offer to discuss this further via a 'call'. One of our technical administrators who will support the SAML implementation will join us. I am going to go through the answer given with him and prepare our questions. You will also have the opportunity to view our FME situation.

I'll be on vacation for the next two weeks. I therefore propose to schedule the call after Wednesday 20 September. Is this possible for you via Microsoft Teams, or do you have another solution for setting up a call? And of course we have to plan a suitable time. If I am right, it is 9 hours later with you than in the Netherlands. The meeting could then be scheduled around 8:00 a.m. at the earliest. With us it is then 17.00 hours. But of course it can also be a little later, e.g. at 19.00 hours. With you it is then 10.00 am. Let us know what suits you best in terms of day and time. I have to consult with our technical management department to see if this suits them.

Best regards,
Badge +10

Sounds good. We can work on scheduling a call through the case. You can put "attention Richard" in the case and I'll be sure to grab it.

Badge +7


Hi @richardatsafe​ ,

 

Sorry to hijack this post, but just wanted to clarify a point. You say:

"You will have to make sure you know which user belongs to which group and manually assign them to that group within the FME Flow system though."

 

Does this mean that FME Flow cannot utilise AD groups through SAML? I have just implemented SAML in our FME Flow install and I cannot get my users to be added to their associated SAML groups.

 

Thanks,

Marc

Badge +10

Hi @mgg_beca​ ,

 

Yes, that is correct. The SAML configuration will not import groups. It only adds users from the SAML IDP on their first login. You would have to make system groups in FME Flow and then assign those users to a specific group once they log in. That being said the direct AzureAD integration will allow you to import groups and all the associated users within it.
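The bookkeeping Richard describes in this reply and in his first one (SAML only creates the user on first login, group and role assignment is done by hand, LDAP-era roles serve as templates, and the FMEServerJobSubmitter runs under a system account holding only the privileges it needs) is shown as an added example below; it is not Safe Software's code nor anything posted in the thread. Every role, group, permission and account name is a constructed stand-in for what an administrator would export from the IdP and from FME Flow.

```python
# Added example, not Safe Software's or the thread's code. Every name below is a
# constructed stand-in for what an admin would export from the IdP and from FME Flow.
ROLE_TEMPLATES = {  # LDAP-era roles reused as templates for the SAML accounts
    "fmeuser":   {"job:submit"},
    "fmeauthor": {"job:submit", "workspace:publish"},
    "fmeadmin":  {"job:submit", "workspace:publish", "security:manage"},
}
# Which AD group is meant to receive which FME Flow role.
GROUP_TO_ROLE = {"GIS-Viewers": "fmeuser", "GIS-Authors": "fmeauthor", "GIS-Admins": "fmeadmin"}
# IdP export: user -> AD groups (SAML login does not bring these into FME Flow).
IDP_MEMBERSHIP = {"alice": {"GIS-Authors"}, "bob": {"GIS-Admins", "GIS-Authors"}, "carol": {"GIS-Viewers"}}
# FME Flow state: account -> (account type, roles currently assigned).
FME_ACCOUNTS = {
    "alice":    ("saml",   set()),          # created on first login, no roles yet
    "bob":      ("saml",   {"fmeadmin"}),
    "carol":    ("saml",   {"fmeauthor"}),  # holds more than her AD group warrants
    "erin":     ("saml",   {"fmeuser"}),    # logged in, but absent from the IdP export
    "svc-fsjs": ("system", {"fmeauthor"}),  # web-connection account for FMEServerJobSubmitter
}
FSJS_NEEDS = {"job:submit"}  # all a job-submitting connection should hold

def permissions(roles, templates=ROLE_TEMPLATES):
    """Effective permission set granted by a collection of role names."""
    return set().union(*(templates[r] for r in roles))

def reconcile_saml(fme=FME_ACCOUNTS, idp=IDP_MEMBERSHIP, mapping=GROUP_TO_ROLE):
    """Roles to add / remove per SAML user, plus users FME Flow knows but the IdP does not."""
    to_add, to_remove, unmapped = {}, {}, []
    for user, (kind, roles) in fme.items():
        if kind != "saml":
            continue                      # system accounts are checked separately
        if user not in idp:
            unmapped.append(user)         # stale or unexpected account: review by hand
            continue
        wanted = {mapping[g] for g in idp[user] if g in mapping}
        # Compare effective privilege, not role names: a role already covered by a
        # broader one (bob) is not flagged, while excess privilege (carol) is.
        missing = permissions(wanted) - permissions(roles)
        excess = permissions(roles) - permissions(wanted)
        if missing or excess:             # bring the account to exactly the warranted roles
            if wanted - roles:
                to_add[user] = sorted(wanted - roles)
            if roles - wanted:
                to_remove[user] = sorted(roles - wanted)
    return to_add, to_remove, sorted(unmapped)

def check_system_accounts(fme=FME_ACCOUNTS, needs=FSJS_NEEDS):
    """Permissions each system account holds beyond what the job submitter needs."""
    return {u: sorted(permissions(r) - needs)
            for u, (k, r) in fme.items() if k == "system" and permissions(r) - needs}
```

Run after each batch of first logins: the first two results are the manual role changes to make, the third lists accounts to review, and the system-account check catches a job-submitter connection that has drifted beyond submit-only.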

Badge +7

OK thanks for confirming that

Badge +1

We want to set up a call to discuss the SAML connection via a ‘call’.

 

One of our technical administrators who will support the SAML implementation will join us.

Is this possible for you via Microsoft Teams, or do you have another solution for setting up a call?

A suitable date and time for us would be:

Monday 2 October or Tuesday 3 October

Our time: 19.00

With you it is then 10.00 am.

Does this suit you?

And how can we establish the call?

Badge +10

Hi @jvdkleijn_ehv​ ,

If you can create a case that would be the best way to arrange a call.
