FogBugz supports Single Sign-On (SSO) integration with SAML 2.0 compliant identity providers. There are a number of services that support SAML 2.0 and integrate with LDAP (e.g. Okta, OneLogin, and ClearLogin). Instead of using a service, you can configure your own identity provider which integrates with your LDAP configuration (e.g. Shibboleth or SimpleSAMLphp). Active Directory supports SAML 2.0 SSO via ADFS.

When configuring the trust relationship with your identity provider, many of the values will vary depending on the URL you use to access FogBugz. The format for the metadata is below.

What You’ll Need to Tell FogBugz About Your SAML Identity Provider

On the FogBugz side, we will require two values to configure SAML authentication, both of which should be supplied by your identity provider.

  • The SSO URL where FogBugz should redirect unauthenticated users to sign in
  • The public X.509 certificate used by your SAML Identity Provider to sign requests

What You’ll Need to Tell Your SAML Identity Provider about FogBugz

  • The EntityID (sometimes called “Audience”) for FogBugz will be:
    • FogBugz On Site: http://{site name}.{host}/saml-sp (https if using SSL).
    • FogBugz On Demand: https://{your-fogbugz-domain}.fogbugz.com/saml-sp.
  • The Assertion Consumer Service URL will be:
    • FogBugz On Site: http://{site name}.{host}/auth/SAML2/POST (https if using SSL).
    • FogBugz On Demand: https://{site name}.fogbugz.com/auth/SAML2/POST

In addition, your SAML Identity Provider must send one of the following attributes as part of the assertion in the POST request to FogBugz:

  • FogBugzFullName: This must match the full name for the user you create in FogBugz.
  • FogBugzEmail: This must match the email address for the user you create in FogBugz.

Please note that the value of whichever attribute you send must be unique in FogBugz so that the SAML identity maps to a single FogBugz user. FogBugz enforces uniqueness for Full Name, but allows multiple users to exist with the same email address. If you’re using the FogBugzEmail attribute to authenticate via SAML, the email address sent by your SAML Identity Provider must therefore belong to only one user in FogBugz. If both the FogBugzFullName and FogBugzEmail attributes are sent, only the FogBugzFullName attribute will be used by FogBugz.
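To confirm that your identity provider is sending the values described above, you can decode a captured assertion and check it offline. The following is an added example, not FogBugz code: the function name `check_assertion`, the site name `example` and the sample assertion are constructed for illustration. It assumes the IdP places the Assertion Consumer Service URL in the `Recipient` attribute, as the standard SAML bearer profile requires, and it does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed); "example" is a placeholder site name.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://example.fogbugz.com/auth/SAML2/POST"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example.fogbugz.com/saml-sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="FogBugzEmail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, base_url):
    """Return (problems, mapping_attribute) for a decoded assertion.

    base_url is the URL used to reach FogBugz, e.g. https://example.fogbugz.com.
    Signature validation is out of scope; only the IdP-side values are checked.
    """
    root = ET.fromstring(xml_text)  # assumes a trusted, locally captured assertion
    base = base_url.rstrip("/")
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if base + "/saml-sp" not in audiences:
        problems.append(f"Audience {audiences} lacks {base}/saml-sp")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if base + "/auth/SAML2/POST" not in recipients:
        problems.append(f"Recipient {recipients} lacks {base}/auth/SAML2/POST")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    # FogBugzFullName takes precedence when both attributes are sent.
    mapping = next((n for n in ("FogBugzFullName", "FogBugzEmail") if attrs.get(n)), None)
    if mapping is None:
        problems.append("neither FogBugzFullName nor FogBugzEmail has a value")
    return problems, mapping


if __name__ == "__main__":
    print(check_assertion(SAMPLE, "https://example.fogbugz.com"))
```

An `http`/`https` mismatch between the URL you browse to and the URL configured at the IdP shows up here as both an Audience and a Recipient problem.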

Enabling SAML SSO

Any Admin user can enable SAML SSO Authentication for FogBugz by navigating to the Gear Menu > Site Configuration > Authentication. From the Authentication Mode dropdown, choose either “Username and Password or SAML Authentication” or “SAML Authentication” and then configure SAML with the information above.

If you’d like help configuring SAML with FogBugz, please contact us.