Manuscript supports Single Sign-On (SSO) integration with SAML 2.0 compliant identity providers. There are a number of services that support SAML 2.0 and integrate with LDAP (e.g. Okta, OneLogin, and ClearLogin). You can also configure your own identity provider which integrates with your LDAP configuration (e.g. Shibboleth or SimpleSAMLphp). Active Directory supports SAML 2.0 SSO via ADFS.

Please note: for Manuscript On Site, you will need to enable and force HTTPS connections in order to support ADFS.

When configuring the trust relationship with your identity provider, many of the values will vary depending on the URL you use to access FogBugz. The format for the metadata is below.

What You’ll Need to Tell Manuscript About Your SAML Identity Provider

Manuscript will require two values to configure SAML authentication, both of which should be supplied by your identity provider:

  • The SSO URL where Manuscript should redirect unauthenticated users to sign in
  • The public X.509 certificate used by your SAML Identity Provider to sign requests

What You’ll Need to Tell Your SAML Identity Provider

  • The EntityID (sometimes called “Audience”) for Manuscript will be:
    • Manuscript On Site: https://{site name}.{host}/saml-sp
    • Manuscript: https://{site name}
  • The Assertion Consumer Service URL will be:
    • Manuscript On Site: https://{site name}.{host}/auth/SAML2/POST
    • Manuscript: https://{site name}

In addition, your SAML Identity Provider must send one of the following attributes as part of the assertion in the POST request to Manuscript:

  • FogBugzFullName: This must match the full name for the user you create in Manuscript.
  • FogBugzEmail: This must match the email address for the user you create in Manuscript.

Please note that each attribute must be unique in order to map a single Manuscript User to the SAML Identity. Manuscript enforces uniqueness for Full Name, but it allows multiple users to share the same email address. If you’re using the FogBugzEmail attribute to authenticate via SAML, the email address sent by your SAML Identity Provider must therefore belong to only one user in Manuscript. If both the FogBugzFullName and FogBugzEmail attributes are sent, only the FogBugzFullName attribute will be used.

Enabling SAML SSO

Any Admin user can enable SAML SSO Authentication by navigating to your Avatar Menu > Site Configuration > Authentication. From the Authentication Mode drop-down, choose either “Username and Password or SAML Authentication” or “SAML Authentication” and then configure SAML with the information above.

If you’d like help configuring SAML with Manuscript, please contact us.