This documentation will help you integrate your identity services with Fuze offered by FuzeBox through Internet2's NET+ program. Associated portions of the NET+ Identity Guidance for Services are noted by section.

Discovery and Authentication

In the client, a user chooses SAML-based authentication and then enters a vanity URL hosted by Fuze. Fuze associates this URL with the organization and its identity provider, so the URL also serves as the discovery mechanism: there is no separate IdP selection step. The URL must take the form https://organization.fuze.me/login.

By default, anyone can attend a Fuze meeting, but the individual scheduling a meeting must have an account. The host of a meeting is able to selectively accept users to a meeting that is in progress.

Attributes

Fuze expects to receive a first name, a last name, and a primary identifier of the form user@domain. The table below lists the default mappings from SAML attribute names to the attributes as understood by Fuze.

Fuze Attribute              Recommended SAML Attribute Name        Optional
firstName                   urn:oid:2.5.4.42                       No
lastName                    urn:oid:2.5.4.4                        No
Principal Identifier        urn:oid:1.3.6.1.4.1.5923.1.1.1.6       No
displayName                 urn:oid:2.16.840.1.113730.3.1.241      Yes
subscription (entitlement)  urn:oid:1.3.6.1.4.1.5923.1.1.1.7       Yes

Fuze expects to receive these attributes with a SAML NameFormat of urn:oasis:names:tc:SAML:2.0:attrname-format:basic. Attributes released with another NameFormat (for example attrname-format:uri) will not match the default mappings.

The SAML names for these attributes are configurable, and Fuze can transform received attribute values in order to populate the required fields. Fuze prefers that the recommended names and values be used where possible.
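The mapping above, applied to the AttributeStatement of an incoming assertion, as an added example (not Fuze's own code, and not PySAML2): it maps the recommended OID names onto the Fuze attribute names from the table, rejects attributes that do not carry the basic NameFormat, reports any missing required attribute, and checks that the principal identifier has the user@domain shape Fuze expects. The sample assertion fragment and the entitlement value urn:mace:example.edu:fuze:host are constructed for illustration.

```python
"""Map SAML 2.0 attributes onto Fuze's attribute names.

Added example; not Fuze's own code and not how Fuze's PySAML2 deployment
is configured. The AttributeStatement below is constructed, not captured
from a real identity provider.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRIBUTE_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Recommended SAML attribute name -> (Fuze attribute, required), from the table above.
FUZE_ATTRIBUTE_MAP = {
    "urn:oid:2.5.4.42": ("firstName", True),                          # givenName
    "urn:oid:2.5.4.4": ("lastName", True),                            # sn
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ("principalIdentifier", True),  # eduPersonPrincipalName
    "urn:oid:2.16.840.1.113730.3.1.241": ("displayName", False),
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ("subscription", False),      # eduPersonEntitlement
}
MULTI_VALUED = {"subscription"}          # a user may hold several entitlements
PRINCIPAL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # user@domain


def map_attributes(statement_xml):
    """Return (fuze_attributes, problems).

    fuze_attributes is keyed by Fuze attribute name; problems lists every
    reason the statement would not satisfy Fuze's required fields. Attributes
    Fuze does not use are ignored rather than rejected.
    """
    root = ET.fromstring(statement_xml)
    attrs, problems = {}, []
    for attr in root.iter(ATTRIBUTE_TAG):
        name = attr.get("Name")
        if name not in FUZE_ATTRIBUTE_MAP:
            continue
        fuze_name, _required = FUZE_ATTRIBUTE_MAP[name]
        if attr.get("NameFormat") != BASIC_FORMAT:
            problems.append(f"{name}: NameFormat must be {BASIC_FORMAT}")
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        if not values:
            continue  # an empty attribute is treated like an absent one
        attrs[fuze_name] = values if fuze_name in MULTI_VALUED else values[0]

    for fuze_name, required in FUZE_ATTRIBUTE_MAP.values():
        if required and fuze_name not in attrs:
            problems.append(f"missing required attribute {fuze_name}")
    principal = attrs.get("principalIdentifier")
    if principal is not None and not PRINCIPAL_RE.match(principal):
        problems.append(f"principalIdentifier {principal!r} is not of the form user@domain")
    return attrs, problems


# Constructed sample; the entitlement value is hypothetical.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Alex</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>alex@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>Alex Example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>urn:mace:example.edu:fuze:host</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Failure cases derived from the sample: sn dropped, and the wrong NameFormat everywhere.
MISSING_LASTNAME = SAMPLE_STATEMENT.replace('Name="urn:oid:2.5.4.4"', 'Name="urn:oid:0.9.2342.19200300.100.1.3"')
WRONG_FORMAT = SAMPLE_STATEMENT.replace("attrname-format:basic", "attrname-format:uri")

if __name__ == "__main__":
    for label, xml in (("ok", SAMPLE_STATEMENT), ("missing sn", MISSING_LASTNAME), ("uri format", WRONG_FORMAT)):
        attrs, problems = map_attributes(xml)
        print(label, attrs, problems, sep="\n  ")
```

The point of returning a list of problems rather than failing on the first one is operational: when an IdP is onboarded, the person reading the error wants every mismatch (wrong NameFormat and a missing OID at once) in a single login attempt.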

In rare cases Fuze sends email notifications to the address given as the user identifier, so the principal identifier should be a deliverable mailbox rather than an opaque user@domain value.

Fuze maps SAML users to organizations based on the identity provider used. The user attributes persisted by Fuze are updated each time a user authenticates with the same identifier; the identifier itself is the key, so Fuze must be explicitly informed when a persisted user identifier needs to change (for example after a rename), or the user will be treated as a new account.

Privileges

Fuze allows deployers to manage user privileges by supplying a "subscription" value (the entitlement attribute in the table above) for any given user.

The scheduler of a meeting is typically the host of a meeting.

Provisioning

Users are typically provisioned to Fuze by dynamic front-channel provisioning (3.1), that is, an account is created on first successful SAML login. Fuze can also provision user representations through a back channel, using a CSV file or another mechanism, if an organization prefers.

Deprovisioning

Fuze has a custom API that allows attributes in the user representation persisted by Fuze to be changed and that can either disable or delete users. Disabling is preferred to deleting, since a disabled account retains its meeting history and can be re-enabled. Note that front-channel provisioning will not recreate a disabled account on login, but it will create a fresh account for a deleted identifier if the IdP still releases it, so deprovisioning at the IdP should accompany either operation.

Logout

User sessions expire either after four hours or when the Fuze client application is closed. The Fuze session is not tied to the user's IdP session: ending the IdP session (single logout) does not end an existing Fuze session, and Fuze does not participate in SAML single logout.

Implementation

Fuze uses PySAML2.

Metadata Support

Fuze is able to consume metadata supplied directly by an identity provider.

Non-Browser Access

Fuze provides its service through a client application for many platforms. The client is SAML-aware and performs user authentication through standard web-based mechanisms: it interacts with the identity provider using a web browser supplied by the operating system and in some situations can therefore reuse an existing SSO session.

Native mobile device applications behave the same way as desktop applications.

Example Configuration for SAML Implementations

Add to relying-party.xml:


Add to attribute-filter.xml:
