Single Sign-On (SSO) - SAML Setup for Azure

Security Assertion Markup Language (SAML) is an open standard for exchanging authorization data. SAML enables convenient Single Sign-On access to multiple applications through one authentication. Fleetio offers SAML-based Single Sign-On for several providers. This article demonstrates setup steps using Microsoft Azure.

Once enabled, users may log in via either SSO or the standard Fleetio credentials (username or email address and password). BOTH methods will be available.

PERMISSIONS: Only Account Owners and Administrators with the Manage SAML Connectors permission can manage Single Sign-On. See User Management Overview for more information.

Prepare for Setup

If you're on the Fleetio Professional or Premium plans, SAML is automatically enabled for your account.

  • Navigate to your Account Menu > Settings > SAML Connectors to get started.

If you're on the Essential plan, SAML is available as an add-on feature.

Azure Setup

Follow the directions below for Azure Single Sign-On setup. Utilize the reference links in each section if you need to refer to Azure's documentation directly.

Add an App to your Azure AD

  1. Go to your Azure Portal and click All Services on the left-side menu.

  2. Search for and click Enterprise Applications.

NOTE: Fleetio will not be found in the gallery, so you may bypass the step of browsing or searching for Fleetio.

  3. In the Enterprise Applications pane, select New Application.

  4. Click Create your Own Application, then:

  • For “What's the name of your app?” enter a name for Fleetio (e.g. “Fleetio”).
  • For “What are you looking to do with your application?” select Integrate any other application you don't find in the gallery.
  • Click Create.

TIP: Reference Microsoft's Add an App to Your Azure AD article if you need further assistance with this step.

Configure Properties

  1. Click Properties on the left-side menu of your newly created app. This opens the Properties pane for editing and configuring your app.

  2. Every app has at least four fields to configure. Use the chart below for guidance, make your selections for the fields listed here, then click Save.
    • [Required] “Enabled for users to sign-in?” - Yes. Determines whether users assigned to the application can sign in.
    • [Optional] Upload an image for your application.
    • [Required] “User assignment required?” - Determines whether users who aren't assigned to the application can sign in. Make a selection for this field.
    • [Required] “Visible to users?” - Determines whether users assigned to the app can see it in My Apps and the Microsoft 365 app launcher.
    • [Optional] Notes - You can optionally use the notes field to add any information that is relevant for the management of the application in Azure AD.

TIP: Reference Microsoft's Configure Properties article if you need additional assistance with this step.

Enabled for users to sign in? | User assignment required? | Visible to users? | Behavior
Yes | Yes | Yes | Assigned users can see the app and sign in. Unassigned users cannot see the app and cannot sign in.
Yes | Yes | No  | Assigned users cannot see the app but they can sign in. Unassigned users cannot see the app and cannot sign in.
Yes | No  | Yes | Assigned users can see the app and sign in. Unassigned users cannot see the app but can sign in.
Yes | No  | No  | Assigned users cannot see the app but can sign in. Unassigned users cannot see the app but can sign in.
No  | Yes | Yes | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in.
No  | Yes | No  | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in.
No  | No  | Yes | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in.
No  | No  | No  | Assigned users cannot see the app and cannot sign in. Unassigned users cannot see the app and cannot sign in.

Assign Users to the App

  1. Click Users and groups on the left-side menu.
  2. Click Add user/group.

NOTE: Assigning groups (instead of individual users) depends on the Active Directory plan level. For example, group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Groups in Azure are NOT the same as groups in Fleetio. For more information, see Microsoft's Active Directory plan levels and pricing.

  3. Search for and select the users or groups you’d like to assign Fleetio access to. You can make multiple selections, and they will appear under Selected items.

  4. Click the Select button at the bottom of the pane once you’ve finished adding users or groups.
  5. Click Assign on the bottom left of the screen.

TIP: Reference Microsoft's Assign Users to the App article if you need additional assistance with this step.

Enable Single Sign-On for the App

  1. Click Single Sign-On, then click SAML to open the SSO configuration page. Leave the page as-is for now; we’ll come back to it.
  2. Open a new browser tab, log into Fleetio, go to your Account Menu, and select Settings.

  3. In the Settings sidebar, click SAML Connectors in the Integrations section.
  4. Click Metadata. On the metadata page that opens, right-click, select Save As, and save the file to your computer.

TIP: Reference Microsoft's Enable Single Sign-On for the App article if you need additional assistance with this step.

Set up Single Sign-On with SAML

  1. Go back to your browser tab with the Azure Single Sign-On pane to configure single sign-on with SAML.
  2. Click Upload Metadata File and import the Fleetio XML metadata file that you saved earlier. Then complete the steps below for each section:

    • Basic SAML Configuration: Make sure the Sign-on URL is https://secure.fleetio.com/users/sign_in. Relay State and Logout URL are optional. See Microsoft's basic SAML configuration settings article to learn more.
    • User Attributes & Claims: When a user authenticates to Fleetio, Azure AD issues Fleetio a SAML token with information (claims) about the user that uniquely identifies them. Fleetio only needs the email address claim.
    • SAML Signing Certificate: Download the Federation Metadata XML, then go back to your Fleetio SAML Connectors page.

  3. On the Fleetio SAML Connectors page, click Add SAML Connector in the top right.
  4. Click the Pick File button and upload the Federation Metadata file. Click Save SAML Connector.

  5. Log out of Fleetio and then go back to your Azure single sign-on configuration view.
  6. Test SAML-based SSO for the Fleetio application: click Test, select Sign in as Current User, then click Test Sign in.

TIP: Reference Microsoft's Single Sign-On with SAML article if you need additional assistance with this step.

Dynamically Provision Users (Optional)

Please note this step is optional.

  1. In Azure, navigate to Single Sign-On on the left side and click Edit in the Attributes & Claims section.

  2. Click Add New Claim.
  3. Create a new claim with the following:
    • Name: first_name
    • Source attribute: user.givenname

  4. Click Save.
  5. Complete this process two more times with the following:
    • Name: last_name
    • Source attribute: user.surname
    and
    • Name: email
    • Source attribute: user.mail
  6. The final Additional Claims table should look similar to this:

Additional Claims Accepted by Fleetio:

Claim Name | Usage | Description
first_name | Create/Update | Contact first name
last_name | Create/Update | Contact last name
group | Create | Contact's group. If a hierarchy, use a pipe (|) to separate the groups. For example: Parent|Child
employee_number | Create/Update | Contact employee number
username | Create/Update | Custom username
classifications | Create/Update | Contact classifications, comma-separated. Possible values include: employee, technician, vehicle_operator
home_phone_number | Create/Update | Contact’s home phone number
work_phone_number | Create/Update | Contact’s work phone number
mobile_phone_number | Create/Update | Contact’s mobile phone number
other_phone_number | Create/Update | Contact’s other phone number
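To make the claim formats in the table concrete, here is an added example (not Fleetio's or Microsoft's code) that reads the custom claims out of a SAML AttributeStatement and applies the documented rules: a pipe-separated group hierarchy, comma-separated classifications restricted to the listed values, and a required email claim. The assertion is constructed sample data, and the handling of an optional Azure claim namespace prefix and the lower-casing of the email are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_CLASSIFICATIONS = {"employee", "technician", "vehicle_operator"}

# Constructed sample AttributeStatement carrying the custom claims from the
# table above (signature, Subject and Conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>Ada@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>North Region|Depot 4</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="classifications"><saml:AttributeValue>technician, vehicle_operator, admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employee_number"><saml:AttributeValue>E-1042</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_claims(assertion_xml):
    """Return {claim_name: value} for each Attribute in the AttributeStatement.
    If a claim was added in Azure with a namespace, its Name is prefixed with
    that URI, so the segment after the last '/' is used (assumption)."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "").rsplit("/", 1)[-1]
        value = attr.find("saml:AttributeValue", SAML_NS)
        if name and value is not None and value.text is not None:
            claims[name] = value.text.strip()
    return claims

def contact_from_claims(claims):
    """Map claims to a contact record using the article's rules: email is
    required, group is a pipe-separated hierarchy, classifications are
    comma-separated and limited to the documented values (unknown values are
    reported in 'warnings' rather than applied). Email is lower-cased for
    matching (assumption)."""
    if "email" not in claims:
        raise ValueError("email claim is required to identify the Fleetio user")
    contact = {"email": claims["email"].lower(), "warnings": []}
    for key in ("first_name", "last_name", "employee_number", "username"):
        if key in claims:
            contact[key] = claims[key]
    if "group" in claims:
        contact["group_path"] = [g.strip() for g in claims["group"].split("|") if g.strip()]
    if "classifications" in claims:
        wanted = {c.strip().lower() for c in claims["classifications"].split(",") if c.strip()}
        contact["classifications"] = sorted(wanted & ALLOWED_CLASSIFICATIONS)
        contact["warnings"] += [f"ignored unknown classification: {c}" for c in sorted(wanted - ALLOWED_CLASSIFICATIONS)]
    return contact
```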

Finalize Connector Setup

The last step in the process is to apply the SSO URL from Fleetio to your Azure account. This value contains an ID which does not exist until you complete the Fleetio portion of the setup procedure.

  1. After completing the Fleetio setup, return to Account Menu > Settings > SAML Connectors and click the Copy to Clipboard button.

  2. Take the SSO URL from Fleetio that you just copied and paste it into the Sign on URL field in Azure.

NOTE: A domain is required for SAML/SSO configuration. To request that a domain be added to your SAML connector, contact help@fleetio.com. Requests must come from the Fleetio Account Owner or Administrator.

Single Sign-On Enforcement

Once setup is complete, you can enable Single Sign-On Enforcement to require users to sign in using SSO.

IMPORTANT: Ensure the SAML Single Sign-On process is working correctly prior to enabling this option.

To enable SSO Enforcement:

  1. Go to your Account Menu and select Settings.

  2. In the Settings sidebar, click Security in the User Access section.
  3. Check the box to Enforce SAML Single Sign-On (SSO). Do not check this box if you want users to have the option to sign in with either their Fleetio credentials or SSO.
  4. (Optional) To exclude specific Email addresses or Domains from SSO enforcement, enter them in the Email addresses excluded from SSO enforcement or Domains excluded from SSO enforcement fields.

NOTE: Enforce SAML Single Sign-On will apply to all users EXCEPT for the Account Owner and any Email addresses or Domains listed in their respective fields.

  5. Scroll to the bottom of the page and click the Save Security Settings button to save your changes.

NOTE: Once Enforce SAML Single Sign-On (SSO) is enabled, users will be required to use SSO on their next login.
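The exemption rules above, written out as an added example (not Fleetio's code) so you can check how a given address would be treated before turning enforcement on. The article does not say how Fleetio matches excluded domains; this example assumes an exact, case-insensitive match on the whole part after the @, so an excluded domain does not also exempt look-alike domains.

```python
def must_use_sso(email, account_owner_email, excluded_emails=(), excluded_domains=()):
    """Return True if this login must go through SAML SSO while enforcement is on.
    Exemptions follow the article: the Account Owner, then any listed email
    address, then any listed domain. Domain matching is an assumption: the whole
    part after '@' must equal an excluded domain (case-insensitive), so
    'example.com' exempts neither 'user@example.com.other.test' nor
    'user@notexample.com'."""
    addr = email.strip().lower()
    if addr == account_owner_email.strip().lower():
        return False
    if addr in {e.strip().lower() for e in excluded_emails}:
        return False
    if "@" not in addr:
        return True  # malformed address: never treat it as exempt
    domain = addr.rsplit("@", 1)[1]
    exempt_domains = {d.strip().lower().lstrip("@") for d in excluded_domains}
    return domain not in exempt_domains
```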