Comment: Published by Scroll Versions from this space and version 8.3.0
SAML Authentication

SAML is a Single Sign-On (SSO) authentication method that uses an external identity provider to authenticate a user at their first login. A token is saved to the user's browser and used for subsequent logins, so that the user does not need to re-submit credentials.

...

To use SAML authentication, you will need SAML set up for your instance with an Identity Provider (IdP), such as Microsoft ADFS, OneLogin, Elastic SSO, or others. You can view a list of available SAML IdPs at Wikipedia's SAML-based products page.

Note:

Some identity providers (such as Workspace One) have additional public/private key authentication requirements beyond what ProVision requires.

If you receive a SAML configuration error of "Unable to load private key" or similar, please check your IdP requirements and documentation.


Users and Permissions:

User credentials will need to be created and associated with ProVision permission group names via the IdP. All user creation, management and permissions handling occurs via the IdP, externally from ProVision.

...

You can test the configuration by clicking the "Test SAML Configuration" button. A new page will open giving health check information for your provided attributes.

Using the External ID Field

For some SAML providers it is not possible to have a user-friendly group name. For example, while ProVision tries to match ProVision group names against Microsoft Azure group names, MS Azure exports group names like "abc-GFHEKJSHD-123". In these cases, you can set the "External ID" field for a group (in this example, "New Global Group") to "abc-GFHEKJSHD-123". Then, when logging in via SAML, ProVision will correctly recognize that the SAML user should be part of the "New Global Group" group.

To add an external ID, go to Admin → User Groups. Select a group to edit, enter the external ID, and click "Save". For more details on working with permissions groups see Working with Groups.
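
The following is an added example, not ProVision code: an offline audit that takes the group values from a decoded SAML assertion and reports which ones resolve to a local group by name or External ID, which match nothing, and which are ambiguous. It assumes exact string matching and a group attribute named "groups"; the assertion and the group list are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of a decoded SAML assertion.
# The attribute name "groups" is an assumption; use the one your IdP sends.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>abc-GFHEKJSHD-123</saml:AttributeValue>
      <saml:AttributeValue>Read Only</saml:AttributeValue>
      <saml:AttributeValue>xyz-UNMAPPED-999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local groups as (name, External ID or None).
LOCAL_GROUPS = [("New Global Group", "abc-GFHEKJSHD-123"), ("Read Only", None)]


def asserted_groups(assertion_xml, attribute="groups"):
    """Return the group values carried in the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@Name='{attribute}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(path, NS)]


def audit_mapping(values, local_groups):
    """Resolve each asserted value to a local group by name or External ID.

    Returns (matched, unmatched, ambiguous). A value that resolves to more
    than one local group is ambiguous and is not counted as a match.
    """
    matched, unmatched, ambiguous = {}, [], {}
    for value in values:
        hits = sorted({name for name, ext in local_groups
                       if value and (value == name or value == ext)})
        if len(hits) == 1:
            matched[value] = hits[0]
        elif hits:
            ambiguous[value] = hits      # e.g. External ID equals another group's name
        else:
            unmatched.append(value)      # IdP group with no local counterpart
    return matched, unmatched, ambiguous
```

Unmatched values show IdP groups that still need an External ID set under Admin → User Groups; ambiguous values point at an External ID that collides with another group's name and should be corrected before users rely on it.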

SAML Login

Once the correct configuration has been established and users set up for SAML in the IdP, users will be able to use SAML logins.

...

From the ProVision login page, select SAML from the authentication options dropdown. You do not need to enter Username or Password.

You will be redirected to the IdP site as set up in the Admin Configuration. Here, we are using Microsoft ADFS (Active Directory Federation Services).

...

After the initial login via the IdP, and as long as the auth token is present, users will be able to log in to ProVision simply by selecting the "SAML" option from the ProVision login page, without entering credentials.

The auth token may be destroyed or not available if browser cookies have been cleared, a different browser used, or the browser fully closed, depending on security settings. In these cases, the user will need to sign in again via the IdP.

...