SAML

Before You Begin

Navigate to Admin > System Configuration > SAML

About the Task

Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in an external Identity Provider (IdP). An IdP is a system entity that creates, maintains, and manages identity information for users and provides authentication services to relying applications within a federation or distributed network. The identity provider acts as an authentication provider only: Pliant still decides which users exist and which roles they hold. Trusted SAML metadata (the IdP's entity ID, its single sign-on endpoints and its signing certificate) is what allows Pliant, as the service provider, to verify that an assertion really came from the configured IdP.

The SAML page

Procedure

To use this functionality, a user must first be created by an administrator; Pliant does not create accounts on first SAML login. Users that do not exist in Pliant, or that have been deleted, cannot log in via SAML, and the same applies to users that are disabled on the SAML (IdP) side. A user who exists in Pliant as a local user with a password but is disabled at the IdP can only log in locally.

The next step is to enable SAML.

When SAML is enabled under a local policy, a newly created user automatically receives two default roles, "everyone" and "role1", and keeps them on each subsequent login. This applies as long as the Identity Provider (IdP) mapping setting remains inactive.

Enabling IdP mapping derives roles from IdP groups instead.

A newly created user who is a member of the IdP group "group1" acquires the roles "Pliant_Role_group1" and "everyone". Already existing users are not affected by their first login via SAML, but on their next SAML login they lose their assigned roles and acquire "Pliant_Role_group1" and "everyone". If a new or an existing user is not a member of any identity provider group, they hold only the "everyone" role after their second login via SAML.

IdP users can be members of more than one group at the same time. A user in both "group1" and "group2" loses their current roles upon creation and first login and assumes "Pliant_Role_group1", "Pliant_Role_group2", and "everyone".

Users removed from the IdP are removed from the identity provider groups and can no longer log in with SAML. If they are also local users, they can still access Pliant with their passwords, and their currently assigned roles are not revoked. The same applies if SAML was used and later disabled. Offboarding a person at the IdP therefore does not offboard their local Pliant account: disable or delete it in Pliant as well.
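The following Python is an added illustration, not Pliant's own code: it reads the username, first name, last name and group attributes out of a constructed, already signature-verified assertion using claim names configured the way the settings below are, then applies the role rules described above. The claim names, the name of the group attribute (the page lists no setting for it), and treating a user that has no roles yet as "newly created" are assumptions; the behaviour of a pre-existing user with IdP mapping disabled is not specified on the page, so the model leaves that user's roles untouched.

```python
"""Model of Pliant's documented SAML login and role-mapping rules (illustrative only)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_ROLES = frozenset({"everyone", "role1"})   # roles used when IdP mapping is off

# Mirrors the attribute settings on the SAML page. The claim names and the
# existence of a group attribute are assumptions for this example.
ATTRIBUTE_CONFIG = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}

# Constructed sample assertion: a user "jdoe" in IdP groups group1 and group2.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>group1</saml:AttributeValue>
      <saml:AttributeValue>group2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml, config):
    """Pull the configured claims out of an assertion.

    Only call this on an assertion whose XML signature has already been verified
    against the certificate from the IdP metadata. Otherwise the group values,
    and therefore the Pliant roles derived from them, are attacker-controlled.
    """
    if "<!DOCTYPE" in assertion_xml:
        raise ValueError("refusing assertion with a DOCTYPE (entity expansion risk)")
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        values[name] = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]

    def first(key):
        vals = values.get(config[key], [])
        return vals[0] if vals else None

    return {
        "username": first("username"),
        "first_name": first("first_name"),
        "last_name": first("last_name"),
        "groups": values.get(config["groups"], []),
    }


def roles_for_groups(groups, idp_mapping):
    """Roles a login would map to: defaults when mapping is off, Pliant_Role_<group> otherwise."""
    if not idp_mapping:
        return set(DEFAULT_ROLES)
    return {"everyone"} | {f"Pliant_Role_{g}" for g in groups}


@dataclass
class PliantUser:
    username: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    saml_logins: int = 0   # number of completed SAML logins for this account


def saml_login(directory, attrs, idp_mapping):
    """Apply the documented rules to one SAML login; raises if the login must be denied."""
    user = directory.get(attrs["username"])
    if user is None or not user.enabled:
        # No just-in-time provisioning: the account must already exist and be enabled.
        raise PermissionError("SAML login denied: user must be created and enabled by an administrator")
    newly_created = not user.roles and user.saml_logins == 0   # assumption: "new" == no roles yet
    user.saml_logins += 1
    if not idp_mapping:
        if newly_created:
            user.roles = roles_for_groups([], False)
        return user   # assumption: existing users' roles are left as-is (page does not say)
    if not newly_created and user.saml_logins == 1:
        return user   # documented: a pre-existing user's first SAML login does not touch roles
    user.roles = roles_for_groups(attrs["groups"], True)   # from the second login on, roles are replaced
    return user
```

Note that `roles_for_groups` is the only place a group name becomes a role name; if the IdP admin can create groups freely, anyone who can name a group "admin" gets "Pliant_Role_admin", so the group attribute should be restricted to groups you control.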

Setting Up

To set up SAML, first check that the URLs shown on the right of the page are correct. You will need to provide these to your IdP when you configure it to work with Pliant (Pliant is the service provider in that configuration).

Then tick the Enable SAML checkbox and fill out the following settings.

Setting                              Description
Format                               Whether Pliant loads the IdP metadata from a URL or from XML pasted directly into the next field.
Identity Provider Metadata URL/XML   The URL of the identity provider metadata, or the metadata XML itself, depending on Format. Prefer an https URL: metadata fetched over plain http can be altered in transit, including the IdP signing certificate it carries.
Button text                          The text displayed on the SAML login button.
Username attribute                   The name of the SAML attribute (claim) the IdP returns that Pliant uses as the username.
First name attribute                 The name of the SAML attribute (claim) the IdP returns that Pliant uses as the first name.
Last name attribute                  The name of the SAML attribute (claim) the IdP returns that Pliant uses as the last name.
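Before pasting metadata into the Identity Provider Metadata URL/XML field, it is worth checking what it actually contains. The following Python is an added example, not Pliant code: it parses a constructed IdP metadata document, extracts the entity ID, the single sign-on endpoints and the SHA-256 fingerprint of each signing certificate, and flags the things that weaken the trust the page relies on (a metadata URL or an SSO endpoint that is not https, no signing certificate, a DOCTYPE that could carry entity expansion). The certificate body in the sample is a placeholder, not a real X.509 certificate; a real check would additionally parse the certificate and confirm its validity period, which needs a library such as `cryptography`.

```python
"""Sanity-check IdP SAML metadata before trusting it (illustrative, not Pliant code)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata. The certificate text is a placeholder, not a real certificate,
# and the HTTP-POST endpoint is deliberately plain http so the check has something to flag.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text, source_url=None):
    """Return entity ID, SSO endpoints, signing-cert fingerprints and a list of problems."""
    problems = []
    if source_url is not None and urlparse(source_url).scheme != "https":
        problems.append(f"metadata was fetched over {urlparse(source_url).scheme!r}, not https")
    if "<!DOCTYPE" in xml_text:
        # ElementTree does not fetch external entities, but refusing DOCTYPE outright
        # also rules out internal entity expansion ("billion laughs").
        raise ValueError("refusing metadata with a DOCTYPE")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID missing")
    idp = root.find("md:IDPSSODescriptor", {"md": MD_NS})
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", {"md": MD_NS}):
        if kd.get("use", "signing") != "signing":   # no "use" means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha256(der).hexdigest()
            fingerprints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    if not fingerprints:
        problems.append("no signing certificate: assertions cannot be verified")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", {"md": MD_NS}):
        binding, location = svc.get("Binding"), svc.get("Location")
        sso[binding] = location
        if urlparse(location or "").scheme != "https":
            problems.append(f"SingleSignOnService {binding} is not https: {location}")

    return {"entity_id": entity_id, "sso": sso,
            "signing_cert_sha256": fingerprints, "problems": problems}


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_METADATA, source_url="http://idp.example.com/metadata")
    print(report["entity_id"], report["sso"], report["signing_cert_sha256"], sep="\n")
    for p in report["problems"]:
        print("PROBLEM:", p)
```

The fingerprint is the value to compare with what the IdP administrator reports out of band; if it differs, the metadata you were handed is not the IdP's, whatever the URL looked like.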