This article is intended for IT departments and Superusers.
Security Assertion Markup Language (SAML) is an open-standard data format for exchanging authentication and authorization data between parties: here, authentication between an identity provider, IdP (the client), and a service provider, SP (Borealis). This standard makes it possible to log users into an application based on a session established in another context (at the identity provider).
With SAML, the client manages all aspects of authentication, including first name, last name, username, password and password strength.
How does SAML work?
When users try to connect to the Borealis application, they are redirected to the login page of the federation, where authentication takes place. Once authenticated, the user is automatically redirected back to Borealis.
Why SAML?
The SAML login standard has several advantages, including:
- Standardization of connection information
- No new username or password required
- Client manages the password strength
- Client remains the sole manager of passwords and users' main information
- SAML allows single sign-on (SSO) and single log-out (SLO)
- Eases the user experience with any application
Create users with SAML in Borealis
User rights are managed directly in the application by your Borealis Superuser(s). Borealis uses an auto-creation process, so users are automatically created and updated after their first login. It is also possible to configure the federation in the client network for SSO: when users are connected to the federation, they are also automatically connected to Borealis.
What it means for Superusers
If the auto-creation option is not activated, Superusers can create users as usual. If more than one authentication source is configured (for example, some users use SAML while others, such as contractors, do not), the "Authentication source" field must be filled in, and the SAML option must be selected for SAML users.
When creating a SAML user, there is no name or password to record. This information is generated automatically by your federation.
To avoid discrepancies, make sure to follow your internal guidelines and nomenclature if a username needs to be associated with the user. It can be either a username (e.g. johndoe) or the user's email address.
Note that with a SAML integration, it is not possible to reset a password from Borealis or to invite a new user.
Projects and profiles are to be associated as usual.
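The auto-creation and "Authentication source" rules above, as an added illustration of how a service provider can provision SAML users at first login. This is hypothetical example code, not Borealis's own implementation: the user store, the field names, the attribute names in the constructed assertion and the behaviour of rejecting a local account that tries to log in through SAML are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Accepted identifier forms per the nomenclature rule: a plain handle (johndoe) or an e-mail address.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class User:
    username: str
    first_name: str
    last_name: str
    email: str
    auth_source: str                      # "saml" or "local" (assumed field values)
    password_hash: Optional[str] = None   # always None for SAML users: the federation owns the password


class UserStore:
    def __init__(self) -> None:
        self.users: dict = {}


def valid_identifier(name: str) -> bool:
    """True if the identifier follows the username-or-email nomenclature."""
    return bool(USERNAME_RE.match(name) or EMAIL_RE.match(name))


def provision_saml_user(store: UserStore, attrs: dict, auto_create: bool = True) -> User:
    """Create or update a user from the attributes of an already-verified SAML assertion.

    Signature, issuer and audience checks are assumed to have passed before this point;
    this function only implements the provisioning rules."""
    name_id = attrs["NameID"]
    if not valid_identifier(name_id):
        raise ValueError(f"NameID {name_id!r} does not follow the username/e-mail nomenclature")
    user = store.users.get(name_id)
    if user is None:
        if not auto_create:
            # Auto-creation disabled: a Superuser must create the SAML user first.
            raise PermissionError(f"no account for {name_id!r} and auto-creation is disabled")
        user = User(name_id, attrs["firstName"], attrs["lastName"], attrs["email"], "saml")
        store.users[name_id] = user
    elif user.auth_source != "saml":
        # A pre-created account whose Authentication source is not SAML must not be taken over by the IdP.
        raise PermissionError(f"{name_id!r} is a {user.auth_source} account; select the SAML authentication source")
    else:
        # Existing SAML user: refresh the profile from the assertion on every login.
        user.first_name, user.last_name, user.email = attrs["firstName"], attrs["lastName"], attrs["email"]
    user.password_hash = None   # never keep a local password for a SAML user
    return user
```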