Enterprise Authentication
The core use of enterprise authentication is to integrate with an existing identity provider (IdP) and provide an authentication service for users logging into Tulip and the Tulip Player.
SAML is a generic authentication protocol supported by a wide range of systems. In SAML terminology, Tulip is a Service Provider (SP), and your SAML software is the Identity Provider. The Identity Provider stores or federates information about users and what applications they have access to.
Tulip can use the SAML protocol to request information about users from the IdP when they log in. Tulip adheres to the SAML 2.0 specification.
Without SAML, users with "operator" roles log in through badge IDs as opposed to IdP username and password. Turning on the SAML integration provides a greater level of security.
To learn more about the available roles in Tulip, see this guide to User Roles.
Your identity provider must support the ForceAuthn argument from the SAML 2.0 specification.
Creating Standardized Access Groups
Every user will need a Role attribute specified in your IdP that Tulip uses to determine their privileges once they’ve authenticated with their IdP username and password. The role field can also be used to determine what sites they have access to using a standard naming convention.
While a role field can be mapped using existing group information, it is recommended that you assign the user to Tulip-specific groups and map those to an attribute.
Every user will need at least one role. If a user has multiple roles, Tulip will select the role with the highest level of access. A user can also have multiple roles for different sites.
At least one Account Owner must exist per site.
Identity Provider Configuration
Within the Account Settings page of the Tulip instance, the identity provider configuration details will need to be provided. You can opt to upload your IdP metadata XML to fill in these fields, but ultimately an SSO login and logout URL is needed, as well as the certificates for your IdP server to verify SAML responses. The certificates must be in PEM format.
Tulip's SAML SP certificates expire yearly. Tulip will reach out and notify customers two weeks prior to expiration to rotate the certificates.
Authentication Options
The authentication options section allows Account Owners to either set a specific authentication method for their Identity Provider to use when authenticating to Tulip, or to disable authentication method matching and allow the Identity Provider to select a method independently. You can read more about SAML authentication methods in the Authentication Context Classes section of the OASIS SAML Authentication Context Specification. By default, authentication method matching is enabled and the authentication method is set to Password Protected Transport.
Attribute Mapping
Once the IdP attributes have been configured, they can be mapped within Tulip. Three attributes are required: Name, Email, and Badge.
Role Mapping
There are two options for role mapping in Tulip: Tulip Default Role Mapping and Custom Role Mapping.
Tulip Default Role Mapping
Choose the default level of access to be either the Viewer role or Viewer with Player Access role. On first login, all users are given this level of access. The Account Owner must then adjust the roles of users to appropriate levels. The roles within Tulip will govern access from that point forward.
Custom Role Mapping
On first login, all users are assigned a role based on their IdP Role attribute. This is only for initial configuration - once a user has authenticated, Tulip will not directly read the Role attribute of the user again. Therefore, any role changes must be done within the platform by an Account Owner.
To configure custom roles, the naming convention used for the values within the Role attribute should be mapped to a standard Tulip role to be granted to the user. Each attribute value must be mapped to at most one Tulip role, but a given Tulip role may be mapped from more than one attribute value.
Access Control
Access Attribute
If a user does not have this SAML attribute, they will not be allowed to log in to Tulip. If left blank, any user in your organization will be allowed to log in to Tulip (as long as they have a role).
Access Value
If a user does not have the access attribute set to this value, they will not be allowed to log in to Tulip. If left blank, users may have any value in the attribute.
This is relevant for default mapping scenarios, where the userbase still needs definition of who can access Tulip, regardless of role or workspace.
Attribute Update Behavior
Tulip Control Mode is the default behavior where users' Tulip role and workspace are taken from the SAML attribute mapping only the first time they log in to Tulip, and users deactivated in Tulip are prevented from logging in. IdP Control Mode means that whenever a user successfully authenticates, they will be reactivated and their Tulip role and workspace will be updated from the IdP.
When Identity Provider Control Mode is enabled, editing a user's role and workspace in Tulip user settings is disabled. Additionally, this mode cannot be enabled simultaneously with Tulip Default Role Mapping.
Customization
The label on the login button for Tulip login pages can be customized. The default value is "SAML".
Workspaces Mapping
With Workspaces enabled, an additional set of attributes and mappings become available for access control. The two same options for mapping are present.
Tulip Default Workspace Mapping
On first login, all users are given access to a configurable default workspace. An Account Owner can then adjust Workspace access.
Custom Workspace Mapping
On first login, a user is assigned workspace access based on a defined Workspace attribute. Once a user has authenticated, Tulip will not directly read the Workspace attribute of the user again. Therefore, any workspace changes must be done within the platform by an Account Owner.
To configure custom Workspace mappings, the naming convention used for the values within the Workspace attribute should be mapped to a standard Tulip Workspace to be granted to the user. Each attribute value must have a unique mapping, but more than one Workspace may be mapped from a given attribute value.
Any Workspaces that do not have a mapping will not be accessible.
Automatic Log Out
Tulip supports IdP-initiated logout. If you want users to log out of all software services at once via a logout from your identity provider, Tulip will respond to that logout request.
Login Throttling
Login access will be disabled for approximately 10 minutes after 10 failed attempts.
History Records
In Tulip, common manufacturing assets such as batches, materials and assemblies are tracked as records in the Tables feature.
To view the full history of any of these records, including SAML usernames, a Tulip user must use the Record History Widget within the Tulip Player.
Tests
| ID | Name |
|---|---|
| QA-T112 | Signature Step : 07 - LDAP Signature Widgets should accept a correct username/password pair |
| QA-T119 | Group-Restricted LDAP : 01 - Sysadmin accounts can log in |
| QA-T120 | Group-Restricted LDAP : 02 - Users in the configured admin group can log in |
| QA-T121 | Group-Restricted LDAP : 03 - Users operator group can log in |
| QA-T122 | Group-Restricted LDAP : 04 / Admins should not be able to create Users |
| QA-T123 | Group-Restricted LDAP : 05 - Deactivated users should still be able to log in |
| QA-T170 | SAML : 01 - Sysadmin accounts can log in on SAML |
| QA-T171 | SAML : 02 - Admins can log in to Factory using SAML |
| QA-T172 | SAML : 04 - Operators can log into Player using SAML |
| QA-T173 | SAML : 05 - Operators should not be allowed to login to Factory on SAML |
| QA-T174 | SAML : 03 - Admins should be able to log into Player |
| QA-T292 | Settings SAML Config : 01 - Form shows an error when a non-SAML file is uploaded |
| QA-T293 | Settings SAML Config : 02 - Form shows an error when a non-XML file is uploaded |
| QA-T294 | Settings SAML Config : 03 - Upload IdP metadata file |
| QA-T295 | Settings SAML Config : 04 - Configure SAML Settings |
| QA-T298 | Settings SAML Config : 05 - Test Authentication |
| QA-T331 | LDAP Tulip Managed : 01 - Creating Users |
| QA-T332 | LDAP Tulip Managed : 02 - Users can log in via LDAP |
| QA-T333 | LDAP Tulip Managed : 03 - Deactivated Users can't Log In |
| QA-T651 | Signature Step : 07 / LDAP Signature Widgets should reject wrong/empty passwords |
| QA-T653 | LDAP Tulip Managed : 01 / Creating a User with the same name |
| QA-T655 | LDAP Tulip Managed : 02 / Operators can't log into Factory via LDAP |
| QA-T809 | Mobile - Register Tulip Player on SAML enabled site |
| QA-T829 | Signature Widget : 03 - Signing in LDAP, SAML |
| QA-T830 | Signature Widget : 03 / Denied signing in LDAP, SAML |
Requirements
| ID | Requirement |
|---|---|
| PLAT-8825 (23) | Ability to use biometric devices for login and authentication. |
| PLAT-8829 (26) | Ability to authenticate all defined users with a unique username and password using a single sign-on (eg. oAuth, LDAP, Active Directory, etc). |
| PLAT-8903 (821) | Ability to define access security levels for records and electronic signatures. Ie. user groups and user roles and their associated priveleges to system resources and data |