specs/routes/R_SAML

Settings - SAML Setup

Overview

There are multiple ways that a Tulip account can be configured to work with an external identity provider. These options are detailed on the Enterprise Authentication page.

If a Tulip account is configured by a Tulip engineer to utilize a SAML directory for both authentication and authorization of users (called SAML Control Mode), then a user with the Account Owner role will need to use this page to determine which SAML attributes will map to certain Tulip user properties.

This must be done before SAML users are able to successfully log in to Tulip.

Model/Page Connections

User

Create

  • This interface allows you to authenticate and authorize users in Tulip as soon as they log in with their SAML credentials. All user attributes will be determined by the mapping of SAML attributes to user properties in this interface.

Pages

This page can be accessed from:

User Permissions

Only users with "Account Owner" permissions can access this interface.

Account Settings Configuration

NOTE: SAML configuration settings are only available when samlConfigUI is set to True.

Enable SAML Logins - When toggled, users will be prompted to log in through the SSO provider when authenticating.

Identity Provider Configuration

Upload Identity Provider Metadata XML - Automatically fill the remaining fields based on a provider-supplied metadata file.

| FIELD | DESCRIPTION |
| --- | --- |
| SSO Login URL | The URL for your IdP which users log in with. |
| SSO Logout URL | The URL for your IdP which users log out with. |
| Certificates | The certificates for your IdP server, used to verify SAML responses. Must be in PEM format. You may enter multiple certificates separated by blank lines. |
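The sketch below is an added example, not Tulip's code: it shows how the three fields above can be derived from a SAML 2.0 IdP metadata file, and it rejects non-XML and non-SAML uploads (the cases covered by QA-T292 and QA-T293). The function name, the returned keys, the sample host and the placeholder certificate value are all assumptions.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata; the host and certificate bytes are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/meta">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the login URL, logout URL and PEM certificates from IdP metadata."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not accepted in metadata uploads")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("not an XML file") from exc
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not a SAML IdP metadata file")
    def location(tag):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None
    pems = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue  # only signing (or unspecified-use) keys verify responses
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            base64.b64decode(b64, validate=True)  # raises ValueError on bad data
            pems.append("-----BEGIN CERTIFICATE-----\n"
                        + "\n".join(textwrap.wrap(b64, 64))
                        + "\n-----END CERTIFICATE-----")
    return {"SSO Login URL": location("SingleSignOnService"),
            "SSO Logout URL": location("SingleLogoutService"),
            "Certificates": "\n\n".join(pems)}  # blank line between certificates
```

The parser only checks that each certificate is valid base64; it does not establish that the metadata came from your IdP, so the extracted values should still be compared against what the IdP administrator publishes.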

Authentication Options

Configure where and how users authenticate on your instance.

| FIELD | DESCRIPTION |
| --- | --- |
| Authentication Context Class | The method by which users authenticate. You can read more about authentication context classes in the OASIS SAML Authentication Context Specification. Options: Enable Authentication Method Matching and Disable Authentication Method Matching |
| Force Authentication | Whether or not to always require manual authentication in a given context. When in the "off" position, users may authenticate with an existing session. When in the "on" position, authentication will always require user interaction. Users can configure for Instance Login and Player registration, or Station Operator Login, or both. |

Attribute Mapping

Configure how you want to map your SAML user attributes to Tulip user profile fields.

| FIELD | DESCRIPTION |
| --- | --- |
| Name Attribute | The SAML attribute containing the user's display name. |
| Email Attribute | The SAML attribute containing the user's email address. |
| Badge Attribute | The SAML attribute containing the user's badge ID. |

Role Mapping

Configure what level of access in Tulip users should be given based on their SAML attributes.

Options:

  • Tulip Default Role Mapping - All users will be assigned this role when they log in.
  • Custom Role Mapping - Use your SAML attributes to determine what role to assign users when they log in.

If Custom Role Mapping has been selected:

  • The SAML attribute containing role should be entered.
  • Each value for the role attribute, and its associated Tulip role, should be mapped.

Workspace Mapping

Configure which workspace users should be placed in based on their SAML attributes. Note: Users who are assigned the Account Owner role have access to all workspaces. These users are not required to have any workspace-mapping SAML attributes.

Options:

  • Tulip Default Workspace Mapping - All users will be placed in this workspace when they log in.
  • Custom Workspace Mapping - Use your SAML attributes to determine what workspace to place users in when they log in.

If Custom Workspace Mapping has been selected:

  • The SAML attribute containing Workspace should be entered.
  • Each value for the workspace attribute, and its associated Tulip Workspace, should be mapped.

Access Control

Restrict access to Tulip based on SAML attributes.

Options:

  • Access Attribute (Optional) - If a user does not have this SAML attribute, they will not be allowed to log in to Tulip. If left blank, any user in your organization will be allowed to log in to Tulip (as long as they have a role and workspace).
  • Access Value (Optional) - If a user does not have the access attribute set to this value, they will not be allowed to log in to Tulip. If left blank, users may have any value in the attribute.

Attribute Update Behavior

Options:

  • Tulip Control Mode - Users' Tulip role and workspace will only be updated from the IdP the first time they log in to Tulip. Users who are deactivated in Tulip will not be allowed to log in.
  • Identity Provider Control Mode - Users' Tulip role and workspace will be updated from the IdP every time they log in to Tulip. Users who are deactivated in Tulip will be automatically reactivated if they successfully authenticate with the IdP.
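The following added example (not Tulip's implementation) models how the Role Mapping, Workspace Mapping, Access Control and Attribute Update Behavior settings combine into a login decision, which is useful for reviewing a configuration before enabling it. The class, field and attribute names, the "Operator" and "Viewer" roles, the order of the checks and the first-matching-value rule for multi-valued attributes are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SamlSettings:  # hypothetical model of this page's fields, not Tulip's schema
    default_role: str = ""
    role_attr: str = ""          # set => Custom Role Mapping
    role_map: dict = field(default_factory=dict)
    default_workspace: str = ""
    workspace_attr: str = ""     # set => Custom Workspace Mapping
    workspace_map: dict = field(default_factory=dict)
    access_attr: str = ""        # blank => no attribute-based restriction
    access_value: str = ""       # blank => any value is accepted
    idp_control_mode: bool = False

def _mapped(attrs, name, table, default):
    if not name:
        return default or None
    # Assumption: the first value (in IdP order) that has a mapping wins.
    return next((table[v] for v in attrs.get(name, []) if v in table), None)

def evaluate_login(cfg, attrs, existing=None):
    """attrs: SAML attribute name -> list of values; existing: stored user or None.
    Returns (allowed, role, workspace, reason)."""
    if cfg.access_attr:
        values = attrs.get(cfg.access_attr)
        if not values:
            return (False, None, None, "access attribute missing")
        if cfg.access_value and cfg.access_value not in values:
            return (False, None, None, "access value mismatch")
    if existing and not cfg.idp_control_mode:
        # Tulip Control Mode: IdP attributes only count on the first login.
        if not existing["active"]:
            return (False, None, None, "deactivated in Tulip")
        return (True, existing["role"], existing["workspace"], "kept Tulip values")
    role = _mapped(attrs, cfg.role_attr, cfg.role_map, cfg.default_role)
    if role is None:
        return (False, None, None, "no role")
    if role == "Account Owner":
        workspace = "ALL"        # Account Owners need no workspace attribute
    else:
        workspace = _mapped(attrs, cfg.workspace_attr, cfg.workspace_map,
                            cfg.default_workspace)
        if workspace is None:
            return (False, None, None, "no workspace")
    reactivated = bool(existing) and not existing["active"]
    return (True, role, workspace,
            "reactivated by IdP" if reactivated else "mapped from IdP")
```

In Identity Provider Control Mode a user deactivated in Tulip comes back with whatever role the IdP currently asserts, so offboarding has to happen at the IdP (or through the access attribute), not only in Tulip.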

Customization

Login Button Label (Optional) - Label shown on the SAML login button on Tulip login pages.

Tests

| ID | Name |
| --- | --- |
| QA-T292 | Settings SAML Config : 01 - Form shows an error when a non-SAML file is uploaded |
| QA-T293 | Settings SAML Config : 02 - Form shows an error when a non-XML file is uploaded |
| QA-T294 | Settings SAML Config : 03 - Upload IdP metadata file |
| QA-T295 | Settings SAML Config : 04 - Configure SAML Settings |
| QA-T298 | Settings SAML Config : 05 - Test Authentication |

Requirements

No requirements