specs/routes/R_SAML

Settings - SAML Setup

Overview

There are multiple ways that a Tulip account can be configured to work with an external identity provider. These options are detailed on the Enterprise Authentication page.

If a Tulip account is configured by a Tulip engineer to utilize a SAML directory for both authentication and authorization of users (called SAML Control Mode), then a user with the Account Owner role will need to use this page to determine which SAML attributes will map to certain Tulip user properties.

This must be done before SAML users are able to successfully log in to Tulip.

Model/Page Connections

User

Create

  • This interface allows you authenticate and authorize users in Tulip as soon as they log in with their SAML credentials. All user attributes will be determined by the mapping of SAML attributes to user properties in this interface.

Pages

This page can be accessed from:

User Permissions

Only users with "Account Owner" permissions can access this interface.

Account Settings Configuration

NOTE: SAML configuration settings only available with the samlConfigUI set to True

Enable SAML Logins - When toggled, users will be prompted to login through SSO provider when authenticating.

Identity Provider Configuration

Upload Identity Provider Metadata XML - Automatically fill the remaining fields based on a provider supplied metadata file.

FIELDDESCRIPTION
SSO Login URLThe URL for your IdP which users log in with.
SSO Logout URLThe URL for your IdP which users log out with.
CertificatesThe certificates for your IdP server, used to verify SAML responses. Must be in PEM format. You may enter multiple certificates separated by blank lines.

Authentication Options

Configure where and how users authenticate on your instance.

FIELDDESCRIPTION
Authentication Context ClassThe method by which users authenticate. You can read more about authentication context classes in the OASIS SAML Authentication Context Specification. Options: Enable Authentication Method Matching and Disable Authentication Method Matching
Force AuthenticationWhether or not to always require manual authentication in a given context. When in the "off" position, users may authenticate with an existing session. When in the "on" position, authentication will always require user interaction. Users can configure for Instance Login and Player registration, or Station Operator Login, or both.

Attribute Mapping

Configure how you want to map your SAML user attributes to Tulip user profile fields.

FIELDDESCRIPTION
Name AttributeThe SAML attribute containing the user's display name.
Email AttributeThe SAML attribute containing the user's email address.
Badge AttributeThe SAML attribute containing the user's badge ID.

Role Mapping

Configure what level of access in Tulip users should be given based on their SAML attributes.

Options:

  • Tulip Default Role Mapping - All users will be assigned this role when they log in.
  • Custom Role Mapping - Use your SAML attributes to determine what role to assign users when they log in.

If Custom Role Mapping has been selected:

  • The SAML attribute containing role should be entered.
  • Each value for the role attribute, and it's associated Tulip role should be mapped.

Workspace Mapping

Configure which workspace users should be placed in based on their SAML attributes. Note: Users who are assigned the Account Owner role have access to all workspaces. These users are not required to have any workspace-mapping SAML attributes.

Options:

  • Tulip Default Workspace Mapping - All users will be placed in this workspace when they log in.
  • Custom Workspace Mapping - Use your SAML attributes to determine what workspace to place users in when they log in.

If Custom Role Workspace has been selected:

  • The SAML attribute containing Workspace should be entered.
  • Each value for the workspace attribute, and it's associated Tulip Workspace should be mapped.

Access Control

Restrict access to Tulip based on SAML attributes.

Options:

  • Access Attribute Optional - If a user does not have this SAML attribute, they will not be allowed to log in to Tulip. If left blank, any user in your organization will be allowed to log in to Tulip (as long as they have a role and workspace).
  • Access Value Optional - If a user does not have the access attribute set to this value, they will not be allowed to log in to Tulip. If left blank, users may have any value in the attribute.

Attribute Update Behavior

Options:

  • Tulip Control Mode - Users' Tulip role and workspace will only be updated from the IdP the first time they log in to Tulip. Users who are deactivated in Tulip will not be allowed to log in.
  • Identity Provider Control Mode - Users' Tulip role and workspace will be updated from the IdP every time they log in to Tulip. Users who are deactivated in Tulip will be automatically reactivated if they successfully authenticate with the IdP.

Customization

Login Button Label Optional - Label shown on the SAML login button on Tulip login pages.

Tests

IDName
QA-T292Settings SAML Config : 01 - Form shows an error when a non-SAML file is uploaded
QA-T293Settings SAML Config : 02 - Form shows an error when a non-XML file is uploaded
QA-T294Settings SAML Config : 03 - Upload IdP metadata file
QA-T295Settings SAML Config : 04 - Configure SAML Settings
QA-T298Settings SAML Config : 05 - Test Authentication
QA-T1067Settings SAML Config : 06 - IdP Control Mode Setup

Requirements

No requirements