Path: Admin > User Management > Default SSO User Settings
The Default SSO User Settings window provides a central location to configure login behaviors for users authenticated with SAML who do not have an existing WebTMA account. Because of the level of control this window allows, WebTMA recommends that only Administrator accounts be granted access to it.
Each line shown in the grid on the window defines a behavior to be followed for the Group name specified. If the Group name is left blank, the behavior occurs for any unknown user connecting to WebTMA. The first matched (or blank) Group in order will be used.
SSO Login Behavior
A User authenticated through an SSO system is first checked against the list of active user accounts in the WebTMA database. If a user account with a Login ID value matching the value in the authentication token is found, the user is logged in with that account.
If no corresponding user account is found, the additional user attributes (name, phone, e-mail, and group membership) included in the SAML assertion are examined. Based on the Group membership of the authenticated user, the process in the Default SSO User Settings window is followed from top to bottom. The first line with a Group Name matching one in the user’s membership list (or a blank group name value) determines the login behavior. This grants the User access to WebTMA in one of the following three ways:
- Connect As: The authenticated user is connected as the account specified in the User ID field. This is typically a Requestor account, but an account of any role can be selected.
- Create Requestor: A Requestor record and Requestor User account are created in WebTMA for the authenticated User. A Repair Center list must be specified to determine the Repair Centers that are linked to the Requestor record.
- Create User: A corresponding User account is created in WebTMA for the authenticated User. A Repair Center list must be specified on the line to define the Repair Centers that are linked to the User account.
User accounts for the Create User and Create Requestor behaviors are linked to User Groups in WebTMA by cross-referencing the Group membership list from the SSO provider with the Security Groups list in each WebTMA User Group. At least one matching User Group must be found for the account to be created.
If no matching behavior lines are found, the user receives an Invalid User ID message and is not logged in to WebTMA.
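As an added example (not WebTMA's own code), the following Python models the login behavior described above: the Login ID check against active accounts, the top-to-bottom walk of the Default SSO User Settings lines with a blank Group Name matching any unknown user, the User Group cross-reference required by the Create behaviors, and the Invalid User ID outcome. It also includes a configuration check that flags lines that can never be reached because a blank-Group line is ordered ahead of them. All rule, group and account names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    order: int
    group_name: str            # blank ("") matches any unknown SSO user
    behavior: str              # "Connect As" | "Create User" | "Create Requestor"
    user_id: str = ""          # account used by Connect As
    repair_centers: tuple = () # Repair Centers linked by the Create behaviors

def resolve_sso_login(assertion, active_logins, rules, user_groups):
    """Return (outcome, detail) for one SAML assertion {"login_id", "groups"}.
    active_logins: Login IDs with an active WebTMA account; rules: Default SSO
    User Settings lines; user_groups: {WebTMA User Group: set of Security Groups}."""
    # 1. An active account whose Login ID matches the token wins outright.
    if assertion["login_id"] in active_logins:
        return ("login", assertion["login_id"])
    member = set(assertion.get("groups", ()))
    # 2. Walk the lines in Order; the first matching (or blank) Group decides.
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.group_name and rule.group_name not in member:
            continue
        if rule.behavior == "Connect As":
            return ("connect_as", rule.user_id)
        # Create User / Create Requestor: link every WebTMA User Group whose
        # Security Groups overlap the SSO memberships; at least one is required.
        linked = sorted(g for g, sec in user_groups.items() if sec & member)
        if not linked:
            # Assumption: a creation that cannot proceed is modelled as a rejection.
            return ("rejected", "no matching WebTMA User Group")
        return (rule.behavior, {"user_groups": linked,
                                "repair_centers": list(rule.repair_centers)})
    # 3. No line matched: the page's "Invalid User ID" outcome.
    return ("rejected", "Invalid User ID")

def shadowed_rules(rules):
    """Lines never reached because a blank-Group line (matches every unknown user) precedes them."""
    ordered = sorted(rules, key=lambda r: r.order)
    for i, rule in enumerate(ordered):
        if rule.group_name == "":
            return ordered[i + 1:]
    return []
# Constructed sample configuration (illustrative names, not from the page).
RULES = [
    Rule(1, "WebTMA-Technicians", "Create User", repair_centers=("Main Campus",)),
    Rule(2, "WebTMA-Requestors", "Create Requestor", repair_centers=("Main Campus",)),
    Rule(3, "", "Connect As", user_id="sso_guest"),
]
USER_GROUPS = {"Technicians": {"WebTMA-Technicians"}, "Requestors": {"WebTMA-Requestors"}}
```

Running `shadowed_rules` over a proposed configuration before saving it shows which lines a blank-Group catch-all would silently override.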
How to Add Default User SSO Settings
From the Default SSO User Settings window:
- Click the Add Item link to open the Default User Rule Entry flyout.
- Complete the required and elective fields.
- Click the Save button on the flyout.
Field Definitions for Default User Rule Entry Flyout
Order: The position at which this line is considered when the list is evaluated from top to bottom. If, for instance, a User belongs to multiple Active Directory Groups, the first matching line in the list is the rule that applies to that User.
Description: A description of the rule being defined.
Group Name: The Active Directory group this line applies to. Leave it blank to match any unknown user.
Behavior:
- Connect As logs the authenticated User in as the account selected in the User field that displays below.
- Create User allows creation of a User and selection of their related Repair Center if needed.
- Create Requestor allows creation of a Requestor record and selection of its related Repair Center if needed.
Want to Know More?
Visit the WebTMA SSO Help Page