WebTMA 7 On-Premise SAML/SSO Configuration

WebTMA SAML Configuration
This document describes the process to configure SAML authentication for Single Sign‐On (SSO) with
WebTMA 7 in the On‐Prem environment on the WebTMA application server side. Examples are
provided for typical use cases, and additional configuration options can be found in the
“ComponentSpace SAML for ASP.NET Core Configuration Guide” document from the SAML library

WebTMA supports IdP‐Initiated and SP‐Initiated SAML SSO with HTTP POST binding.

The WebTMA 7 SAML configuration is typically found in the samlsettings.json file of the WebTMA
application root folder. It consists of a SAML object with a Configurations array containing a
configuration object for each client using SAML.


The following example includes a SAML configuration for one client:



  • The configuration “Id” value must match the client name used for sign in (typically in
  • The “AssertionConsumerServiceUrl” value must include a URL‐encoded version of the same
    client name in the “c” querystring parameter. The Assertion Consumer service can be found at
    the following URL:
    o https://<WebTMA Application>/SAML/ACS?c=<Client Name>
  • The “Name” values in the SP and IdP configurations are used as unique identifiers to validate
    source and target but do not need to be valid URLs.
  • The IdP partner certificates may be included in the client’s IdP metadata or provided directly.
    The public key certificate files should be placed in a “certificates” folder in the root of the
    WebTMA application and the file paths should be specified for each client as the example
    above. (Multiple certificates can be specified to allow for overlap near expiration dates.)
  • The “SingleSignOnServiceUrl” is only required for SP‐Initiated SAML and should be included in
    the client’s IdP metadata.
  • The “MappingRules” objects are used to remap attributes included in SAML assertions to
    standard names for processing. In the example above, the value of a LoginID parameter is
    copied over the SAML standard SAML NameId value matched to the WebTMA username. (The
    NameId field used by convention when no “Name” is specified in the mapping.)


Just‐In‐Time User Provisioning/Access

If the provided NameId does not match a WebTMA username, the application can be configured to
automatically create a user account or to connect as an existing account based on group membership
presented in the SAML assertion.

WebTMA Configuration

The “Allow New SSO User Access” must be enabled at the client level (in the Login section of Admin >
Client Info > Preferences Tab).
If the preference above is set to true, the first active rule on Admin > User Management > Default SSO
User Settings with a matching or blank group name is applied.

  • A “Connect As” rule connects the authenticated user as the associated user account. This is
    generally a requestor type user with very limited access. The name, email, and phone number
    from the SAML assertion are used to populate the corresponding fields on the service request
    form. Service requests are tagged with the authenticated user’s NameId. This value is used for
    filtering if access to the request status browse window is provided.
  • A “New Requestor” or “New User” rule creates a new user account of the corresponding role
    with group membership based on user groups linked to the groups presented in the SAML


The following attributes are used for unknown users authenticated through SAML:

  • FirstName
  • LastName
  • Email
  • Phone
  • GroupMembership

The attribute names above are default names read by WebTMA, but the WebTMA SP SAML
configuration can be configured to accept any attribute names provided by the IdP.

Incoming attribute names can be modified with the following additions to the MappingRules block in the
SAML configuration:


WebTMA SP metadata can be retrieved from the following URL:

https://<WebTMA Application>/SAML/Metadata?c=<Client Name>

This requires at least a minimal SAML SP configuration for the client:

SP‐Initiated Login

Clients can use the following URL for an SP‐Initiated login:

https://<WebTMA Application>/SAML/Login?c=<Client Name>

Was this article helpful?
0 out of 0 found this helpful

Articles in this section

2024 Client Training Schedule
See the full list of web training events.