This document describes the process to implement SAML authentication for Single Sign-On (SSO) with WebTMA 7 for SaaS clients.
Requirements
WebTMA supports IdP-Initiated and SP-Initiated SAML SSO with HTTPS POST binding. Either the SAML response message or the SAML assertion must be signed to be considered valid.
Setup
For SaaS, TMA will provide the client with SP metadata including the URL of the WebTMA assertion consumer service. The client will provide TMA with their IdP metadata including the public key signing certificate. The client will be responsible for IdP configuration.
For SP-Initiated authentication, a unique login URL will be provided by TMA to initiate the SAML authentication request to the client’s IdP.
By default, the NameId in the assertion is compared to the WebTMA username to authenticate existing users. An attribute from the SAML assertion can be configured to take the place of the NameId if required.
Just-In-Time User Provisioning/Access
If the provided NameId value does not match a WebTMA username, the application can be configured to automatically create a user account or to connect as an existing account based on group membership presented in the SAML assertion.
WebTMA Configuration
The “Allow New SSO User Access” preference must be enabled at the client level (in the Login section of Admin > Client Info > Preferences Tab).
If the preference above is set to true, the first active rule on Admin > User Management > Default SSO User Settings with a matching or blank group name is applied.
- A “Connect As” rule connects the authenticated user as the associated user account. This is generally a requestor type user with very limited access. The name, email, and phone number from the SAML assertion are used to populate the corresponding fields on the service request form. Service requests are tagged with the authenticated user’s NameId. This value is used for filtering if access to the request status browse window is provided.
- A “New Requestor” or “New User” rule creates a new user account of the corresponding role with group membership based on user groups linked to the groups presented in the SAML assertion.
Attributes
The following SAML attributes are used for unknown users granted access through the Default SSO User Settings:
- FirstName
- LastName
- Phone
- GroupMembership
The attribute names above are default names read by WebTMA, but the WebTMA SP SAML configuration can be configured to accept any at
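The following is an added illustration, not WebTMA code, of the login flow described above: the signed-message requirement, NameId matching against existing usernames, and the "first active rule with a matching or blank group name" selection from Default SSO User Settings using the GroupMembership attribute. The sample response, the rule dictionary layout and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response; the empty ds:Signature stands in for a real XML signature.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion><ds:Signature/>
    <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="GroupMembership"><saml:AttributeValue>Facilities</saml:AttributeValue>
        <saml:AttributeValue>Staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def parse_response(xml_text):
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    # Presence check only: a real SP must verify the XML signature against the IdP certificate.
    signed = any(e.find("ds:Signature", NS) is not None for e in (root, assertion))
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"signed": signed,
            "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}

def select_rule(rules, groups):
    """First active Default SSO User Settings rule whose group is blank or was presented."""
    for rule in rules:
        if rule["active"] and (rule["group"] == "" or rule["group"] in groups):
            return rule
    return None

def resolve_login(xml_text, known_usernames, rules, allow_new_sso_user):
    """Outcome: existing user, Connect As, New Requestor/User, or reject with a reason."""
    info = parse_response(xml_text)
    if not info["signed"]:
        return ("reject", "neither response nor assertion is signed")
    if info["name_id"] in known_usernames:
        return ("existing", info["name_id"])
    if not allow_new_sso_user:
        return ("reject", "Allow New SSO User Access is disabled")
    rule = select_rule(rules, info["attributes"].get("GroupMembership", []))
    if rule is None:
        return ("reject", "no active rule matches")
    return (rule["action"], rule.get("connect_as", info["name_id"]))
```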