Mapping SAML Users to MicroStrategy
MicroStrategy Intelligence Server uses the SAML assertion attributes configured in the IdP for authentication. This information is passed from the SAML response to map the logged-in user to the MicroStrategy users and groups stored in the metadata.
The following pieces of information sent over in the SAML response can be used to map to a MicroStrategy user:
- Name ID: MicroStrategy looks for a match between the Name ID and the User ID in the Trusted Authenticated Request setting.
  This field can be set in Developer by opening User Editor > Authentication > Metadata. You can also set this field in Web Administrator by opening Intelligence Server Administration Portal > User Manager. The Trusted Authentication Login field is found in the Authentication tab when editing a user.
- DistinguishedName: MicroStrategy looks for a match with the user's Distinguished Name in the LDAP Authentication setting.
  This setting can be found in Developer by opening User Editor > Authentication > Metadata.
MicroStrategy checks for matches in exactly the order listed above.
When a match is found in the metadata, MicroStrategy logs the user in as the corresponding MicroStrategy user with all of the correct permissions and privileges granted.
If no match is found, the SAML user does not yet exist in MicroStrategy and is denied access. You can choose to have SAML users imported into MicroStrategy when no match is found; see Importing and Syncing SAML Users.
The way MicroStrategy maps user groups is determined by the entries made in the Group Attribute and Group Format fields when the SAML configuration files were generated for your application. Groups are mapped between an identity provider and MicroStrategy in one of two ways:
- Simple group names: Group Attribute must contain a list of MicroStrategy User Groups and Group Format must be set to Simple in the MicroStrategy SAML configuration. The Group Attribute values are used to map to the MicroStrategy group's Full name.
  This setting can be found in Developer by opening Group Editor > Group Definition > General.
- DistinguishedNames: If MicroStrategy is configured for LDAP integration, DistinguishedNames can be used for group mapping. Group Attribute must contain a list of LDAP DistinguishedNames and Group Format must be set to DistinguishedName in the MicroStrategy SAML configuration.
  This setting can be found in Developer by opening Group Editor > Authentication > Metadata.
New users and their associated groups can be dynamically imported into MicroStrategy during application logon. You can also configure Intelligence Server to sync user information for existing MicroStrategy users each time they log in to an application. The following settings are accessed from the Intelligence Server Configuration > Web Single Sign-on > Configuration window in Developer.
- Allow user to log on if Web Single Sign-on - MicroStrategy user link not found: Controls access to an application when no MicroStrategy user is found while checking a SAML response. If unchecked, MicroStrategy denies access to the user. If checked, the user obtains the privileges and access rights of the 3rd Party Users and Everyone groups.
  Import user and Sync user are not available unless this setting is turned on.
- Import user at logon: Allows MicroStrategy to import a user into the metadata if no matching user is found. All of the imported user's fields that are used to check user mapping are populated with the corresponding SAML attribute information.
  All users imported this way are placed in the "3rd party users" group in MicroStrategy and are not physically added to any MicroStrategy groups that match their group membership information.
  After the configuration is complete, the imported user sees a privilege-related error when trying to access the project. To resolve this issue, a MicroStrategy administrator must add the project access privilege for the imported user in the 3rd Party Users group.
- Synch user at logon: Allows MicroStrategy to update the fields used for mapping users with the current information provided by the SAML response.
  This option also updates all of a user's group information and imports groups into "3rd party users" if matching groups are not found. This may result in unwanted extra groups being created and stored in the metadata.
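The ordered user match (Name ID against Trusted Authentication Login, then DistinguishedName against the LDAP DN), the two Group Format modes, and the "user link not found" decision described above, worked through as an added Python model; this is not MicroStrategy's own code. It assumes the SAML attributes are named `DistinguishedName` and `Groups` and uses a constructed in-memory stand-in for the metadata.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed stand-in for the metadata: the two user fields the server checks, plus each
# group's full name (Simple format) and LDAP DN (DistinguishedName format).
USERS = {"jdoe": {"trusted_login": "jdoe@example.com", "ldap_dn": "cn=jdoe,ou=people,dc=example,dc=com"},
         "asmith": {"trusted_login": None, "ldap_dn": "cn=asmith,ou=people,dc=example,dc=com"}}
GROUPS = {"Analysts": "cn=analysts,ou=groups,dc=example,dc=com",
          "Administrators": "cn=admins,ou=groups,dc=example,dc=com"}
def parse_assertion(xml_text):
    """Return (NameID, {attribute Name: [values]}) from a SAML 2.0 Assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

def map_user(name_id, attrs, dn_attribute="DistinguishedName"):
    """NameID vs Trusted Authentication Login first, then the DN attribute vs LDAP DN."""
    for login, u in USERS.items():
        if name_id and u["trusted_login"] == name_id:
            return login
    for login, u in USERS.items():
        if u["ldap_dn"] in attrs.get(dn_attribute, []):
            return login
    return None  # no MicroStrategy user is linked to this assertion

def map_groups(attrs, group_attribute="Groups", group_format="Simple"):
    """Resolve Group Attribute values by the configured Group Format; unknown values are skipped."""
    values = attrs.get(group_attribute, [])
    if group_format == "Simple":
        return [name for name in GROUPS if name in values]
    return [name for name, dn in GROUPS.items() if dn in values]

def authenticate(xml_text, allow_unlinked=False, group_format="Simple"):
    """Logon outcome: denied, the linked user, or an imported '3rd Party Users' member."""
    name_id, attrs = parse_assertion(xml_text)
    login = map_user(name_id, attrs)
    if login is None and not allow_unlinked:
        return {"access": "denied"}
    # Imported users land in 3rd Party Users and are not added to matching groups.
    return {"access": "granted", "user": login or "3rd Party Users",
            "groups": map_groups(attrs, group_format=group_format) if login else []}
# Constructed assertion: the NameID matches no trusted login, so the DN attribute decides.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID>asmith@example.com</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="DistinguishedName"><saml:AttributeValue>cn=asmith,ou=people,dc=example,dc=com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="Groups"><saml:AttributeValue>Analysts</saml:AttributeValue><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Running `authenticate(ASSERTION)` links the assertion to `asmith` through the DN check and maps only `Analysts`, since `Finance` has no matching MicroStrategy group; the same assertion with an unknown DN is denied unless `allow_unlinked` is set.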