Strategy ONE

Mapping SAML Users to Strategy

Strategy Intelligence Server uses the SAML assertion attributes configured in the IdP for authentication. This information is carried in the SAML response and used to map the logged-in user to the Strategy users and groups stored in the metadata.

User Mapping

The following pieces of information sent over in the SAML response can be used to map to a Strategy user:

  • Name ID: Strategy looks for a match between the Name ID and the User ID in the Trusted Authenticated Request setting.

    This field can be set in Developer by opening User Editor > Authentication > Metadata. You can also set this field in Web Administrator by opening Intelligence Server Administration Portal > User Manager. The Trusted Authentication Login field is found in the Authentication tab when editing a user.

  • DistinguishedName: Strategy looks for a match against the user's Distinguished Name in the LDAP Authentication setting.

    This setting can be found in Developer by opening User Editor > Authentication > Metadata.

Strategy checks for matches in the exact order they are presented.

When a match is found in the metadata, Strategy logs the user in as the corresponding Strategy user with all of the correct permissions and privileges granted.

If no match is found, the SAML user does not yet exist in Strategy and is denied access. You can choose to have SAML users imported into Strategy when no match is found; see Importing and Syncing SAML Users.

Group Mapping

The way Strategy maps user groups is determined by the entries made in the Group Attribute and Group Format fields when the SAML configuration files were generated for your application. Groups are mapped between an identity provider and Strategy in one of two ways:

  • Simple group names: Group Attribute must contain a list of Strategy User Groups and Group Format must be set to Simple in the Strategy SAML configuration. The Group Attribute values are matched against the Strategy group's full name.

    This setting can be found in Developer by opening Group Editor > Group Definition > General.

  • DistinguishedNames: If Strategy is configured for LDAP integration, DistinguishedNames can be used for group mapping. Group Attribute must contain a list of LDAP DistinguishedNames and Group Format must be set to DistinguishedName in the Strategy SAML configuration.

    This setting can be found in Developer by opening Group Editor > Authentication > Metadata.

Importing and Syncing SAML Users

New users and their associated groups can be dynamically imported into Strategy during application log in. You can also configure Intelligence Server to sync user information for existing Strategy users each time they log in to an application. The following settings are accessed from the Intelligence Server Configuration > Web Single Sign-on > Configuration window in Developer.

  • Allow user to log on if Web Single Sign-on - Strategy user link not found: Controls access to an application when no Strategy user is found while checking a SAML response. If unchecked, Strategy denies access to the user. If checked, the user obtains the privileges and access rights of a 3rd Party user and of the Everyone group.

    Import user and Sync user are not available unless this setting is turned on.

  • Import user at logon: Allows Strategy to import a user into the metadata if no matching user is found. The imported user populates all the fields that are used to check user mapping with the corresponding SAML attribute information.

    All users imported this way are placed in the "3rd party users" group in Strategy, and are not physically added to any Strategy groups that match their group membership information.

    After the configuration is complete, the imported user sees a privilege-related error when trying to access the project. To resolve this issue, a Strategy administrator must add the project access privilege for the imported user in the 3rd Party Users group.

  • Synch user at logon: Allows Strategy to update the fields used for mapping users with the current information provided by the SAML response.

    This option also updates all of a user's group information and imports groups into "3rd party users" if matching groups are not found. This may result in unwanted extra groups being created and stored in the metadata.
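The following is an added example, not Strategy's own code, that walks through the three behaviours this page describes: the user-mapping order (Name ID against the Trusted Authentication Login, then DistinguishedName against the LDAP DN), the two Group Format modes, and the effect of the Allow / Import / Synch settings on a logon. The SAML assertion, the metadata users and groups, and the attribute names "DistinguishedName" and "Groups" are all constructed for the example; the import and sync steps are a simplified model of what the text states, not the product's internals.

```python
# Added example (not Strategy's own code): SAML-to-user mapping order,
# group formats and import/sync settings, over constructed data.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment; the attribute names are assumptions.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="DistinguishedName">
      <saml:AttributeValue>CN=Jane Doe,OU=Users,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Analysts</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class User:
    login: str
    trusted_auth_login: str = ""   # User Editor > Authentication > Metadata
    ldap_dn: str = ""              # Distinguished Name for LDAP authentication
    groups: set = field(default_factory=set)


@dataclass
class SsoConfig:
    group_attribute: str = "Groups"
    group_format: str = "Simple"   # "Simple" or "DistinguishedName"
    allow_unlinked: bool = False   # "Allow user to log on if ... link not found"
    import_user: bool = False      # "Import user at logon"
    sync_user: bool = False        # "Synch user at logon"


def sample_metadata():
    """Constructed metadata: a users list and group full name -> LDAP DN."""
    users = [User("Jane Doe", trusted_auth_login="jdoe",
                  ldap_dn="CN=Jane Doe,OU=Users,DC=example,DC=com")]
    groups = {"Analysts": "CN=Analysts,OU=Groups,DC=example,DC=com",
              "Everyone": "", "3rd party users": ""}
    return users, groups


def parse_assertion(xml_text):
    """Pull the Name ID and the attribute statement out of the assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def find_user(users, name_id, attrs):
    """Checks run in the order the page lists them: Name ID first, then DN."""
    for u in users:
        if u.trusted_auth_login and u.trusted_auth_login == name_id:
            return u
    dn = (attrs.get("DistinguishedName") or [""])[0]
    for u in users:
        if dn and u.ldap_dn.lower() == dn.lower():  # DNs are case-insensitive
            return u
    return None


def map_groups(groups, cfg, attrs):
    """Return (matched Strategy group full names, unmatched attribute values)."""
    matched, unmatched = [], []
    for value in attrs.get(cfg.group_attribute, []):
        if cfg.group_format == "Simple":
            hit = value if value in groups else None
        else:  # DistinguishedName: compare against each group's LDAP DN
            hit = next((n for n, gdn in groups.items()
                        if gdn and gdn.lower() == value.lower()), None)
        (matched if hit else unmatched).append(hit or value)
    return matched, unmatched


def logon(users, groups, cfg, xml_text):
    """Simplified model of the logon outcome under the three settings."""
    name_id, attrs = parse_assertion(xml_text)
    user = find_user(users, name_id, attrs)
    if user is None:
        if not cfg.allow_unlinked:
            return {"result": "denied"}
        if cfg.import_user:
            # Imported user lands in "3rd party users" only; the mapping
            # fields are filled from the assertion so the next logon links.
            user = User(name_id, trusted_auth_login=name_id,
                        ldap_dn=(attrs.get("DistinguishedName") or [""])[0],
                        groups={"3rd party users"})
            users.append(user)
            return {"result": "imported", "user": user.login, "groups": sorted(user.groups)}
        return {"result": "3rd party", "groups": ["3rd party users", "Everyone"]}
    if cfg.sync_user and cfg.allow_unlinked:  # sync is only available with Allow on
        matched, unmatched = map_groups(groups, cfg, attrs)
        for value in unmatched:   # unmatched groups get created in the metadata
            groups[value] = ""    # (modelled as plain entries under "3rd party users")
        user.groups = set(matched) | set(unmatched)
    return {"result": "linked", "user": user.login, "groups": sorted(user.groups)}
```

Running `logon` with the default `SsoConfig()` links the constructed assertion to "Jane Doe" via the Name ID; turning on `sync_user` with `allow_unlinked` shows the side effect the last bullet warns about, since the unknown "Finance" value is added to the metadata as a new group.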