How do I Create Users with SAML SSO?

Bridge allows users to be generated through a SAML assertion (this must be enabled by a Bridge IC or Support), but this is currently limited to 7 fields: first name, last name, email, full name, job title, department and name ID (brought over as the Unique Identifier in Bridge).

Note: A few additional standard fields may be added later, but custom fields are not allowed through this method. To use Smart Groups and custom attributes, a CSV import or PATCH updates through the API must be used to get the rest of the user's data into Bridge.

Warning: Using SSO to create users can lead to unexpected behavior when paired with other methods. Users cannot be updated using this method, ONLY CREATED. If you use Auto CSV, this method is not allowed. If you are not managing the UIDs properly, you can end up with quite a few duplicated users.

Requirements

  • SAML SSO: You'll need an identity provider (IdP) that works with the SAML protocol
  • Create users from external authorization - enabled: An Implementation Consultant or Bridge Support Agent must enable this setting for you in order to create users from SAML SSO

Steps

  1. Reach out to Support regarding Just In Time (JIT) provisioning
  2. Modify the attributes in the SAML assertion to include first_name, last_name, full_name, job_title, department and email (Name ID is already included)
  3. Test to ensure users are being added
  4. Review limitations and errors

Step one: Reach out to Support regarding Just In Time (JIT) provisioning

Our Support Team can work with you to get the JIT process started. They can bring in an Implementation Consultant (IC) to enable these settings and consult on the process should you have any questions.

Note: if you do not work with an IC, it is highly recommended that you review the limitations and potential errors in Step four.

Step two: Modify the attributes in the SAML assertion to include additional fields

If you would like to include the First Name, Last Name, Full Name, Job Title, Department and Email attributes, you must add them to the SAML assertion (first_name and email screenshot for Azure AD below):

The following claim names are accepted for each field (any one of the listed names maps to that field):

  • Email
    • email
    • mail
  • First Name
    • first_name
    • firstName
    • given_name
    • givenName
  • Last Name
    • family_name
    • familyName
    • last_name
    • lastName
  • Full Name
    • display_name
    • full_name
    • name
  • Job Title
    • job_title
  • Department
    • department
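To verify that an IdP's assertion actually carries claim names Bridge will accept before testing with a live user, here is an added checker (not part of the original article or of Bridge) that parses the AttributeStatement of a constructed sample assertion and reports, for each Bridge field, which accepted claim name supplied it. The sample, the namespace constant and the function names are assumptions for illustration; the accepted claim names are the ones listed above.

```python
"""Check a SAML assertion's AttributeStatement against the claim names
Bridge accepts for JIT user creation (the list in Step two)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Bridge field -> accepted claim/attribute names, in the order listed above
ACCEPTED_CLAIMS = {
    "email": ("email", "mail"),
    "first_name": ("first_name", "firstName", "given_name", "givenName"),
    "last_name": ("family_name", "familyName", "last_name", "lastName"),
    "full_name": ("display_name", "full_name", "name"),
    "job_title": ("job_title",),
    "department": ("department",),
}


def extract_attributes(assertion_xml):
    """Return {Attribute Name: first AttributeValue text}. Only names and
    values are read; the signature is NOT verified, so run this on an
    assertion captured from your own IdP during testing, not as an SP check."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_claims(attrs):
    """Map each Bridge field to the accepted claim that supplies a non-empty
    value, or None when no accepted claim name is present (field will be blank)."""
    return {field: next((n for n in names if attrs.get(n)), None)
            for field, names in ACCEPTED_CLAIMS.items()}


# Constructed sample (not from a real IdP): "givenName" is accepted, but
# "surname" is not an accepted last-name claim and department is absent.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="job_title"><saml:AttributeValue>Analyst</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for field, claim in check_claims(extract_attributes(SAMPLE_ASSERTION)).items():
        print(f"{field:11s} {('<- ' + claim) if claim else 'MISSING: no accepted claim name'}")
```

Running it against the sample flags last_name and department as missing, which is exactly the "attributes are not coming through but the user is getting created" case in Step four.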

Step Three: Test to ensure users are being added

  • Assign a user that isn't currently in Bridge to your IdP (preferably a test user)
  • Have that user sign into Bridge and check to see if the user is created in Bridge (they should see the User Agreement, and the Admin should be able to search for them by their UID or name)

Step Four: Review limitations and errors

Each entry below lists what you're experiencing, what's happening, and how to resolve it.

What you're experiencing: I'm on a page that says "Account Error" and "Oops. We can't find your account". The URL path is "/no_user".
What's happening: It's likely that SSO is working but the "create users from external authentication" feature has not been enabled.
How to resolve: Reach out to Support or an IC to ensure that the feature has been enabled.

What you're experiencing: The user isn't being updated when they log in.
What's happening: Creating users via SSO (JIT) does not update users on subsequent logins.
How to resolve: Unfortunately, there isn't a way to change this. JIT only creates users; it does NOT update users.

What you're experiencing: Some or all of the user's attributes are not coming through, but the user is getting created.
What's happening: The attributes are probably not mapped correctly.
How to resolve: Double check the Attribute Name in the SAML assertion: does it match one of the accepted claim names for the given attribute? Step two has the list of fields and their claim/attribute names.

What you're experiencing: I'm getting a 500 response or a strange authentication error.
What's happening: This is more difficult to diagnose but is likely caused by a SAML misconfiguration.
How to resolve: Take a look at the SAML Overview document and work with your IC to troubleshoot the configuration. Also check the documentation specific to your IdP and Bridge.
