Bridge allows users to be created from a SAML assertion (this must be enabled by a Bridge IC or Support), but it is currently limited to 7 fields: first name, last name, email, full name, job title, department and Name ID (brought over as the Unique Identifier in Bridge).
Note: A few additional standard fields may be added later, but custom fields are not supported through this method. To use Smart Groups and custom attributes, a CSV import or PATCH updates through the API must be used to get the rest of the user's data into Bridge.
Warning: Using SSO to create users can lead to unexpected behavior when paired with other methods. Users cannot be updated using this method, ONLY CREATED. If you use Auto CSV, this method is not allowed. If you are not managing UIDs properly, you can end up with quite a few duplicated users.
Requirements
- SAML SSO: You'll need an identity provider (IdP) that works with the SAML protocol
- Create users from external authorization - enabled: An Implementation Consultant or Bridge Support Agent must enable this setting for you in order to create users from SAML SSO
Steps
- Reach out to Support regarding Just In Time (JIT) provisioning
- Modify the attributes in the SAML assertion to include first_name, last_name, full_name, job_title, department and email (Name ID is already included)
- Test to ensure users are being added
- Review limitations and errors
Step one: Reach out to Support regarding Just In Time (JIT) provisioning
Our Support Team can work with you to get the JIT process started. They can bring an Implementation Consultant (IC) to enable these settings and consult on the process should you have any questions.
Note: If you do not work with an IC, it is highly recommended that you review the limitations and potential errors in Step Four.
Step two: Modify the attributes in the SAML assertion to include additional fields
If you would like to include the First Name, Last Name, Full Name, Job Title, Department and Email attributes, you must add them to the SAML assertion (screenshot of the first_name and email claims in Azure AD below):
The following claim names are accepted for each field:
- Email
  - email
- First Name
  - first_name
  - firstName
  - given_name
  - givenName
- Last Name
  - family_name
  - familyName
  - last_name
  - lastName
- Full Name
  - display_name
  - full_name
  - name
- Job Title
  - job_title
- Department
  - department
Step Three: Test to ensure users are being added
- Assign a user that isn't currently in Bridge to your IdP (preferably a test user)
- Have that user sign into Bridge and check whether the user is created in Bridge (they should see the User Agreement, and an Admin should be able to search for them by their UID or name)
Step Four: Review limitations and errors
What You're Experiencing | What's Happening | How to Resolve |
---|---|---|
I'm on a page that says "Account Error" and "Oops. We can't find your account". The URL path is "/no_user" | It's likely that SSO is working but the "create users from external authentication" feature has not been enabled. | Reach out to Support or an IC to ensure that the feature has been enabled. |
User isn't being updated when they log in | Creating users via SSO (JIT) does not update users with subsequent logins. | Unfortunately, there isn't a way to change this. JIT only creates users; it does NOT update users. |
Some or all of the user's attributes are not coming through, but the user is getting created | The attributes are probably not mapped correctly. | Double check the Attribute Name in the SAML assertion: does it match one of the accepted claim names for the given attribute? Step Two has a list of the fields and their claim/attribute names. |
I'm getting a 500 response or a weird authentication error. | This is more difficult to diagnose but is likely caused by SAML misconfiguration. | Take a look at the SAML Overview document and work with your IC to troubleshoot the configuration. Also check out documentation specific to your IdP and Bridge. |
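To check an assertion before the test login in Step Three, or to debug the "attributes not coming through" row above, the following added script (not Bridge's own code) parses a SAML AttributeStatement and reports which Bridge fields the claim names from Step Two would populate and which claim names are unrecognized. It assumes claim names are matched exactly (case-sensitive) and uses a constructed sample assertion.

```python
"""Map SAML assertion attributes onto the Bridge JIT fields and flag unmapped claims."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Accepted claim names per Bridge field, taken from the Step Two list.
CLAIM_ALIASES = {
    "email": {"email"},
    "first_name": {"first_name", "firstName", "given_name", "givenName"},
    "last_name": {"family_name", "familyName", "last_name", "lastName"},
    "full_name": {"display_name", "full_name", "name"},
    "job_title": {"job_title"},
    "department": {"department"},
}


def map_assertion(xml_text):
    """Return (mapped_fields, unmapped_claim_names, name_id) for one assertion.

    name_id is the Subject/NameID value, which Bridge stores as the Unique Identifier.
    Matching is exact (assumption): 'lastname' or 'Department' will not map.
    """
    root = ET.fromstring(xml_text)
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = nid.text.strip() if nid is not None and nid.text else None
    mapped, unmapped = {}, []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        claim = attr.get("Name")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        field = next((f for f, names in CLAIM_ALIASES.items() if claim in names), None)
        if field is None:
            unmapped.append(claim)
        elif values:
            mapped[field] = values[0]
    return mapped, unmapped, name_id


# Constructed sample assertion (not from a real IdP); two claims are deliberately misnamed.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    mapped, unmapped, uid = map_assertion(SAMPLE)
    print("NameID (Bridge UID):", uid)
    print("fields that would be populated:", mapped)
    print("unrecognized claim names (check spelling/case):", unmapped)
```

A missing NameID (None) in the report means the IdP is not sending the identifier Bridge uses as the UID, which is the condition behind the duplicated-user warning at the top of this page.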