Legacy Mend UI - SAML 2.0 Common Questions
Here are a few questions and answers regarding the SAML 2.0 authentication (login) method:
Question: Are users created automatically when they log in with SAML?
Answer: After configuring SAML 2.0, a unique SAML URL will be created which will redirect to the organization’s authentication page. All users that successfully authenticate on that page will be redirected and logged in to the Mend Application automatically through the SAML link, without previous manual user creation.
Question: Can users using a different email address domain log in using SAML as well?
Answer: As long as a user successfully authenticates on the organization authentication page, users should be able to log in regardless of their email address domain.
Question: Would existing Service Users be impacted when switching to SAML authentication method?
Answer: No, existing Service Users will not be affected after the configuration of SAML authentication method.
Question: If an Admin user exists already in the Mend Application, will they lose their Admin rights when they sign in with SAML?
Answer:
a) When configuring basic SAML settings only, as long as users log in with the same email address, their roles and groups will remain unchanged.
b) When configuring advanced SAML configuration, the user should be part of the “admins” group on AD, so they can be associated with the “admins” group on Mend.
*The “admins” group on Mend can be renamed, which allows the AD admin to create a new name for the “admins” group on AD (the same name as the renamed “admins” group).
Question: Will users be able to still log in using Username/Password method?
Answer: After configuring SAML for the first time, users will still be able to log in using Username/Password, but only for the next 7 days. After this initial 7-day period, users will only be able to log in with SAML authentication. Please contact support@whitesourcesoftware.com if you need to extend the 7-day period for a little longer.
Question: How can I define which groups new users get assigned to once they log in with SAML?
Answer:
a) With basic SAML Configuration (no Group attribute is passed from SAML on Advanced Configuration), new users will be added to the “Users” group by default, and the admin can assign them to other groups later on. User Groups are managed from the Mend App.
b) With SAML Advanced Configuration (Group attribute is passed from SAML), administrators can map SAML attribute keys, which allows them to automatically assign new users to groups, based on AD groups and mapped attribute keys. Changing a user group manually will only take effect during the login session. Once the user logs out and logs back in again, the associated groups will be based on the AD.
User Groups are managed from the Active Directory (IdP) App.
Additional information on Advanced Configuration can be found here:
SAML 2.0 Integration | Advanced-Settings-(Optional)