Question

Batch Assign group to SAML users

asked on October 4, 2021

Hi,

We are looking to activate SAML users (10k users) in our environment, as well as to make it work with Forms. We have configured the security based on SAML groups in LFDS (e.g. created an LFDS group and assigned SAML groups within that group).

We're running into the issue where the SAML users are not being integrated to Forms because they are not tied to a group within LFDS.

Is there a way to batch assign an "Everyone" group to the imported SAML users, so that they can be pushed as a participant in Forms? Basically, assign this default group to everyone that will use SAML, so that it pushes them to Forms, without manually having to intervene on these 10k users?

Thanks for any advice. It seems as though SAML integrations are still early in the development.

It would be nice to say:
-you are part of this LFDS group (which has SAML group ABC), when you login, automatically provision this user account if it doesn't exist in LFDS, assign him to that LFDS group automatically, then trigger a sync to Forms because we configured Forms to allow logins from that LFDS group, so that everything happens at once.



Replies

replied on October 7, 2021

Hi Patrick,

To clarify, how did you add these SAML users into LFDS? Did you add them via CSV file import, via self registration, via SCIM, or by some other means?

With regards to current functionality, SAML users need to log in in order to be synced into Forms if they do not explicitly belong to an LFDS group. Your SAML users should be able to log in right off the bat if the groups are configured properly.

replied on October 7, 2021

These SAML users were CSV file imported for now, but as we continue to have new users on a daily basis, I want to automate this as much as possible, but we don't have a SCIM option within our IdP.

Thanks for the explanation as well. It would have helped if I was passing the right SAML groups to the application, haha. Sorry about the troubles on that. It is now working as you explained it, as soon as it sees that SAML group within the list of groups, it assigns their access to Forms based on that group (either as Named or participant user).

So for the question to automatically provision SAML users (ex. Let the IdP determine who is allowed to login or not), that's not possible at the moment, correct?

replied on October 8, 2021

We are currently working on adding a new feature to allow everyone from LFDS to be able to access Forms. The planned feature is to provide an option to allow everyone from LFDS to access Forms when configuring the user authentication. With this option, all the users with the proper license will be synchronized into Forms. Will this feature satisfy your use case?

replied on October 8, 2021

Yes and no. The user initially has to exist in LFDS, which in our case, isn't always true because we manually have to import the SAML users. Our Identity provider will say you are allowed to access Laserfiche (as the 1st entry point into the system), but because the user doesn't exist in Laserfiche, it will say he's not licensed and will not be able to use Laserfiche.

In a perfect world, when the user signs into the identity provider to access Laserfiche, once LFDS receives the SAML request for sign-in but doesn't find the user, it would be nice if LFDS would support just-in-time provisioning for SAML, enabling the system to automatically create the SAML user with the proper license (e.g. based on a SAML attribute, or have the ability to assign a default license). That way, there is no administrative overhead and, because the SAML groups control the access, the only thing an admin would have to worry about is to monitor the total licensing assignment counts.

I hope I'm making a bit of sense, haha. The Just-in-time provisioning is supported by a ton of service providers that support SAML and is really a great feature to reduce the burden on admins.

SELECTED ANSWER
replied on October 8, 2021

That sounds like a job for LFDS's self registration feature (introduced in LFDS 10.4.3). It can create the SAML accounts in LFDS upon first login with a designated license.

replied on October 8, 2021

Awesome, thanks again for the guidance!! This will do the trick.

replied on October 8, 2021

I have one more question, sorry. We don't want to allow users to choose a "Full License" during the self-registration feature. So we applied the "Participant license" automatically for everyone who doesn't have an account, which works perfectly for our use case, no prompts, no nothing. It applies that default license and away he goes. (Allow new users to self-register ON, Redirect new users to registration page ON, Automatically complete registration ON, with only 1 type of license available.)

We do however want to say for those that are part of SAML group "ABC", automatically apply a "Full License" to them, kind of following the same import rules as Active Directory. Is that do-able? And if ever that user no longer has that SAML group "ABC", it removes that "Full License" and applies the "Participant license"?

replied on October 8, 2021

Unfortunately we don't have that functionality right now.

One thing I can suggest is using the proxied providers feature if your SAML accounts are backed by Active Directory. This will take a different approach to user management, where you synchronize user accounts into LFDS as AD users and can use sync rules etc., but these users log in via SAML. LFDS will detect an identifying attribute in the SAML user's token that lets it know which AD user on the LFDS side is trying to log in.

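The group-driven license rule requested above (Participant by default, Full while the SAML group "ABC" is present, back to Participant when it disappears) is not something the thread says LFDS offers; the following is an added illustration, not Laserfiche or LFDS code, of how such a just-in-time decision can be modelled. The group attribute name, the sample assertion and the dict standing in for the directory are constructed assumptions, and the assertion is assumed to have had its signature verified by the SAML library before any provisioning logic runs.

```python
"""Hypothetical just-in-time license decision driven by SAML group claims.

Illustration only (not LFDS code). The attribute name, group value and the
in-memory directory below are constructed assumptions for the example.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # assumed attribute name
FULL_LICENSE_GROUP = "ABC"  # group that should carry the Full license

# Constructed sample assertion. It carries no signature here: a real
# deployment must only feed signature-verified assertions to this logic,
# since group values decide what license (and access) a user receives.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Staff</saml:AttributeValue>
      <saml:AttributeValue>ABC</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, set_of_groups) from an already-verified assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = set()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            groups.update(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id, groups


def decide_license(groups):
    """Full only while the designated group is present, else Participant."""
    return "Full" if FULL_LICENSE_GROUP in groups else "Participant"


def provision(directory, xml_text):
    """Create the account on first login, then reconcile the license on every
    later login so a lost group also removes the Full license.
    Returns (action, license); `directory` is a dict standing in for LFDS."""
    name_id, groups = parse_assertion(xml_text)
    wanted = decide_license(groups)
    current = directory.get(name_id)
    if current is None:
        directory[name_id] = wanted
        return "created", wanted
    if current != wanted:
        directory[name_id] = wanted
        return "changed", wanted
    return "unchanged", wanted
```

Reconciling on every login, not just on first registration, is what gives the downgrade behaviour asked for above; a first-login-only rule would leave a Full license in place after the group is removed.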