Thanks Samuel. We're looking at the LFDS SDK with our client now and cannot find the linkage for non-Full licenses to the members available in WellKnownLicenseType.

Besides Full and None, there is AuthenitcatedSubmitter, Restricted, and Retrieval.

Is this something we need to open a ticket as it depends on Avante/Rio?

What license type are you trying to assign? Describe in terms of the license model (Subscription/Rio/Avante) and the name of the license as it appears in the LFDS admin UI.

Our client is trying to add Education User.

Also I want to confirm, SAML users may have certain field auto-populated when added manually (e.g. name, department, we're using Azure Active Directory). When we add a user using the LFDS SDK, can it also look up those values from SAML (either automatically or through some refresh)?

Hi Michael,

My colleague on the LFDS team tells me that to get the GUID for Education user licenses:

They may need to get the MasterLicense, then look for the matching guid under licenses. It doesn't sound like there's a direct lookup. It sounds like LMO can do it, they won't need to grab the license manually.

When you add SAML users manually, you have to provide all those extra (non-required) attribute values. When a user logs in and their SAML token includes those attributes in its claims, LFDS will update its side with the values in the token at that time.

The SAML specification doesn't have a "look up" attributes function - it's purely for authentication. However, the complementary SCIM protocol does. It's designed to sync users/groups/attributes to provide functionality similar to LFDS AD Group Sync.

There are two versions of SCIM:

v1.1, used by Okta and others, which LFDS has implemented, and v 2.0, used by Azure Active Directory and others, which is tentatively on the LFDS implementation roadmap by the end of the year. SCIM the "right" way to address the "syncing SAML users and attributes" scenario, so I'd recommend implementing whatever stopgap functionality you need in LMO now and then waiting for official AAD SCIM 2.0 support in LFDS.

Note that LFDS SCIM support does require the Laserfiche Enterprise Identity Management (EIM) add-on license.

Cheers,
Sam

Follow-up questions: 

1. Does SCIM protocol in conjunction with Laserfiche have the ability to remove user licenses?  I may have missed it but I did not see if that question was answered above.

2. Is there a way to leverage SCIM to sync users that might need different licenses? When using AD sync you can create multiple rules that can give users participant/educational or full licenses depending on the AD group they are a part of.  Based on what I see in the instructions below, it seems like you can only set one license type and all users provisioned through SCIM will be given this specified license type.

https://doc.laserfiche.com/laserfiche.documentation/11/administration/en-us/Subsystems/LFDS/Content/ConfiguringSCIMinDirectoryServer.htm