
Question

SAML - Assign User License to a group using rules

asked on May 31, 2022

Hi Team,

Is there a way in which we can configure LFDS with SAML and get the rules enabled to assign user licenses automatically (like how we can create an AD group and use LFDS rules to assign a "User License" to the users in that AD group)?

Thank you.


0 0

Replies

replied on June 9, 2022

Hi Bipin,

If your SAML directory is backed by Active Directory, you can do this by using our Linked Identity Providers feature (formerly known as Proxied Providers). Your users will authenticate using SAML but will be managed in LFDS as Active Directory users (and therefore you can use AD sync rules as normal). We have documentation on this feature here.

If your SAML directory is not backed by Active Directory, you will have to use self-registration or SCIM (Okta only at this time) to assign licenses to SAML users without administrator intervention.

1 0
replied on June 9, 2022

Chase, if using Okta with SCIM, I was reading that you set the license type that is assigned to all incoming accounts on the SCIM tab. How do you handle assigning out different license types for Okta users? Would you need to configure 2 different Okta providers in LFDS?

0 0
replied on June 9, 2022

Hi Blake, LFDS cannot handle more than one license type for SCIM at this time but we are working on SCIM improvements that will allow for an experience similar to AD sync's rules feature.

0 0
replied on June 9, 2022

Is there a timeframe for that? That's a deal breaker for us to move to Okta SCIM.

0 0
replied on June 9, 2022

There is no solid timeline right now but a very rough estimate would be the first half of 2023.

0 0
replied on August 4, 2022

This seems to be true for Cloud as well. There is no option to handle both Full and Participant users, so all license assignment is being done manually.

Some questions I have are:

Why does JIT support both Full and Participants?

What is the disadvantage of using JIT over SCIM and why are there 2 technologies to begin with?

Why are we able to enable BOTH JIT and SCIM if they conflict with each other?

0 0
replied on August 4, 2022
  1. Just in Time provisioning is designed to allow users to get licenses on-demand when they need access to resources. You might not want every user to get the same license type though, so we provide options for which licenses you would like to allow.
  2. These are two features that accomplish different things. SCIM is closer to a synchronization, when you want all your SAML users in Laserfiche all the time (at least in LFDS), and you want their accounts updated when something changes on the SAML side.
  3. These features don't necessarily conflict with one another. In LFDS you can have multiple SAML IdPs and only turn on SCIM for some and use self-registration for the rest. In the current cloud SCIM implementation, we do not load existing users into the system until there are updates to them, so JIT can help cover the users that were not loaded in by SCIM yet.
0 0
replied on August 4, 2022

They seem to conflict since if you enable SCIM, the JIT license assignments stop working no matter what you choose for license assignment on the SCIM side. Even if you choose None, the JIT license assignments stop working.

I am not sure why you would ever NOT want SCIM enabled, as it is responsible for synchronizing your users, but you would also want JIT enabled, as it is responsible for group-based license assignment and first-time creation of new users.

0 0
replied on August 4, 2022

One thing I want to clarify is that JIT only triggers when users that do not exist in the system try to access the system. If a user already exists, JIT will not update their license (or be used at all) on the next login. Does that help explain?


(We do want to implement group based licensing for SCIM in the future though)

0 0
replied on August 4, 2022

I believe the procedure that our clients use is the following:

  1. Add a user to either the Laserfiche Full Users AD group or the Laserfiche Participant Users AD group.
  2. Let the user know they can log in.

This means the account will not exist, but that it will be created automatically by JIT when they log in.


The problem is, they have no license assigned, so IT has to go back and manually assign a license.

0 0
replied on August 4, 2022

If JIT is creating the users but not assigning them the license that it's configured to, I'd recommend opening a support case.

0 0
replied on August 4, 2022

It is clearly a SCIM conflict. If you change SCIM to None, all users are assigned None; if you change it to Full, all users are assigned Full; and if you change it to Participant, all users are assigned Participant.

0 0
replied on August 5, 2022

Yes that is the case because SCIM and JIT both act on the same set of users (for now) and JIT is a one-time operation whereas SCIM operates periodically. Once group based licensing for SCIM is added, or support for several SAML providers is added in cloud, there will be more flexibility.

0 0
replied on August 5, 2022

What happens if you don't have SCIM enabled and an account is removed from the Laserfiche Users group or disabled in AD. Does the account stay active and the license assigned in LF? That is the primary concern our customer had.

0 0
replied on August 5, 2022

Yes, I don't think there's any way to propagate that update to Laserfiche (in cloud anyway) without SCIM enabled.

0 0
replied on August 5, 2022

Got it, that seemed to be the general guidance found on Google too, almost as if JIT was meant for a simpler type of service where accounts are never removed or disabled.

0 0
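An added example (not code from Laserfiche or from any poster in this thread) that models the two points made above: JIT assigns its rule-derived license only when it creates an account and never revisits it, and without SCIM an AD group change or disablement never reaches the Laserfiche account list, so a periodic audit is the only way to catch the drift. The group names, the group-to-license rule table and all user records are constructed assumptions for illustration.

```python
# Added illustration, not Laserfiche code. Models the thread's points that JIT
# assigns a rule-derived license only when it creates the account, and that
# without SCIM, AD group changes or disablements never reach LF, so a periodic
# audit of LF accounts against the IdP is needed. All data below is constructed.

# Hypothetical group -> license rules, using the AD group names from the thread.
# Earlier entries win when a user is in both groups.
GROUP_LICENSE = [
    ("Laserfiche Full Users", "Full"),
    ("Laserfiche Participant Users", "Participant"),
]

def expected_license(user):
    """License the rules would grant: 'None' for disabled users or no matching group."""
    if not user["enabled"]:
        return "None"
    for group, lic in GROUP_LICENSE:
        if group in user["groups"]:
            return lic
    return "None"

def jit_first_login(user, accounts):
    """JIT creates the LF account (with its license) only if it does not exist yet."""
    if user["name"] not in accounts:
        accounts[user["name"]] = {"license": expected_license(user), "active": True}
    return accounts[user["name"]]

def audit(idp_users, accounts):
    """Drift a SCIM-less setup must catch by hand: orphaned actives and wrong licenses."""
    idp = {u["name"]: u for u in idp_users}
    findings = []
    for name, acct in sorted(accounts.items()):
        user = idp.get(name)
        if acct["active"] and (user is None or not user["enabled"]):
            findings.append((name, "deprovision: missing or disabled in IdP"))
        elif user is not None and acct["license"] != expected_license(user):
            findings.append((name, f"license {acct['license']} -> {expected_license(user)}"))
    return findings

def demo():
    """Constructed scenario: alice changes group after first login, bob is disabled."""
    accounts = {}
    alice = {"name": "alice", "enabled": True, "groups": ["Laserfiche Participant Users"]}
    bob = {"name": "bob", "enabled": True, "groups": ["Laserfiche Full Users"]}
    jit_first_login(alice, accounts)
    jit_first_login(bob, accounts)
    # Later in AD: alice moved to Full, bob disabled. JIT never revisits existing accounts.
    alice["groups"] = ["Laserfiche Full Users"]
    bob["enabled"] = False
    jit_first_login(alice, accounts)  # no-op: the account already exists
    return audit([alice, bob], accounts)
```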