SAML Authentication lets OnApp act as a Service Provider for third-party systems through Single Sign-On, so that users of those systems can access OnApp services with their existing credentials without first being registered in OnApp Cloud.
This authentication is enabled by adding an Identity Provider (IdP) instance, which is used to redirect OnApp login requests to the server configured with SAML.
- Currently OnApp supports only the Windows ADFS identity provider.
- The IdP must be configured to supply the OnApp mapping attributes (user role, time zone, etc.).
- Only the HTTPS protocol is supported.
After selecting a SAML IdP on the OnApp login screen, a user is redirected to the login screen of that identity provider. Upon logging in there with their email and password (or if they are already logged in), they are redirected back to the OnApp Control Panel. This final redirect carries the user's email attribute, which OnApp uses to recognize them: if such a user already exists, he or she is recognized and authorized; if not, a new OnApp user is created automatically.
The attributes of the third-party system's users are synchronized on every login, depending on which attribute mapping keys are available. This enables the third-party system administrator to preset the main OnApp user properties (user role, time zone, group) without having to enter OnApp and make the configuration manually.
Users created without these attributes can be located and managed at Users and Groups > Users with Config Problems on your OnApp Control Panel.
To do so, disable the switch Local Login for SAML Users at Control Panel > Settings > Configuration > System.
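The Service Provider side of the flow described above (recognize the user by the email attribute, create the account if it does not exist, resynchronize mapped attributes on every login, and surface users that lack required attributes) as an added example; this is not OnApp's code, and the IdP attribute names and the mapping to OnApp properties are assumptions, since the page does not list the actual mapping keys.

```python
# Added example (not OnApp code): a minimal Service Provider-side model of the
# SAML login flow. Attribute names and the mapping table are assumptions.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed IdP attribute name -> OnApp user property (hypothetical mapping).
ATTRIBUTE_MAP = {"role": "role", "timezone": "time_zone", "group": "group"}


def parse_assertion(xml_text):
    """Return (email, mapped attributes) from a SAML 2.0 assertion.
    NOTE: a real SP must first verify the IdP's XML signature, audience and
    validity window; that verification is out of scope for this example."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    email = attrs.pop("email", None)
    if not email:
        raise ValueError("assertion carries no email attribute; user cannot be recognized")
    return email, attrs


def sync_user(users, email, attrs):
    """Find or create the user by email and overwrite mapped properties on every
    login. Returns (user, created, missing_keys); a non-empty missing_keys is
    what would show up under Users with Config Problems."""
    created = email not in users
    user = users.setdefault(email, {"email": email})
    missing = []
    for idp_key, onapp_key in ATTRIBUTE_MAP.items():
        if attrs.get(idp_key):
            user[onapp_key] = attrs[idp_key]
        elif onapp_key not in user:
            missing.append(onapp_key)
    return user, created, missing


# Constructed sample assertion (not a real capture); only the relevant parts.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="role"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="timezone"><saml:AttributeValue>UTC</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    store = {}
    email, attrs = parse_assertion(SAMPLE)
    print(sync_user(store, email, attrs))
```

The sample assertion deliberately omits the group attribute, so the first login creates the user and reports `group` as missing; a later login with different attribute values overwrites the stored ones.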