Release Date: Nov 24, 2020
Configure User from SAML Assertion
We have added more User settings that can be configured to apply to a User each time they log in via SSO (each SAML assertion). These settings will form part of the SSO Strategy configuration.
How to configure your user from a SAML assertion
Go to System Administration (⚙️).
Open your Login Strategy:
- Click on the + sign to create a new Strategy, or
- Open an existing Strategy by clicking on the Strategy.
Under User Creation, switch on the Configure User from SAML Assertion toggle.
Click + Add assertion mapping to add an assertion mapping option. You can add as many mapping options as you need by clicking this button.
Fill in the Assertion Attribute field with the name of the attribute from your SAML Identity Provider. The name must match the attribute in the SAML Identity Provider exactly.
Select what you want to assign from the User’s profile in the SAML Identity Provider to the User in the Kurtosys App each time the User logs in.
- Company: this will set the Company field for the User. You will only be able to assign one Company for the User.
- Email: this will set the Email for the User and is helpful when another field, such as External User Identifier or Username, is used for authentication. You will only be able to assign one Email for the User.
- Preset Document Entitlement: this will assign the relevant Preset Document Entitlements for the User. You will only be able to assign one Preset Document Entitlement for the User. The value of the attribute in the SAML Identity Provider must match the Preset Document Entitlement code exactly for the Preset Document Entitlement to be assigned.
- Role: this sets which Roles are assigned to the User when they log in. Multiple Roles can be assigned to a User by adding multiple assertion mappings. The Roles field does not accept an array of values, so the SAML Identity Provider needs a separate attribute for each Role to be assigned in the Kurtosys App. For example, the attributes in the Identity Provider can be called role_1, role_2, role_3, etc., and each of these attributes can be given any value that matches the name of a Role in the Kurtosys App. If the Role name does not match exactly, the Role will not be assigned upon assertion.
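The following Python is an added example, not Kurtosys code: it checks a test assertion's AttributeStatement against a copy of the assertion mappings, modelling the exact-match and one-value-per-attribute rules described above. The sample XML, the MAPPINGS and APP_ROLES tables, the Role names and the case-sensitive reading of "match exactly" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement (not captured traffic, not from the page).
SAMPLE = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="role_1"><saml:AttributeValue>Client Viewer</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role_2"><saml:AttributeValue>report editor</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Company"><saml:AttributeValue>Example Asset Management</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
"""

# Hypothetical copy of the Strategy's mappings: Assertion Attribute -> setting.
MAPPINGS = {"role_1": "Role", "role_2": "Role",
            "company": "Company", "email": "Email"}
# Hypothetical Role names defined in the app.
APP_ROLES = {"Client Viewer", "Report Editor"}


def read_attributes(xml_text):
    """Return {attribute name: [values]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iter("{%s}Attribute" % NS["saml"])}


def check_mappings(xml_text, mappings=MAPPINGS, roles=APP_ROLES):
    """Model the exact-match rules; return (settings that would apply, problems)."""
    attrs, applied, problems = read_attributes(xml_text), {}, []
    for name, setting in mappings.items():
        if name not in attrs:  # attribute names are compared case-sensitively (assumption)
            near = [n for n in attrs if n.lower() == name.lower()]
            problems.append(f"{name}: not in assertion" + (f" (IdP sends {near[0]!r})" if near else ""))
            continue
        values = attrs[name]
        if len(values) != 1:  # arrays are not accepted; one value per attribute
            problems.append(f"{name}: {len(values)} values, expected exactly one")
            continue
        if setting == "Role":
            if values[0] not in roles:
                problems.append(f"{name}: {values[0]!r} is not an exact Role name")
                continue
            applied.setdefault("Role", []).append(values[0])
        else:
            applied[setting] = values[0]
    return applied, problems
```

Calling check_mappings(SAMPLE) on the constructed input reports that role_2 carries a value that differs from the Role name only by case, and that the mapping named company does not match the attribute the IdP sends as Company.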