Self-Service User Management Using SAML Integration
SAML (Security Assertion Markup Language), is a mature technical protocol that passes metadata from the customer’s Identity Provider (IdP) to aPriori’s Cloud during the login process. For customers who opt in to this self-service option, aPriori Cloud will automatically add and update users based on SAML metadata.
Note:
This integration requires the customer’s IdP to become the system of record for all user additions and updates:
- The web interface for user management described in Using Self-Service User Management will not be available for adding and updating users. It will be available for deleting users as this cannot happen through SAML.
- Most user management through aP Pro in AppStream will not be available. These changes ensure that a user administrator cannot accidentally override changes made through the customer’s IdP. Any such changes outside the IdP would themselves be overridden as soon as the user logged in again and their SAML metadata was processed by the SAML-Managed automation.
Enrolling in Self-Service User Management through SAML
Enrolling in Self-Service User Management through SAML requires a one-time setup process:
- Create a Zendesk ticket for aPriori Customer Support indicating that you want to opt in to SAML management. We highly recommend requesting a report from aPriori showing all current aPriori users and their existing roles. Please see below for more explanation.
- Because SAML is easily extensible, your IT department will add a custom SAML field containing a comma-delimited list of customer-assigned aPriori roles.
Note the following key points about the new field:
- The value must contain a valid aPriori customer-assigned role from the list of mutually-exclusive roles (see Customer-Assigned User Roles), for example APRIORI_DESIGNER.
- Optionally, the field may also contain additional strings in a comma-delimited list of the optional roles (see Optional Roles), for example APRIORI_CONNECT_ADMIN or APRIORI_SANDBOX.
- The values are case-sensitive and must be spelled correctly. They must match exactly the format described in Customer-Assigned User Roles and Optional Roles in order to be recognized.
Before switching over to being SAML-Managed, we highly recommend the following:
- You request a report listing all known active aPriori users and their current roles as per step 1 above.
- Using the report of all known active users, confirm that all users are accounted for in your IdP.
- Confirm that all the aPriori roles for each user are correct.
Following these steps will help ensure that all your users and their roles are correct prior to becoming SAML-Managed. For example, if a user known to your IdP was not assigned aPriori roles in your IdP and your account was switched to being SAML-Managed, the next time that user logged in the automation would read the lack of aPriori roles to mean that the user should not have any, and any previously associated aPriori roles would be removed from that user.
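The following validator, added here as an example and not part of aPriori's product or documentation, shows one way a customer administrator could check the custom role field for every user before switching the account to SAML-Managed. It applies the rules from step 2 (exactly one mutually-exclusive role, optional roles in a comma-delimited list, exact case-sensitive spelling) and reports the failure mode described above, where an empty or missing field would strip a user's roles on next login. Only the three role names the page mentions are included; the complete `PRIMARY_ROLES` and `OPTIONAL_ROLES` sets must be filled in from the Customer-Assigned User Roles and Optional Roles sections, and the sample user records are constructed for illustration.

```python
"""Pre-switch audit of the custom SAML role field (added example, not aPriori code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASSUMPTION: only the roles named on the page are listed here. Complete both sets
# from the "Customer-Assigned User Roles" and "Optional Roles" sections.
PRIMARY_ROLES = frozenset({"APRIORI_DESIGNER"})          # mutually exclusive, exactly one required
OPTIONAL_ROLES = frozenset({"APRIORI_CONNECT_ADMIN", "APRIORI_SANDBOX"})
KNOWN_ROLES = PRIMARY_ROLES | OPTIONAL_ROLES


@dataclass
class RoleCheck:
    """Outcome of validating one user's role field."""
    primary: Optional[str] = None
    optional: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_role_attribute(value: Optional[str]) -> RoleCheck:
    """Validate the comma-delimited role list exactly as the IdP would send it.

    Tokens are compared verbatim: the page states values are case-sensitive and must
    match the documented spelling exactly, so this validator treats surrounding
    whitespace and case differences as errors rather than silently normalising them
    (an assumption on the strict side; confirm tolerated formats with aPriori).
    """
    result = RoleCheck()
    if value is None or value == "":
        # The automation reads "no roles" as "remove all roles" at next login.
        result.problems.append(
            "attribute missing or empty: user would lose all aPriori roles on next login")
        return result

    primaries: List[str] = []
    for token in value.split(","):
        if token == "":
            result.problems.append("empty entry in comma-delimited list")
            continue
        if token in PRIMARY_ROLES:
            primaries.append(token)
        elif token in OPTIONAL_ROLES:
            if token not in result.optional:
                result.optional.append(token)
        else:
            # Distinguish a spelling/case/whitespace near miss from an unknown role.
            candidate = token.strip().upper()
            if candidate in KNOWN_ROLES:
                result.problems.append(
                    f"not an exact match: {token!r} (expected {candidate!r})")
            else:
                result.problems.append(f"unrecognized role: {token!r}")

    if not primaries:
        result.problems.append("no customer-assigned (mutually-exclusive) role present")
    elif len(primaries) > 1:
        result.problems.append(f"more than one mutually-exclusive role: {primaries}")
    else:
        result.primary = primaries[0]
    return result


def audit(users: Dict[str, Optional[str]]) -> Dict[str, RoleCheck]:
    """Run the check over a user -> role-field mapping exported from the IdP."""
    return {user: parse_role_attribute(value) for user, value in users.items()}


# Constructed sample export; the addresses and values are illustrative only.
SAMPLE_USERS: Dict[str, Optional[str]] = {
    "alice@example.com": "APRIORI_DESIGNER,APRIORI_SANDBOX",   # valid
    "bob@example.com": "apriori_designer",                      # wrong case
    "carol@example.com": None,                                  # field not set in IdP
    "dave@example.com": "APRIORI_CONNECT_ADMIN",                # optional role only
}


def failing_users(users: Dict[str, Optional[str]]) -> List[str]:
    """Names of users that would be misprovisioned once the account is SAML-Managed."""
    return sorted(user for user, check in audit(users).items() if not check.ok)


if __name__ == "__main__":
    for user, check in audit(SAMPLE_USERS).items():
        status = "OK" if check.ok else "FIX"
        print(f"{status:3} {user}: primary={check.primary} optional={check.optional}")
        for problem in check.problems:
            print(f"      - {problem}")
```

Run it against a full export of the role field from your IdP before raising the Zendesk ticket, and compare the `OK` rows with the user and role report requested in step 1; any user in that report who is absent from the export or listed under `FIX` would be affected at their next login.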
User deletion must still occur through the web interface described previously (see Deleting Users), as the SAML protocol is only applicable on user login. Since a user who no longer has access to aPriori Cloud (for example, because they have left the customer’s company) will never log in again, aPriori Cloud needs the aPriori customer user administrator to use the web interface and indicate which specific individual(s) need to be removed. Doing so will free the seat that was taken by the removed user.