Automatic provisioning of tenant user accounts
This functionality is only available in version 16.5 Update 12 and later.
Automatic provisioning of SAML2 tenant user accounts is an optional feature that is based on the Identity Provider and its domain authentication services. When auto-provisioning is active then a new tenant user account can be created automatically when a user logs in to Planning Space for the first time using an account that is defined, and enabled to access Planning Space, by the Identity Provider's domain user services.
There are three parts to the configuration:
- In IPS Manager: the Claim Mapping tab in each tenant's Identity Provider configuration.
- In the Planning Space tenant: use Workgroup and Role management to define a dedicated workgroup to which new auto-created user accounts will become members; the role allocations for this workgroup must be set for the required modes of access which should be granted to each user (i.e., the Planning Space applications that can be used, and the levels of tasks/permissions within the application). The single workgroup is the basic configuration. Advanced configurations can have multiple workgroups to support user accounts having different modes of access, based on organizational job roles, for example.
- In the Identity Provider: set up a workgroup claim to be associated with the Planning Space workgroup (or multiple workgroups).
Filling in the Workgroup Claim field in the Claim Mapping tab in IPS Manager enables the auto-provisioning function, and empty the field to disable.
Tenant configuration: Claim Mapping
In the IPS Manager Tenants screen, click the Edit button for the tenant's Identity Provider settings. The Configure SAML2 dialog has two tabs - select the Claim Mapping tab. By default all of the fields are empty.
The settings are Workgroup claim, Display name claim, Email claim, and Description claim.
Filling in Workgroup claim will enable the auto-provisioning function. The other fields have defaults if values are not inserted. Suitable input values for claims are dependent on the type of the IdP server/service. The following table shows recommended values when Azure AD is used.
| Claim | Recommended value for Azure AD | How to configure |
|---|---|---|
| Workgroup claim | http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
|
Enterprise application > SAML-based sign on > User attributes and claims > Add a Group Claim. Choose 'Security Groups' and source attribute 'Group ID', then save. |
| Display name claim | http://schemas.microsoft.com/identity/claims/displayname
|
n/a |
| Email claim | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
|
n/a |
| Description claim | User description | Enterprise application > SAML-based sign on > User attributes and claims. Add a new claim called User description, map it to 'user.jobtitle', then save. |
Workgroup configuration: External group
In the tenant Security management UI, create a workgroup where the External Group field is filled-in:
External Group is an identifier string (e.g. 'EXT_GROUP_1' in the screenshot above) which will be used in the IdP configuration for the corresponding workgroup claim. Multiple correspondences between Planning Space workgroups and IdP workgroup claims can be configured, using different External Group identifiers.
The role allocations for the workgroup must be carefully set for the required modes of access which should be granted to auto-provisioned users (i.e., the Planning Space applications that can be used, and the levels of tasks/permissions within the application).
Important: If external groups are modified for a user account in the IdP then at the next login IPS Server will pick up the changed information and modify the Planning Space user account's workgroup memberships accordingly. The group sync always happens when the user logs in, and it will override changes made in Planning Space (for example, the Planning Space Administrator removes a user account from a workgroup, but the IdP user account is set as a member of the corresponding external group). Note that an auto-provisioned tenant user account can only be disabled (i.e., set to 'Deactivated') by direct editing in the Planning Space UI, or via Web API requests. However, if the IdP user account is removed from all IdP external groups then after group synchronization, in a securely-designed deployment, the Planning Space user account will have its workgroup membership(s) revoked and it should not have permissions to perform any actions in the tenant (note: the user account can never be removed from the 'Everyone' workgroup).
IdP configuration: Workgroup Claim
In the Identity Provider server/service, the Workgroup Claim needs to be configured. For example, the following screenshot shows a rule setting in ADFS where the 'Outgoing claim value' has been set to 'EXT_GROUP_1' and the 'Domain Users' have been granted access to the claim - thus any user account in the domain will be able to access Planning Space and trigger the auto-provisioning function.
