help.sitevision.se always refers to the latest version of Sitevision
Create Virtual groups for SAML
SAML stands for Security Assertion Markup Language and is an XML-based open standard for exchanging authentication and authorisation data.
SAML is a federated login method that lets you log users in against your own directory service (AD) without SiteVision needing direct contact with AD. If a visitor navigates to an address that requires login, they are redirected to the customer's IdP (located in the customer's own environment), where the visitor logs in. When the login is complete, a form with signed information is posted back to SiteVision.
You can create virtual groups in four different ways:
- Everyone logged in via SAML
- Groups
- E-mail address (single user)
- E-mail address (all)
Everyone logged in via SAML
As a first test when setting up SAML settings, it's a good idea to create a Virtual group for all users logged in via SAML and try logging in. Enter SAML in uppercase as the Id so that the Virtual group consists of everyone who logs in via SAML.
Groups
Giving entire groups in the directory service access through Virtual groups is straightforward. This allows you to assign permissions to a page or structure to all users in the group.
Enter the attribute value of the attribute that you configured as the group attribute in the SAML2 login module. For example, if the group attribute name is groups, use the text found in each AttributeValue element.
The example below shows a SAML assertion with 2 group names, SVeconomyEditors and SVadmin:
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">SVeconomyEditors</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string">SVadmin</saml:AttributeValue>
</saml:Attribute>
It is important to specify the EXACT name of the group attribute value.
E-mail address (single user)
You can use an e-mail address to create a Virtual group for a single user.
Enter an e-mail address in the Id field.
E-mail address (all)
You can use the domain in an e-mail address to create a Virtual group consisting of all users with a specific e-mail domain.
Type the part of the address after @ (the domain) as the Id so that all users with that domain are associated with the Virtual group.
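To make the four Id forms concrete, here is an added example (not Sitevision's own code) that reads the group attribute values out of a SAML assertion and works out which configured Virtual group Ids a logged-in user would match. The assertion is a constructed sample modelled on the snippet above; the attribute name "mail" for the e-mail address, the user and domain values, and the exact case-sensitive string comparison are assumptions for illustration, since the page only states that the group value must match exactly. The example also assumes the signature on the SAML response has already been verified before any attribute value is trusted, which is the login module's job and is outside this snippet.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample assertion fragment, modelled on the snippet on the page.
# The "mail" attribute and its value are assumptions; real IdPs vary.
# Attribute values must only be trusted after the SAML signature has been
# verified; that check happens before this code would ever run.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    xmlns:xsi="{XSI_NS}" xmlns:xs="{XS_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">SVeconomyEditors</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">SVadmin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xsi:type="xs:string">anna.andersson@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(assertion_xml, attribute_name):
    """Return the AttributeValue strings of the named SAML attribute, in order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == attribute_name:
            for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((val.text or "").strip())
    return values


def matching_virtual_groups(assertion_xml, virtual_group_ids,
                            group_attribute="groups", mail_attribute="mail"):
    """Return the configured Virtual group Ids this assertion satisfies.

    The Id forms follow the four kinds described on the page:
      "SAML"          everyone logged in via SAML
      <group value>   exact match of one value of the group attribute
      <user@domain>   exact match of the user's e-mail address
      <domain>        the part after @ of the user's e-mail address
    Comparison is exact and case-sensitive (an assumption of this example).
    """
    groups = set(attribute_values(assertion_xml, group_attribute))
    mails = set(attribute_values(assertion_xml, mail_attribute))
    domains = {m.split("@", 1)[1] for m in mails if "@" in m}

    matched = []
    for vg_id in virtual_group_ids:
        if vg_id == "SAML" or vg_id in groups or vg_id in mails or vg_id in domains:
            matched.append(vg_id)
    return matched


if __name__ == "__main__":
    configured = ["SAML", "SVadmin", "SVeconomyeditors",
                  "anna.andersson@example.org", "example.org", "other.org"]
    print(matching_virtual_groups(SAMPLE_ASSERTION, configured))
```

Note that "SVeconomyeditors" is not matched: the value differs from "SVeconomyEditors" only in case, which is the kind of mistake the EXACT-name rule above warns about, and this example treats it as a non-match.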