always refers to the latest version of Sitevision

Good to know about SAML

  • The SAML ticket is mostly in XML format and contains attributes that must be included and attributes that you choose and fully control. More info about SAML ticket and Saml et-up here

  • One of the attributes that must be included is what we usually refer to as the identifier. The identifier is the SAML attribute named "urn:oid:0.9.2342.19200300.100.1.1.". This attribute is the basis for how SiteVision identifies the user and connects them to a user item in SiteVision.

  • When you have a federated login, SiteVision can neither read nor write in the directory. The only thing that SiteVision is allowed to "know" about the user is what is sent in the SAML ticket and what is configured so that it is received via the SAML set-up.

SAML identifier selection

You choose what is sent as identifier in the SAML ticket at set-up of IdP and SAML solution. You can choose between the different unique fields available to a user in the custom directory. We recommend that you choose a stable identifier without direct personal data. The identifier in the SAML ticket does not have to be the same as the username for the login. The identifier is case-sensitive; in other words, "kallekula" is not the same as "KalleKula".

Recommended identifiers

  • The identifier must be unique to the user and constant. Examples of constant identifiers are UUID, GUID or ID number (note that these are unappropriate if they contain personal data).

Inappropriate identifiers

  • An E-mail address is inappropriate as an identifier because it contains direct personal data, and is also considered unstable. For example, people get might married and change their last name and thus e-mail address - the identifier then changes.
  • The employee ID, CN, username, social security number and other personal data are not appropriate with regards to GDPR.

Change of SAML identifier

The identifier in the SAML ticket is the basis for the association between a user in the Federated Directory Service and SiteVision. Therefore, changes to the identifier result in SiteVision not being able to reconnect the user with the user item.

Some modules, such as booking, list favourites and web enrolment, depend on the user item, and these modules are affected by a change in the Identifier.

Social Collaboration

All changes to the identifier result in the creation of a new user item in SiteVision. Therefore, if the identifier is changed, the user will still be able to log in to SiteVision with the SAML ticket, but now get another user item. Therefore, on websites where Social Collaboration is enabled, the new user item will create a new social profile.

There are a couple of different scenarios for when the identifier changes.

  • You want to deliberately change what is sent as an identifier and replace the value that the directory service will send in the IdP
  • You adjust the identifier without knowing that it will have effects
  • Changes are made to the directory service, where the field used as an identifier changes for one or more users. For example, you might want to change all uppercase letters to lowercase, to achieve a standard.

In the first case, you can be proactive and through an order job from SiteVision Support get help to both create the new user items and reconnect social profiles, so that users retain their old profile and settings.

In the other two cases, the "damage" is already done. SiteVision Support can help to carry out the changeovers even then, but because the order job needs some foresight, you can live with that some or all users over a period do not have their old profiles and have no settings.

User items in SiteVision

SiteVision has two types of user item.

  • user - user item created during a direct connection between the directory service and SiteVision, e.g. during own server operation
  • simpleUser - user item created during federated login with SAML, e.g. in SiteVision Cloud

Information about the user is saved on the user item.

  • My favourites
  • Settings for the editor (language, text size etc.)
  • Any data from third party functions (e.g. script modules created by partners)

Social profile in Social Collaboration

If Social Collaboration is enabled on the website, a social profile is created by SiteVision for each user item that is created. The user item and social profile have a two-way reference and are therefore interdependent.

  • userIdentity

The social profile saves information associated with the user and Social Collaboration.

  • Profile image
  • Membership of groups
  • Notifications
  • And much more connected to Social Collaboration


The page published:

Did the information help you?