User Provisioning with SAML

Customers can create and update internal and external user accounts using SAML SSO (single sign-on).
Note: If a user is signing up through SAML, then the Approval Process service needs to be disabled at the user's home domain. This needs to be done so that the user is auto-approved.

The IdP (identity provider) must provide the following attributes in the request to either create or update user accounts.

The sent attributes must match the following attribute names.
Note: You can change the names of these attributes. For more details, refer to Configuring SAML single sign-on for each Microsite.
  • fname - The first name of the user as a string. The value cannot be null or empty.
  • lname - The last name of the user as a string. The value cannot be null or empty.
  • personno - The person no. of the user. This is optional. If this is not passed, the system automatically generates a value. If this is passed, ensure that the value is unique. The maximum length of the attribute value is 50.
    Note: If you intend to pass a value for the personno attribute, you must switch off autogeneration for the External / Internal people component.
    For example, to switch off autogeneration for the External people component:
    • Navigate to Admin > System > Configure System > Services > User Profile > Components > Person,External > Attributes.
    • Click the person_no attribute.
    • Uncheck Is Generated.
  • email - A well-formed email address for the user as a string. The value cannot be null or empty.
  • manager - The Employee ID of the manager. The manager is assigned while creating or updating a user through SAML.
    Note: If the manager attribute holds an invalid value, then while updating the user, an error is shown on the SAML error page.

    User creation does not fail if an invalid value is provided for the manager attribute; instead, a blank value is passed for the manager attribute.

  • managerusername - The username of the manager.
    Note: If a value is provided/passed for this attribute, the value of the manager attribute will be discarded.
  • securitykeyword - A static value used by a People administrator when creating a new rule, who then provides the keyword to users to enter at the time of self-registration. The value can be null or empty.
  • timezone - The time zone as per the Java Olson time zone database. For example: Asia/Calcutta. If an empty value is sent for this attribute, then (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London will get assigned.
  • status - Provide any valid value available in the person status list of values. To update the status of a person, the name of the status is considered, not the UI label.
    Note: Status is a mandatory field while creating an internal user. Therefore, "Active" is set as the default value if a blank value is passed while creating an internal person.
  • gender - Provide an integer value such as:
    • 1 - Male
    • 2 - Female
    • 3 - Decline Self Identification
    • 4 - Not Known
    • 5 - Non-Binary
  • locale - Provide values such as en_US, de_DE, etc.
    Note: By default, gender is set to "Not Known", locale is set to the default locale and status is set to blank. User creation WILL NOT fail if an invalid value is passed for status, gender or locale; however, an update WILL FAIL if an invalid value is passed for gender, status or locale. If a blank value is passed, the default value is set for the respective field.

  • organization - Provide a valid value such as the Internal Organization ID for an internal user and the External Organization ID for an external user.
    Note: User creation or update WILL FAIL if an invalid Organization ID is passed. If a blank value is passed and no sign-up rule applies, the organization is kept blank and an external user is provisioned.
  • organizationnumber - Provide a valid value such as the Internal Organization number for an internal user and the External Organization number for an external user.
    Note: If a value is passed for this attribute, the value of the organization attribute is discarded. If a blank value is passed and no sign-up rule applies, the organization is kept blank and an external user is provisioned.
  • homedomain - Provide a valid Domain ID.
    Note: User creation or update WILL FAIL if an invalid Domain ID is passed. If a blank value is passed, the default domain is set.
  • homedomainname - Provide a valid Domain name.
    Note: If a value is passed for this attribute, the value of the homedomain attribute is discarded.
  • securitydomain - Provide a valid Security Domain ID.
    Note: User creation or update WILL FAIL if an invalid Security Domain ID is passed. If a blank value is passed, the default security domain is set.
  • securitydomainname - Provide a valid Security Domain name.
    Note: If a value is passed for this attribute, the value of the securitydomain (Security Domain ID) attribute is discarded.
  • username: Provide the username in the SAML response for user provisioning, in case the username has to be different from the NameId provided.
    Note: It will be honored only if the property Enable Person Number As Username is true during user creation.
  • currency: Provide the ISO code for the currency. It will be added as the default currency for the user during the external user creation.
    Note: No currency update option is available with this attribute.
  • terminationdate: The Termination Date can be provided during creation or update of the user. The accepted date format is yyyy-MM-dd.
    Note: A past or current date is ignored.
  • address1: The Address 1 details.
  • address2: The Address 2 details.
  • address3: The Address 3 details.
  • city: The name of the City.
  • zip: The value of the Zip or Postal code.
  • state: The name of the State.
    Note: If the state does not exist in the system, the user is still created or updated, and the person Profile page shows the value highlighted in red text.
  • country: The name of the Country.
    Note: If the country does not exist in the system, the user is still created or updated, and the person Profile page shows the value highlighted in red text.
    Note: The address1, address2, address3, city, zip, state and country fields are supported only for the Main Address / Business Contact section.
  • businesscardtitle: The value for Business Card Title.
  • persontype: The value for Person Type. It is case-sensitive.
    Note: Person Type is checked against "Name" in the Person Type LOV. If persontype does not exist in the system, it still creates a user and the person's profile page shows the persontype value as empty. If the persontype attribute holds an invalid value, then while updating the user, an error will be shown in the SAML error page.
  • locationname: The value for Location Name. It is not case-sensitive.
    Note: If both the location name and the location number are passed, only the location number is checked, and if it is incorrect or invalid, an error is thrown. If only the location name is passed and multiple locations exist with the same name, an error indicating that multiple locations exist is thrown.
  • locationnumber: The value for Location Number. It is not case-sensitive.
  • jobname: The value for Job Name. It is not case-sensitive.
    Note: If both the job name as well as the job code are passed, only the job code is checked and if it's incorrect or invalid, an error is thrown. If only the job name is passed, it is checked against the default locale.
  • jobcode: The value for Job Code.
  • custom0, custom1, custom2, custom3, custom4, custom5, custom6, custom7, custom8, custom9: The value for these custom fields.

    For custom fields, pass values in the following format, based on the data type:

    • Time: HH:mm:00
    • Date: yyyy-MM-dd 00:00:00.0
    • Boolean: True/False (case-insensitive)
    • Integer: Any integer
    • Real: Any float value
    Note:
    1. If any of the custom fields is a user-created LOV and the value does not exist in the system, no error is thrown.
    2. If a default value is set for any of the component attributes, a blank or null value is not allowed for that field in SAML user provisioning. This means that if you provide a value (while creating a new record), the value is set, and if you do not provide a value (i.e. a blank value), the default value available at the component level is set.
  • Prefer SAML attribute for new user - If the "Prefer SAML attribute for new user" property is set to true, then the SAML attribute values are considered over the sign-up rule, otherwise, the sign-up rule values are considered for organization, security domain and home domain. If security domain and home domain are not specified in sign-up rule, the default values will be set as per the sign-up rule new user creation.

    Value set at Sign-up rule for "Terminated After (days)" is assigned to a newly created user by SAML provisioning only if "Prefer SAML attribute for new user" is false and value set at Sign-up rule level is a value other than the OOB value and no value is passed from SAML.

Note: Any attribute name (such as User Email Attribute Name, User First Name Attribute Name, User Last Name Attribute Name, User Person Number Attribute Name, User Timezone Attribute Name) or attribute value that breaks the SAML XML response syntactically will not be supported.

For example, the following special characters are not supported as they break the syntax of XML:

  • & (ampersand)
  • < (less-than)
  • > (greater-than)
  • " (double quote)
  • ' (single quote)
  • / (slash)

Important: email, fname and lname are mandatory attributes. If any one of them is left blank, the system will not perform the required operation (create or update).

For information on how to set up these attributes in the IdP, refer to the Setting up IdP for Cornerstone Saba's Application section.

The application trusts the information provided by the IdP. If the submitted credentials do not exist in the Cornerstone Saba database, then the SAML request creates the account. If the credentials already exist, then the SAML request updates the existing account.

To enable user account provisioning for a site:
  1. Log in to Cornerstone Saba as the 'system admin' user.
  2. Edit the SAML configuration using System > Configure System > SAML SSO Setup > <MicroSite> > Edit > Configure Properties. For more details, refer to Configuring SAML single sign-on for each Microsite.
  3. Update the following information.
    • Enable User Information Update through SAML - If set to true, Cornerstone Saba user account information is updated automatically through SAML. All attributes passed by the IdP that are supported by SAML user provisioning are updated automatically.
    • Enable User Provisioning Through SAML - If set to true, new Cornerstone Saba user accounts can be created through SAML.
    • Enable Person Number As Username - Set this to true if the user should be logged in after validating the NameID passed from the IdP against the Person Number field in Cornerstone Saba.
      Note: For this to work, there must be a SINGLE user with the passed Person Number. For user provisioning, the NameID is used as the Person Number instead of the Person Number attribute value; the Person Number attribute is ignored for user provisioning.

      If you enable this property, the "Is Generated" property of the Person Number attribute must be set to false for the NameID to be stored as the Person Number during user provisioning.

    • Enable Termination Date Update if Empty - If set to true, the termination date is updated even if it is empty, provided provisioning updates are enabled for SAML. If set to false, the termination date is updated only if it is not empty.
    Note: You can also choose to change the names of the following attributes in the SAML Configuration page:
    • fname
    • lname
    • personno
    • email
    • manager
    • managerusername
    • timezone
    • status
    • gender
    • locale
    • organization
    • organizationnumber
    • homedomain
    • homedomainname
    • securitydomain
    • securitydomainname
    • address1
    • address2
    • address3
    • city
    • zip
    • state
    • country
    • businesscardtitle
    • persontype
    • locationname
    • locationnumber
    • jobname
    • jobcode
    • custom0, custom1, custom2, custom3, custom4, custom5, custom6, custom7, custom8, custom9
  4. Save your changes.

Sample Attributes Statement that gets added to the authentication response

<saml2:AttributeStatement>
    <saml2:Attribute Name="fname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Vishal</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Sharma</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >ssharma@saba.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="timezone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Asia/Calcutta</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="personno" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >23232321</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="securitydomain">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >domin000000000200121</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="status">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Retired</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="organization">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >cmpny000000000200020</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="gender">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >2</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="homedomain">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >domin000000000200121</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="locale">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >de_DE</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="manager">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >persn000000000001024</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

Sample Attributes Statement that gets added to the authentication response (with the replaced attributes: 'organization' replaced by 'organizationnumber', 'homedomain' by 'homedomainname', 'securitydomain' by 'securitydomainname' and 'manager' by 'managerusername')

<saml2:AttributeStatement>
    <saml2:Attribute Name="fname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Vishal</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Sharma</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >ssharma@saba.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="timezone" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Asia/Calcutta</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="personno" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >23232321</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="securitydomainname">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >domin000000000200121</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="status">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >Retired</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="organizationnumber">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >00200020</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="gender">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >2</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="homedomainname">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >homeDomainName</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="locale">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >de_DE</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="managerusername">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
            >managerUserName</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>
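The attribute rules above (mandatory email/fname/lname, name-based attributes discarding their ID-based counterparts, the gender codes, the yyyy-MM-dd termination date that is ignored when past or current) can be checked before an assertion is handed to provisioning. The following pre-flight validator is an added example, not Cornerstone Saba code; the SAMPLE statement is constructed to carry both forms of the organization and manager attributes so the precedence rule is visible, and the cut-off date is fixed for reproducibility.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MANDATORY = ("fname", "lname", "email")
# Name-based attribute -> ID-based attribute whose value is discarded when both are sent.
NAME_OVERRIDES_ID = {"managerusername": "manager", "organizationnumber": "organization",
                     "homedomainname": "homedomain", "securitydomainname": "securitydomain"}
GENDER_CODES = {"1", "2", "3", "4", "5"}  # Male, Female, Decline, Not Known, Non-Binary

# Constructed sample statement (not captured from a live IdP); values mirror the page's samples.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="fname"><saml2:AttributeValue>Vishal</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="lname"><saml2:AttributeValue>Sharma</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="email"><saml2:AttributeValue>ssharma@saba.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="organization"><saml2:AttributeValue>cmpny000000000200020</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="organizationnumber"><saml2:AttributeValue>00200020</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="manager"><saml2:AttributeValue>persn000000000001024</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="managerusername"><saml2:AttributeValue>managerUserName</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="gender"><saml2:AttributeValue>2</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="terminationdate"><saml2:AttributeValue>2020-01-01</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""

def parse_attributes(xml_text):
    """Map Attribute Name -> first AttributeValue text. Run this only on an assertion whose
    signature has already been verified: the application trusts IdP-supplied data as-is."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(SAML2 + "Attribute"):
        value = attr.find(SAML2 + "AttributeValue")
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_provisioning(attrs, today=None):
    """Apply the page's rules: mandatory fields, name-over-ID precedence, value constraints."""
    today = today or date.today()
    errors, warnings, effective = [], [], dict(attrs)
    for name in MANDATORY:  # blank email/fname/lname: neither create nor update is performed
        if not effective.get(name):
            errors.append(f"{name} is mandatory and must not be blank")
    for name_attr, id_attr in NAME_OVERRIDES_ID.items():
        if effective.get(name_attr) and id_attr in effective:
            warnings.append(f"{id_attr} discarded because {name_attr} was supplied")
            del effective[id_attr]
    if len(effective.get("personno", "")) > 50:
        errors.append("personno exceeds the maximum length of 50")
    if effective.get("gender") and effective["gender"] not in GENDER_CODES:
        warnings.append("gender is not 1-5: ignored on create, but an update would fail")
    if effective.get("terminationdate"):
        try:  # accepted format is yyyy-MM-dd; a past or current date is ignored
            if datetime.strptime(effective["terminationdate"], "%Y-%m-%d").date() <= today:
                warnings.append("terminationdate is past or current and will be ignored")
                del effective["terminationdate"]
        except ValueError:
            errors.append("terminationdate must be in yyyy-MM-dd format")
    return {"ok": not errors, "errors": errors, "warnings": warnings, "effective": effective}

def check_sample():
    return check_provisioning(parse_attributes(SAMPLE), today=date(2024, 6, 1))
```

Running check_sample() shows the ID-based organization and manager values dropped in favour of organizationnumber and managerusername, and the 2020 termination date discarded, while the statement still passes because all three mandatory attributes are present.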