The instructions on this page apply to the latest on-premise solution of Enterprise Studio. For instructions for the cloud solution, please refer to Configuring SAML 2.0 for hosted Team Server and HoriZZon.
If you encounter any issues with respect to your SAML 2.0 configuration, please contact BiZZdesign Support.
The Team Server supports user synchronization and authentication with an external identity provider using the SAML 2.0 standard. To be able to use SAML 2.0, a new application needs to be registered with the identity provider, and the Team Server needs to be configured.
Configuring user synchronization and authentication
- In the sidebar menu, click Settings > Authentication.
- On the authentication settings page, in Authentication, select identity provider SAML 2.0.
Leave the HoriZZon URL field empty.
- Create a BiZZdesign authentication app in your identity provider, using the following information:
Callback URL: Use the callback URL shown on the page when registering the application with your identity provider.
Assertion attributes: To be able to register users in the Team Server, add the attributes shown on the page to the SAML 2.0 assertions that the application issues.
The member_of attribute is optional and only required if you intend to use groups.
After the new application has been created the Team Server can be configured.
- Enter the following details about the identity provider:
Identity provider metadata path: Enter the metadata path for the newly registered application.
Identity provider name: Enter a name for the identity provider. This is the name users will see when they go to the sign-in page of the Team Server or HoriZZon.
Service provider entity ID: Enter the entity ID of the Team Server. The entity ID must be written exactly as it appears in the metadata file; entity IDs are compared as literal strings, so letter case and a trailing slash matter. If the field is left empty, the callback URL shown on this settings page is used as the entity ID.
- Under Group member removal, in Hours before removal, set the number of hours the group members must remain in the Team Server after they have been removed via just-in-time provisioning, to prevent data loss in case of mistakenly removed group members. After this time the group members will be removed from the Team Server.
- If you use group authentication, user access is configured via these groups. If you do not use group authentication, or cannot rely on it at the moment of user provisioning, you can specify one or more default roles that give all users access. If you do not define any default role, users initially have minimal access.
Under Default roles, select the roles that the provisioned users need to have when signing in to the Team Server. The selected roles will be assigned to all users upon provisioning. For more information about roles, please refer to User roles and permissions.
- Click Apply to save the changes, and restart the Team Server for the configuration changes to take effect.
User provisioning and group membership
Users are provisioned just-in-time, meaning that they are added as user to the Team Server the moment they first sign in, provided that they have been granted access. Group membership is also registered just-in-time. Users are added and removed from groups the moment they sign in to the Team Server. The actual groups have to be created in the Team Server before members can be added just-in-time.
Users do not receive an e-mail notification (as manually added users do), and do not need to register with the Team Server to get access. Their user accounts are immediately ready for signing in and can be used directly for invitations to model packages and projects. To work with model packages and projects, users must have been assigned the (Lead) Designer role.
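The following added example (not Team Server code) models the just-in-time behaviour described in this section together with the Hours before removal grace period from the settings above: the member_of values are read from a constructed assertion, unknown groups are ignored because groups must already exist, a group dropped at the identity provider is kept until the grace period has elapsed, and a membership asserted again in the meantime cancels the pending removal. The attribute name email, the in-memory store, and the choice to apply due removals at the next sign-in or from a sweep job are assumptions; only member_of is named on the page.

```python
"""Just-in-time user and group provisioning from a SAML assertion, including
the 'Hours before removal' grace period.

Added example, not Team Server code. Assumptions: the attribute name 'email'
(the page names only member_of), the in-memory store, and that due removals
are applied at the user's next sign-in or by a periodic sweep.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # reference time for the example


def at(hours):
    """Clock helper: T0 plus the given number of hours."""
    return T0 + timedelta(hours=hours)


# Constructed assertion fragment: only the AttributeStatement matters here;
# the signature and conditions are assumed to have been verified already.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="member_of">
      <saml:AttributeValue>architects</saml:AttributeValue>
      <saml:AttributeValue>reviewers</saml:AttributeValue>
      <saml:AttributeValue>hr-only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes_from_assertion(xml_text):
    """Map attribute Name -> list of values (member_of is multi-valued)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        values = [v.text.strip() for v in attr.findall("{%s}AttributeValue" % SAML) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


@dataclass
class User:
    email: str
    roles: set
    groups: set = field(default_factory=set)
    removal_due: dict = field(default_factory=dict)   # group -> datetime of removal


class Directory:
    def __init__(self, existing_groups, hours_before_removal, default_roles):
        self.groups = set(existing_groups)     # groups must already exist in the Team Server
        self.users = {}
        self.grace = timedelta(hours=hours_before_removal)
        self.default_roles = set(default_roles)

    def sign_in(self, attrs, now):
        """Apply one successful SAML sign-in; returns the (possibly new) user."""
        email = attrs["email"][0]
        user = self.users.get(email)
        if user is None:
            # First sign-in creates the account at once: no invitation e-mail and
            # no registration step; the default roles are granted on provisioning.
            user = User(email=email, roles=set(self.default_roles))
            self.users[email] = user
        asserted = {g for g in attrs.get("member_of", []) if g in self.groups}
        for g in asserted:
            user.groups.add(g)
            user.removal_due.pop(g, None)     # membership confirmed again: cancel removal
        for g in user.groups - asserted:
            user.removal_due.setdefault(g, now + self.grace)   # start the grace period once
        self._apply_due_removals(user, now)
        return user

    def _apply_due_removals(self, user, now):
        for g, due in list(user.removal_due.items()):
            if now >= due:
                user.groups.discard(g)
                del user.removal_due[g]

    def sweep(self, now):
        """Periodic job: remove memberships whose grace period has elapsed."""
        for user in self.users.values():
            self._apply_due_removals(user, now)
```

A long grace period protects against an accidental group change at the identity provider, but it also means a deliberately revoked membership keeps its Team Server access for that many hours; pick the value with both in mind.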
Additional service provider settings for certain identity providers
The Team Server's service provider has preconfigured values for some settings that conflict with certain identity providers (including but not limited to ADFS 2.0/3.0 and Azure SAML). These settings cannot be changed via the Team Server user interface. If you need them changed, please contact BiZZdesign Support.
This setting controls whether or not the Service Provider sends the NameQualifier. By default, the Service Provider includes the NameQualifier in the AuthnRequest. Some Identity Providers do not accept a NameQualifier when the name ID format is "entity" (urn:oasis:names:tc:SAML:2.0:nameid-format:entity), in which case NameQualifier must be disabled. Valid values are true (the default) and false (to disable).
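To make the setting concrete, the following added example (not Team Server code; entity IDs and URLs are placeholders) builds the AuthnRequest with and without the NameQualifier on the Issuer, and includes a check that can be run over a captured request to find the combination strict identity providers reject: a qualifier attribute on an Issuer or NameID whose format is the entity format, which SAML 2.0 Core (section 8.3.6) requires to be omitted.

```python
"""AuthnRequest with and without NameQualifier, plus a check for qualifier
attributes on elements using the 'entity' name ID format.

Added example, not Team Server code; entity IDs and URLs are placeholders.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
QUALIFIERS = ("NameQualifier", "SPNameQualifier", "SPProvidedID")
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, idp_sso_url, acs_url, request_id,
                        issue_instant, send_name_qualifier=True):
    """Minimal unsigned AuthnRequest; send_name_qualifier mirrors the SP setting."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    issuer = ET.SubElement(req, "{%s}Issuer" % SAML, {"Format": ENTITY_FORMAT})
    issuer.text = sp_entity_id
    if send_name_qualifier:
        # The default behaviour described above: qualifier on the entity-format Issuer.
        issuer.set("NameQualifier", sp_entity_id)
    ET.SubElement(req, "{%s}NameIDPolicy" % SAMLP, {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "AllowCreate": "true",
    })
    return ET.tostring(req, encoding="unicode")


def entity_format_qualifiers(saml_xml):
    """Return (element, attribute) pairs for qualifier attributes that sit on an
    Issuer or NameID whose Format is the entity format. An Issuer without a
    Format attribute defaults to the entity format, so it is checked as well."""
    root = ET.fromstring(saml_xml)
    findings = []
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if el.tag == "{%s}Issuer" % SAML:
            fmt = el.get("Format", ENTITY_FORMAT)
        elif el.tag == "{%s}NameID" % SAML:
            fmt = el.get("Format")
        else:
            continue
        if fmt == ENTITY_FORMAT:
            findings.extend((local, a) for a in QUALIFIERS if el.get(a) is not None)
    return findings


if __name__ == "__main__":
    args = ("https://teamserver.example.com/saml/callback",
            "https://idp.example.com/saml/sso",
            "https://teamserver.example.com/saml/callback",
            "_req1", "2024-01-01T00:00:00Z")
    for flag in (True, False):
        xml = build_authn_request(*args, send_name_qualifier=flag)
        print(flag, entity_format_qualifiers(xml))
```

When sign-in fails right after the redirect to the identity provider, decoding the SAMLRequest parameter and running the check above tells you whether the NameQualifier is the cause before raising a support request for the setting.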
This setting controls the Service Provider's session timeout value, which by default is set to 1 hour. Some Identity Providers have higher session timeout values, so it may be necessary to change this setting to align with your Identity Provider's session timeout. The value is specified in seconds, so an 8-hour session timeout would be 28800.