Security Assertion Markup Language (SAML) is an open standard that allows an identity provider (IdP) to pass signed authentication and attribute assertions to a service provider (SP).
SAML authentication allows a user to log in to the platform with a SAML assertion. If configured, permission tags can be extracted from the SAML assertion and used to manage organization membership and user security roles from an external system.
This feature is available only to Algorithmia Enterprise users who have configured SAML and the external organization management functionality. It supports:
- Allowing user login through SAML
- Using an external management platform to grant user permissions (admin/sudo)
- Using an external management platform to grant or revoke organization membership and administration privileges
- Creating local users that represent users verified through SAML
If the system is configured to accept these tags for SAML login and an attribute with the configured name is not included in the assertion, the login fails with an error. If the attribute is present but its value array is empty, all permissions granted through tags are removed from the user.
Logging in with SAML
To start a service-provider-initiated login, click the "Sign in with SAML" button on the login page. You will either be logged in automatically (if the identity provider already has a session for you) or be redirected to your identity provider to confirm your credentials.
Creating a non-existing user
If a valid SAML assertion is presented and properly verified (signature, issuer and validity period), the NameID, or the configured identifier attribute, is matched against existing users' external_id values. If no user has that external_id, one is created: the new user's external_id and username are both set to the value of the NameID (or configured identifier attribute), and if an email attribute is supplied under the configured key, it is stored on the new user as well.
Changing a user's platform permissions
If the permission tags found in the configured attribute's value array of a user's assertion match those configured for platform admin or cluster admin access, the user is automatically upgraded to that role on login.
Changing a user's organization roles/membership: Adding organization management tags to organization objects
When creating or updating an organization you can provide a list of "tags" that are matched against the configured SAML assertion attribute to decide which organizations the user is a member or admin of. On each SAML login the system synchronizes the user's memberships with the organizations that share these tags. Multiple tags can be given comma delimited, as shown below.
If a user holds a tag listed in "External Admin Group", they become an admin of that organization. If they hold a tag listed in "External Member Group", they become a member. If they hold both, they are marked as an admin.
Changing a user's organization roles/membership: Assertion content
If the permission tags in a user's SAML assertion match those configured for a given organization, the user is automatically added to the organization with the corresponding role. For instance, if the assertion's configured attribute value array includes the tag "memberTag1" and the organization is configured to add members based on "memberTag1", the user is made a member.
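The following is an added example, not Algorithmia's code, showing the user creation and tag synchronization flow described in the sections above (missing attribute, empty value array, NameID-to-external_id matching, platform/cluster admin tags, and comma-delimited organization tags). The configuration keys, the attribute name permissionTags, the admin tag values and the organization records are assumptions made for the example; the SAML assertion is a constructed sample. The code assumes the assertion has already been signature-verified by the SAML library, as the page requires, and must never be run on an unverified assertion.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical deployment configuration (names are assumptions, not Algorithmia settings).
CONFIG = {
    "identifier_attribute": None,        # None -> use the NameID
    "email_attribute": "email",
    "tags_attribute": "permissionTags",  # the "configured attribute" holding tags
    "platform_admin_tags": {"platform-admin"},
    "cluster_admin_tags": {"cluster-admin"},
}

# Assumed organization records: comma-delimited external admin/member tags.
ORGS = {
    "data-science": {"external_admin_group": "dsAdmin", "external_member_group": "memberTag1,dsMember"},
    "platform-team": {"external_admin_group": "", "external_member_group": "memberTag2"},
}

# Constructed sample assertion (already verified upstream; no Signature element shown).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@corp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="permissionTags">
      <saml:AttributeValue>memberTag1</saml:AttributeValue>
      <saml:AttributeValue>cluster-admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same subject, tag attribute present but empty: all tag-derived permissions are removed.
SAMPLE_EMPTY_TAGS = SAMPLE_ASSERTION.replace(
    "<saml:AttributeValue>memberTag1</saml:AttributeValue>", ""
).replace("<saml:AttributeValue>cluster-admin</saml:AttributeValue>", "")

# Tag attribute missing entirely: login must fail.
SAMPLE_MISSING = SAMPLE_ASSERTION.replace('Name="permissionTags"', 'Name="somethingElse"')


class SamlAttributeError(Exception):
    """Raised when the configured tag attribute is absent from the assertion."""


def parse_assertion(xml_text):
    """Return NameID and attribute values from a (pre-verified) assertion or response."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text.strip()
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "attributes": attrs}


def extract_tags(parsed, config):
    name = config["tags_attribute"]
    if name not in parsed["attributes"]:
        raise SamlAttributeError(f"assertion is missing the configured attribute {name!r}")
    # An empty value array is valid and means "no permissions", not an error.
    return {v.strip() for v in parsed["attributes"][name] if v.strip()}


def split_tags(csv):
    return {t.strip() for t in csv.split(",") if t.strip()}


def resolve_user(parsed, config, users):
    """Match NameID (or configured identifier) to external_id; create the user if absent."""
    ident = parsed["name_id"]
    if config["identifier_attribute"]:
        ident = parsed["attributes"][config["identifier_attribute"]][0]
    user = users.get(ident)
    if user is None:
        emails = parsed["attributes"].get(config["email_attribute"], [])
        user = {"external_id": ident, "username": ident, "email": emails[0] if emails else None,
                "platform_admin": False, "cluster_admin": False, "orgs": {}}
        users[ident] = user
    return user


def sync_permissions(user, tags, config, orgs):
    """Recompute roles and memberships from the assertion's tags (admin wins over member)."""
    user["platform_admin"] = bool(tags & config["platform_admin_tags"])
    user["cluster_admin"] = bool(tags & config["cluster_admin_tags"])
    memberships = {}
    for org_name, org in orgs.items():
        if tags & split_tags(org["external_admin_group"]):
            memberships[org_name] = "admin"
        elif tags & split_tags(org["external_member_group"]):
            memberships[org_name] = "member"
    user["orgs"] = memberships
    return user


def login(xml_text, users, config=CONFIG, orgs=ORGS):
    parsed = parse_assertion(xml_text)
    tags = extract_tags(parsed, config)  # fail before touching the user store
    user = resolve_user(parsed, config, users)
    return sync_permissions(user, tags, config, orgs)


if __name__ == "__main__":
    store = {}
    print(login(SAMPLE_ASSERTION, store))   # new user, cluster admin, member of data-science
    print(login(SAMPLE_EMPTY_TAGS, store))  # same user, every tag-derived permission removed
```

The tag attribute is checked before the user record is looked up or created, so an assertion that omits the configured attribute fails the login without leaving a half-provisioned local user behind.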
If you’re new to Algorithmia and would like to learn more about our product and using SAML for authorization, please contact our sales team. We’d love to hear from you!