I plan to set up SAML on my Xibo instance soon, and I was curious about a few things:
As this was always the plan for when 1.8.0 was released, I assigned usernames that matched the person’s SSO user name. Once SAML is enabled, will those accounts immediately make use of the password from the identity provider?
How are accounts provisioned in Xibo at that point? Currently, if I want to add a user, it usually requires a password be assigned on creation – will that requirement go away once the SAML is enabled?
Once SAML is enabled, is there a way to specify certain accounts not to use SAML? (All of our systems require master admin accounts that don’t authenticate via SSO for cases when SSO is down or if the connection breaks somehow.)
Existing accounts that match your SAML provider will be linked automatically, yes.
There is no account provisioning in Xibo once SAML is enabled. When the SAML IdP authorizes a login, an account is made in Xibo if one doesn’t exist already for that username.
SAML is all or nothing I’m afraid. Once it’s enabled, the only logins available are those authorized by the IdP.
In the event that the IdP is offline, you can reconfigure Xibo to not use it, and then at that point log in with legacy usernames and passwords.
Thanks for this information. Are there plans to make account provisioning work at some point? As I’m sure you could imagine, some people may not want global access to their system via any SSO account. I’m guessing there are ways to limit the access of automatically created accounts.
The IdP is where you would limit access, not with the application. Xibo has no knowledge of your users or what roles they hold. All it can do is ask the IdP whether the person being referred should be logged in or not.
Certainly with Google GSuite as the IdP, you can limit who is allowed to use the IdP to authenticate for that service. I believe the same is true for Windows ADFS.
In the Xibo side configuration, you configure what groups a user is initially assigned to. From there, you would manually grant additional permissions as required after the user has logged in for the first time.
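The account behaviour described in the two replies above (existing accounts linked by matching username, new accounts created on first IdP login with only the configured default group, and local passwords only usable again once SAML is switched off) is easy to see in a small model. The following is an added example, not code from Xibo or from anyone in the thread: the `UserStore` class, its in-memory user table, the `saml_enabled` switch and the sample assertion are all constructed for the demonstration, and the assertion is unsigned, so a real service provider must let its SAML library verify the response signature, audience and validity window before any of this account logic runs.

```python
"""Illustrative just-in-time (JIT) SAML account linking. Added example, not
Xibo code: the UserStore class, the in-memory tables and the sample
assertion below are constructed for the demo."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion. In a real deployment the SAML library
# must have verified the signature, audience and NotOnOrAfter before
# the application reads attributes out of it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>{user}@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class UserStore:
    """Minimal stand-in for an application's user table (assumption)."""

    def __init__(self, default_groups, saml_enabled=True):
        self.users = {}                     # username -> account dict
        self.default_groups = list(default_groups)
        self.saml_enabled = saml_enabled    # the "all or nothing" switch

    def add_local_user(self, username, password, groups):
        salt, digest = _hash_password(password)
        self.users[username] = {"username": username, "groups": list(groups),
                                "salt": salt, "pw": digest, "linked_to_idp": False}

    def login_local(self, username, password):
        """Legacy username/password login; only accepted while SAML is off."""
        if self.saml_enabled:
            raise PermissionError("SAML is enabled; local passwords are not accepted")
        acct = self.users.get(username)
        if acct is None or acct["pw"] is None:
            return False    # unknown user, or a JIT-created user with no local password
        _, digest = _hash_password(password, acct["salt"])
        return hmac.compare_digest(digest, acct["pw"])


def extract_username(assertion_xml, attr_name="uid"):
    """Identify the user by a configured attribute, falling back to NameID."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no usable identifier")
    return name_id.text.strip()


def jit_login(store, assertion_xml):
    """Link an existing account by username, or create one with default groups."""
    if not store.saml_enabled:
        raise PermissionError("SAML is disabled")
    username = extract_username(assertion_xml)
    acct = store.users.get(username)
    created = acct is None
    if created:
        # New account: only the configured default group(s). Anything more
        # is granted by an administrator after this first login.
        acct = {"username": username, "groups": list(store.default_groups),
                "salt": None, "pw": None, "linked_to_idp": True}
        store.users[username] = acct
    else:
        # Pre-created account with a matching username: linked, groups kept,
        # local password no longer used for login while SAML is on.
        acct["linked_to_idp"] = True
    return acct, created


def demo():
    store = UserStore(default_groups=["Users"])
    store.add_local_user("alice", "pre-saml-secret", ["Administrators"])
    alice, new_a = jit_login(store, SAMPLE_ASSERTION.format(user="alice"))
    bob, new_b = jit_login(store, SAMPLE_ASSERTION.format(user="bob"))
    # IdP outage: the operator turns SAML off and legacy login works again.
    store.saml_enabled = False
    fallback_ok = store.login_local("alice", "pre-saml-secret")
    return {"alice_groups": alice["groups"], "alice_new": new_a,
            "bob_groups": bob["groups"], "bob_new": new_b, "fallback_ok": fallback_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the `saml_enabled` switch is the one made above: while it is on there is no second door, so the break-glass path for an IdP outage is a configuration change followed by a legacy login, and an account that was only ever created by the IdP has no local password to fall back on.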