Reputation: 1137
I've set up an IdP and a first SP to start using SSO across our products. I'm new to SAML and I'm wondering, when it comes to user provisioning (that is, whether the user exists in the IdP database or not), is it the responsibility of the IdP? Does SAML support the creation of users with the IdP in case they don't exist, or is it a prerequisite that they are already there?
Upvotes: 0
Views: 363
Reputation: 2744
You could use so-called 'auto federation' on the SP side. This would create a 'user profile' on the SP side based on the attribute statements sent by the IdP in the SAML assertion. However, the SP must support this.
Potentially you had this in mind when saying:
"Does SAML support the creation of users with the IdP"
Upvotes: 1
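The 'auto federation' (just-in-time provisioning) described in the answer above, as an added example that is not part of the original post: the SP parses the assertion's AttributeStatement and creates or updates a local profile keyed on the IdP's NameID. The function names, the attribute mapping and the sample assertion are assumptions for this example; signature, audience and conditions validation is assumed to have been done by the SP's SAML library before provision_from_assertion() is called.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Only attributes the SP has agreed with the IdP are copied into the local
# profile; anything else in the assertion (e.g. a stray role flag) is ignored.
# The mapping is an assumption for this example, not part of the SAML standard.
ATTRIBUTE_MAP = {"email": "email", "givenName": "first_name", "sn": "last_name"}

# Constructed sample assertion (no signature shown; see the lead-in).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-42</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="isAdmin"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_profile(assertion_xml: str) -> dict:
    """Pull issuer, NameID and the mapped attributes out of an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    profile = {"issuer": issuer, "name_id": name_id}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        local_name = ATTRIBUTE_MAP.get(attr.get("Name"))
        if local_name:
            profile[local_name] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return profile


def provision_from_assertion(store: dict, assertion_xml: str, validated: bool):
    """Create-or-update the SP-side user keyed on (issuer, NameID).
    `validated` must be the result of the signature/audience/conditions checks
    done by the SP's SAML library; nothing is provisioned otherwise."""
    if not validated:
        raise PermissionError("refusing to provision from an unvalidated assertion")
    profile = extract_profile(assertion_xml)
    key = (profile["issuer"], profile["name_id"])
    created = key not in store
    record = store.setdefault(key, {})
    record.update({k: v for k, v in profile.items() if k not in ("issuer", "name_id")})
    return created, record
```

Keying on the issuer together with the NameID keeps two IdPs from colliding on the same subject identifier, and the allowlist stops an unexpected attribute such as isAdmin from ever reaching the local profile.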
Reputation: 46773
The function of an IdP (and more correctly an STS) is to authenticate and generate signed tokens.
What you are referring to is an Identity Manager which provisions users into a repository and handles password self-service etc.
Upvotes: 1