There are two primary options to consider when adding SAML users: SAML Strict Mode and Just-in-Time Provisioning. The following describes each and the options for inviting users with the four potential configurations.
Strict Mode
When enabled, users will only be able to log into your Split account through your company’s SSO. As an alternative to Split’s shortcut in your company’s IdP, users may follow the Single Sign-on URL found on the SAML tab in the Admin panel. Any user may still set up a password, either through My Settings or after creating an account through an invite link, but will get the following message when attempting to log into Split using username and password:
Just in Time Provisioning
When enabled, if a user successfully authenticates through SSO but doesn’t yet exist in Split, the user will be automatically provisioned and logged into Split. Note that new users can still be added through invites via the admin panel, but in such cases the user must first complete registration through the invite link before logging into Split through SSO. We recommend not sending invites for users that have Split available through SSO when JIT is enabled, and especially if Strict Mode is also enabled.
Inviting Users
BOTH Strict Mode and JIT are NOT checked
- Invite users via the Invite tab under Users in Admin Settings. This will send an email to users with a link, which they can then follow to complete their registration.
- Since the user can establish login credentials with Split, they will be able to create a password and log in either via username/password or SSO.
Strict Mode only checked
- You will invite users via the Invite tab. Users will need to log in one time via username and password.
- After that, users will need to log in via the SSO portal.
- As an alternative, the user can connect using the Single Sign-on URL found on the SAML tab.
JIT only checked
- Add users via the SSO portal. You can also add a user via an invite, in which case the first login must be through the invite.
- If the user has not accepted the invite and you subsequently try to add them via the portal, an error will be thrown and you’ll need to contact support.
- If added through the portal, the first time they log in must be via the portal, which will create a user in Split and log them in.
- Once logged in they can create a password in My Settings. If added via an invite they will create a password when they respond to the invite.
- They can log in either via SSO or username/password.
Strict Mode and JIT checked
- The best practice is to add via the portal. If added via the portal, the first time they log in must be via the portal, which will create a user in Split and log them in.
- You can add a user via an invite, in which case the first login must be through the invite. That will be the only time they log in using username and password.
- If the user has not accepted the invite and you subsequently try to add them via the portal, an error will be thrown and you’ll need to contact support.
- All subsequent logins must be via the portal or the Single Sign-on URL. Or they can put in just their email address on the login page to get redirected and logged in via most SSO implementations.
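The four configurations above amount to a small access policy: which login path a user in a given state (not yet known to Split, invited but not registered, or registered) may use. The following Python model is an added example, not Split's own code; it encodes only the rules stated in this article, and the labelled assumptions fill in cases the article leaves implicit (for instance, that an SSO login without JIT does not create an account).

```python
"""Model of the Strict Mode / Just-in-Time login matrix described above.

Added example, not Split's implementation. It lets an admin check which
login path a user can take under each of the four SAML configurations.
"""
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    INVITE_LINK = "invite link"     # completing registration from the invite email
    PASSWORD = "username/password"  # the Split login form
    SSO = "sso"                     # IdP shortcut, Single Sign-on URL, or email redirect


class UserState(Enum):
    UNKNOWN = "unknown"        # no Split account and no open invite
    INVITED = "invited"        # invite sent, registration not completed
    REGISTERED = "registered"  # completed an invite or JIT-provisioned


@dataclass(frozen=True)
class SamlConfig:
    strict_mode: bool
    jit_provisioning: bool


def evaluate_login(cfg: SamlConfig, state: UserState, method: Method):
    """Evaluate one login attempt and return (outcome, state_after).

    Outcomes: "ok", "provisioned" (JIT created the account),
    "rejected", or "error_contact_support" (open invite collides with an SSO add).
    """
    if state is UserState.INVITED:
        # An open invite must be completed through the invite link first.
        if method is Method.INVITE_LINK:
            return "ok", UserState.REGISTERED
        if method is Method.SSO and cfg.jit_provisioning:
            # Page: adding via the portal while an invite is unaccepted throws an error.
            return "error_contact_support", state
        # Assumption: no password exists yet, and without JIT nothing is provisioned.
        return "rejected", state

    if state is UserState.UNKNOWN:
        if method is Method.SSO and cfg.jit_provisioning:
            return "provisioned", UserState.REGISTERED
        # Assumption: without JIT, SSO cannot create an account; an invite is needed.
        return "rejected", state

    # REGISTERED
    if method is Method.INVITE_LINK:
        return "rejected", state  # assumption: a used invite cannot be replayed
    if method is Method.PASSWORD and cfg.strict_mode:
        return "rejected", state  # Strict Mode blocks username/password logins
    # Non-strict: the user may have set a password in My Settings (not tracked here).
    return "ok", state


def allowed_methods(cfg: SamlConfig, state: UserState) -> set:
    """Login paths that succeed for this state under this configuration."""
    return {m for m in Method if evaluate_login(cfg, state, m)[0] in ("ok", "provisioned")}


def simulate(cfg: SamlConfig, state: UserState, methods) -> list:
    """Run a sequence of login attempts and return the outcome of each."""
    outcomes = []
    for m in methods:
        outcome, state = evaluate_login(cfg, state, m)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    for strict in (False, True):
        for jit in (False, True):
            cfg = SamlConfig(strict, jit)
            print(f"strict={strict} jit={jit}")
            for st in UserState:
                names = sorted(m.value for m in allowed_methods(cfg, st))
                print(f"  {st.value:10s} -> {names}")
```

Running the block prints the allowed paths for every configuration and user state; `simulate` replays a user's journey, e.g. an invited user under Strict Mode + JIT completing the invite, then being refused on the password form, then succeeding via SSO.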
Using SCIM
- If SCIM is enabled to work with your SSO-strict mode account, user provisioning to create, update, and deactivate members in Split is done directly via your IdP.
- You must add new users in the IdP to give them access to Split. You can't invite new users using Split.
- Any existing open invites are revoked.
- User management actions such as deactivate and activate are disabled in Split. IdP administrators control user management.
- Groups that are synced from the selected IdP are uneditable in Split. If you want to change the members in a group, the administrators must push them over.