Yes, you can configure and test multiple identity providers at the same time, but only one can be used as the default.
❗ Please note: For technical reasons the entity ID will be the same for all identity provider configurations on a tenant. Some identity providers don't allow using the same entity ID in multiple configurations. The workaround is to temporarily change the entity ID to the identity provider configuration that should be tested / used.
No, role mapping is always required.
Yes, depending on which role users were assigned in the role hierarchy (admin > author > user), they can have multiple roles. For example, if a user has an admin role (the "highest" role), they have the access and editing rights of users, authors and admins.
If we configure single sign-on, can we still use the Admin Console to add new users, authors or admins?
No, you have to manage users in your identity provider.
Attributes and role will be updated as soon as the user logs in again through your identity provider. This will be reflected in the User list in the Admin Console. Once users log into BRYTER using SSO, a little lock symbol appears in the column SSO user.
Remove the user (or revoke the necessary claims for the user) in your identity provider.
All existing users, authors, and admins also need to exist in your identity provider. Please note that the role attributed will always be taken from your SAML system. This means you can override the previously set user role in the Admin Console with the role mapping defined in your SAML system.
If an existing user, author or admin logs in for the first time after SAML was activated, they will see a screen where they need to click on "Add to existing account" and then confirm their account through an activation link sent via email.
If you use SAML, the login is managed through your identity provider, so two-factor authentication (2FA) needs to be configured on your side with the chosen identity provider.
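Because the role from the SAML system overrides the role set in the Admin Console, it helps to compare both sides before activation. The following is an added example, not BRYTER code: the data layout, group names, case-insensitive email matching and the rule of taking the highest mapped role are assumptions made for illustration.

```python
# Added example: pre-activation audit of Admin Console accounts against the IdP.
# All names and data below are constructed; they are not a BRYTER export format.
ROLE_RANK = {"user": 1, "author": 2, "admin": 3}  # hierarchy from the FAQ: admin > author > user

# Constructed sample data.
ROLE_MAPPING = {"grp-bryter-admins": "admin", "grp-bryter-authors": "author", "grp-staff": "user"}
CONSOLE_USERS = {"alice@example.com": "admin", "bob@example.com": "author",
                 "carol@example.com": "user", "dave@example.com": "author",
                 "erin@example.com": "user"}
IDP_USERS = {"Alice@example.com": ["grp-staff"],
             "bob@example.com": ["grp-bryter-authors", "grp-staff"],
             "carol@example.com": ["grp-bryter-admins"],
             "erin@example.com": ["grp-contractors"]}

def mapped_role(groups, role_mapping):
    """Highest role granted by any IdP group (assumption), or None if none maps."""
    roles = [role_mapping[g] for g in groups if g in role_mapping]
    return max(roles, key=ROLE_RANK.__getitem__, default=None)

def audit(console_users, idp_users, role_mapping):
    """Return (email, kind, detail) findings, sorted by email.

    console_users: {email: role}; idp_users: {email: [group, ...]}.
    """
    idp = {email.lower(): groups for email, groups in idp_users.items()}
    findings = []
    for email, current in sorted(console_users.items()):
        groups = idp.get(email.lower())
        if groups is None:
            # Account exists only in the Admin Console: no SSO login possible.
            findings.append((email, "missing_in_idp", "cannot log in via SSO"))
            continue
        new = mapped_role(groups, role_mapping)
        if new is None:
            findings.append((email, "no_role_mapped", "no group maps to a role"))
        elif ROLE_RANK[new] > ROLE_RANK[current]:
            # The IdP would grant more rights than the console role: review first.
            findings.append((email, "escalation", f"{current} -> {new}"))
        elif ROLE_RANK[new] < ROLE_RANK[current]:
            findings.append((email, "downgrade", f"{current} -> {new}"))
    return findings

if __name__ == "__main__":
    for finding in audit(CONSOLE_USERS, IDP_USERS, ROLE_MAPPING):
        print(*finding, sep="\t")
```

Escalation findings deserve review before SSO goes live, since the mapped role takes effect at the user's next login.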
No, SCIM is currently not supported. If you require SCIM, please reach out to your customer success manager.
No, mapping of custom or additional attributes is currently not supported.
You can do this in the identity provider configuration.
❗ Please note: As we do not support multiple certificates at the moment, please be extra careful as providing a wrong certificate might result in a broken login.
I want to switch to a new identity provider or to a new identity provider configuration. Why can't I change the login URL in the identity provider configuration?
In this scenario, the SSO link between the user on our system and your identity provider would then be broken. You need a new configuration in this case, which will result in a new SSO link between our system and the new identity provider (configuration).
If a user already existed before in the Admin Console (either through manual creation or from a previous identity provider), they need to confirm their account. They need to click on "Add to existing account" and then confirm to link their account through the email they will receive.
I cannot select the identity provider as default identity provider. What can I do to resolve this issue?
You have to configure role mapping first. Click on "Role mapping", optionally change the mapping, and then click on "Create role mapping".
If your configuration is incomplete, for example due to missing role mapping, you cannot activate SAML successfully. An incomplete configuration is highlighted in yellow, which indicates that some information is missing.
Only completed configurations will be displayed with a green background color.