We have gathered answers to some of the most common issues our customers encounter when implementing SAML for BRYTER. If you cannot find answers here, contact your BRYTER contact person who will be happy to help you succeed.
Identity Providers
- You can configure and test multiple identity providers at the same time, but only one can be the default.
- For technical reasons, the entity ID is the same for all identity provider configurations on a tenant. Some identity providers don't allow the same entity ID to be used in multiple configurations. The workaround is to temporarily change the entity ID in the identity provider configuration that should be tested or used.
- You can update the certificate in the identity provider configuration. Because only one certificate is supported at the moment, be extra careful: providing the wrong certificate may leave users unable to log in.
- You cannot change the login URL of an existing identity provider configuration, whether you are switching to a new identity provider or amending the existing configuration: doing so would break the SSO link between the user accounts on BRYTER and your identity provider. Instead, create a new configuration to establish a new SSO link between BRYTER and the new identity provider.
- If you cannot select an identity provider as the default identity provider, role mapping has not been configured yet. Click Role mapping, amend the mapping, and then click Create role mapping.
- When a configuration is displayed with a yellow background, the configuration is incomplete. This is usually due to missing role mapping. Complete configurations are displayed with a green background.
Supported technologies
- When using SAML, login accounts are managed through your identity provider. You must configure your two-factor authentication (2FA) with your chosen identity provider.
- SCIM (System for Cross-domain Identity Management) is currently not supported. If you require SCIM, please reach out to your BRYTER contact person.
Role mapping
- SAML always requires role mapping to be configured.
- Users can hold multiple roles; the role hierarchy (admin > author > user) determines which rights apply. For example, the admin role (the role with the greatest access to the system) has access and editing rights equivalent to users, authors, and admins.
- When configuring SAML, all existing user, author, and admin accounts must also exist in your identity provider, because role attribution is always taken from your SAML system. Role mapping defined in your SAML system overrides user roles set via the Admin Console.
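The following is an added example, not BRYTER's own code, showing how role mapping resolves a single effective role from a SAML assertion. It assumes a hypothetical mapping table (`ROLE_MAPPING`) from values of a group attribute to the three BRYTER roles, and applies the hierarchy admin > author > user described above so that a user carrying several mapped values ends up with the highest role. The assertion is a constructed sample, not one captured from a real identity provider.

```python
"""Resolve a BRYTER-style role from the AttributeStatement of a SAML assertion.

Added example (not BRYTER's code). ROLE_MAPPING and the attribute name
"groups" are assumptions; the hierarchy admin > author > user is from the
page. The sample assertion below is constructed and unsigned.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping: attribute value sent by the IdP -> BRYTER role.
ROLE_MAPPING = {
    "bryter-admins": "admin",
    "bryter-authors": "author",
    "bryter-users": "user",
}

# Hierarchy from the page: admin > author > user. The highest rank wins.
ROLE_RANK = {"user": 1, "author": 2, "admin": 3}

# Constructed sample assertion (only the parts relevant to role mapping).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>bryter-users</saml:AttributeValue>
      <saml:AttributeValue>bryter-authors</saml:AttributeValue>
      <saml:AttributeValue>finance-team</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attribute_values(assertion_xml, attribute_name):
    """Return all AttributeValue texts for the named attribute (claims from the IdP)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def resolve_role(values, mapping=ROLE_MAPPING):
    """Map attribute values to roles and pick the highest one in the hierarchy.

    Returns None when no value maps to a role: the mapping is incomplete for this
    user, so the service should not grant access on the basis of this assertion.
    """
    roles = [mapping[v] for v in values if v in mapping]
    if not roles:
        return None
    return max(roles, key=lambda role: ROLE_RANK[role])


def resolve_effective_role(assertion_xml, attribute_name="groups"):
    """Convenience wrapper: assertion XML -> effective BRYTER role (or None)."""
    return resolve_role(extract_attribute_values(assertion_xml, attribute_name))


if __name__ == "__main__":
    # Expected: "author", because bryter-authors outranks bryter-users and
    # finance-team is not mapped at all.
    print(resolve_effective_role(SAMPLE_ASSERTION))
```

Unmapped values such as `finance-team` are ignored rather than treated as an error, which matches a deployment where the IdP sends every group a user belongs to; a user with no mapped value at all yields `None`, which is the "incomplete role mapping" case the configuration screen flags with a yellow background.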
User administration
- Where single sign-on is configured, all user administration must be completed in the identity provider interface, not in BRYTER.
- Attributes and roles are updated when the user next logs in via your identity provider. Any changes are reflected in the User list in the Admin Console. Once a user has logged into BRYTER using SSO, a lock icon is displayed in the SSO user column in the Admin Console.
- Mapping custom or additional attributes is currently not supported.
- To remove a user account, revoke the claims for the user in your identity provider.
- When an existing user, author, or admin logs in for the first time after SAML is activated, they must click the Add to existing account button displayed on the Welcome! screen and confirm their account through an activation link via email.
Definitions
Term or abbreviation | Definition
--- | ---
SSO | SSO (Single Sign On) is a technology that enables users to authenticate to a system once and be authorized to use multiple applications and services.
SAML | SAML (Security Assertion Markup Language) is an XML-based standard that lets an identity provider assert to a service provider that a user is who they claim to be.
Authentication | The process of verifying the identity of a user (or process), ensuring that the user (or process) is who they claim to be.
Authorization | Assigning roles to users to enable them to access different levels of information and perform specific functions based on those roles.
Identity provider (IdP) | A cloud software service that stores and confirms user identities, usually via a login process.
Service provider (SP) | A cloud-hosted application or service that a user wants to access.
Assertion | A message from the IdP, sent via SAML, containing authentication, attribute, and authorization values to inform an SP that a user is signed in and authenticated.
Role | BRYTER supports three roles: Admin, Author, and User.
Mapping | BRYTER roles are mapped to assertions to enable users to access appropriate parts of the application or service.
Claim | Information that an IdP states about a user, typically contained in the SAML Attribute Statement.
Error messages
Message | Resolution
--- | ---
AADSTS900561: This endpoint only accepts POST requests. Received a GET request | The Login URL is misconfigured: the identity provider endpoint was called with a GET redirect. Use the HTTP-POST binding URL as the Login URL.
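Two of the issues above (the wrong certificate after a certificate update, and a Login URL that points at the wrong binding) can both be caught by comparing the identity provider configuration against the IdP's own SAML metadata before saving it. The following is an added example, not BRYTER's code and not an official check of any identity provider: it parses a constructed IdP metadata document with the standard `md:` and `ds:` namespaces, extracts the `SingleSignOnService` endpoint that carries the HTTP-POST binding and the SHA-256 fingerprints of the advertised signing certificates, and reports whether the configured Login URL and certificate match. The certificate bytes and URLs are constructed placeholders, not real certificates or endpoints.

```python
"""Check a configured SAML Login URL and certificate against IdP metadata.

Added example (not BRYTER's code). The metadata, URLs and certificate bytes
below are constructed; only the namespaces and binding URIs are the real
SAML 2.0 identifiers.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for DER certificate bytes (not real certificates).
FAKE_CERT_B64 = base64.b64encode(b"constructed-der-bytes-of-the-idp-signing-cert").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-der-bytes-of-an-unrelated-cert").decode()

# Constructed IdP metadata advertising both a Redirect and a POST SSO endpoint.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_text):
    """SHA-256 hex fingerprint of a certificate given as bare base64 or PEM."""
    body = "".join(line.strip() for line in cert_text.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def sso_locations(metadata_xml):
    """Map each SingleSignOnService binding URI to its Location."""
    root = ET.fromstring(metadata_xml)
    return {
        el.get("Binding"): el.get("Location")
        for el in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }


def signing_cert_fingerprints(metadata_xml):
    """Fingerprints of every KeyDescriptor usable for signing (use="signing" or unset)."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text or ""))
    return fingerprints


def check_configuration(metadata_xml, configured_login_url, configured_cert):
    """Return a list of findings; an empty list means the configuration matches the metadata."""
    findings = []
    locations = sso_locations(metadata_xml)
    post_url = locations.get(POST_BINDING)
    if post_url is None:
        findings.append("IdP metadata advertises no HTTP-POST SingleSignOnService")
    elif configured_login_url != post_url:
        if configured_login_url == locations.get(REDIRECT_BINDING):
            findings.append(f"Login URL is the HTTP-Redirect endpoint; use the HTTP-POST endpoint {post_url}")
        else:
            findings.append(f"Login URL does not match the HTTP-POST endpoint {post_url}")
    if cert_fingerprint(configured_cert) not in signing_cert_fingerprints(metadata_xml):
        findings.append("Configured certificate matches no signing certificate in IdP metadata")
    return findings


if __name__ == "__main__":
    # A Login URL copied from the Redirect endpoint is exactly the misconfiguration
    # that produces the "only accepts POST requests" error above.
    for finding in check_configuration(SAMPLE_METADATA, "https://idp.example.com/sso/redirect", FAKE_CERT_B64):
        print("FINDING:", finding)
```

Running the check against the real metadata URL your IdP publishes (rather than the constructed sample) before saving a configuration change is cheap and catches both mistakes while the previous, working configuration is still in place.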