In release R20d, coming in August 2020, a feature is available to provision users in Calem based on SAML SSO. The feature allows an organization to centralize user management in its ID Provider. Calem creates a user record for an authenticated user, or updates the existing user's settings accordingly.
- A user accesses Calem
- The user is redirected to its ID provider for authentication via SAML
- Upon authentication, the user record is created in Calem if not found. Otherwise, it's updated.
The following SAML attributes from an authenticated user may be used to provision a user record in Calem.
|Full Name (givenname and surname)
|Group Id - mapped to Profiles in Calem||Y|
Plugins must be configured to enable user provisioning. A plugin includes business logic meeting the specific requirements of the integration for an organization.
- They are developed and released by Calem based on customer requirements.
- No plugin is configured out of the box.
- A plugin needs to be configured to enable the integration.
- For instance, "itiga" is the plugin Id to be enabled.
- The plugin is deployed to directory Calem_Home/server/modules/plugin/itiga/
- The following configuration needs to be added to calem.custom.php to enable it.
The user provisioning includes the following data integration points.
1. Direct Mapping - a SAML attribute is mapped to a field in Calem
2. Lookup Mapping - a SAML attribute is mapped to a lookup field in Calem
3. Default field values
4. Custom Handling - the custom business logic provided by a plugin
5. Additional configuration - additional configuration data may be supplied in other files for a plugin. For instance, "itiga_conf.php", "itiga_conf.custom.php" and "itiga_map.php" are included for the "itiga" plugin.
Additional information can be found in the README.txt file for a plugin.
The following is the sample configuration for the data integration defined in calem.custom.php.
```php
$_CALEM_dist['saml_conf']['user_provision_map'] = array(
    // Direct mapping to SAML attribute
    'direct' => array(
        'username' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/objectidentifier',
        'email' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    ),
    // SAML attribute is a lookup value
    'lookup' => array(
    ),
    // Default values to set
    'defaults' => array(
        'login_allowed' => 1,
        'status_id' => 'us_active',
        'site_id' => '1000000'
    ),
    // Custom logic, value is attribute or null (indirect attributes)
    'custom' => array(
        'team_id' => 'TeamCompany',
        'profle_id' => 'EAMGroupId',
        'full_name' => null
    )
);
```
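How a map of this shape could be applied to the attributes of an authenticated user, as an added example that is not Calem's or the plugin's code. The function names, the group-to-profile table and the sample attribute values are constructed, and it assumes SAML attributes arrive as attribute name => list of string values.

```php
<?php
// Added illustration, not Calem's code; function names and sample values are constructed.
// Assumption: SAML attributes arrive as attribute name => list of string values.
const CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';
function one_value(array $attrs, string $name): string {
    if (!isset($attrs[$name]) || count($attrs[$name]) !== 1 || trim($attrs[$name][0]) === '') {
        throw new RuntimeException("SAML attribute missing, empty or multi-valued: $name");
    }
    return trim($attrs[$name][0]);
}

function build_user_record(array $map, array $attrs, array $handlers): array {
    $user = $map['defaults'];                        // default field values
    foreach ($map['direct'] as $field => $attr) {     // direct mapping
        $user[$field] = one_value($attrs, $attr);
    }
    foreach ($map['custom'] as $field => $attr) {     // custom handling
        if (!isset($handlers[$field])) {
            throw new RuntimeException("No handler configured for $field");
        }
        // A null attribute means the handler derives the value from other attributes.
        $user[$field] = $handlers[$field]($attr === null ? null : one_value($attrs, $attr), $attrs);
    }
    return $user;
}
$map = [                                              // keys as in the page's sample configuration
    'direct'   => ['username' => CLAIMS . 'objectidentifier', 'email' => CLAIMS . 'emailaddress'],
    'defaults' => ['login_allowed' => 1, 'status_id' => 'us_active', 'site_id' => '1000000'],
    'custom'   => ['profle_id' => 'EAMGroupId', 'full_name' => null],
];
$profiles = ['eam-technicians' => 'TECHNICIAN'];      // constructed group-to-profile table
$handlers = [
    'profle_id' => function (string $group, array $a) use ($profiles): string {
        if (!isset($profiles[$group])) {              // unknown group: refuse, no fallback profile
            throw new RuntimeException("Unmapped group: $group");
        }
        return $profiles[$group];
    },
    'full_name' => fn(?string $v, array $a): string =>
        one_value($a, CLAIMS . 'givenname') . ' ' . one_value($a, CLAIMS . 'surname'),
];
$attrs = [                                            // constructed assertion attributes
    CLAIMS . 'objectidentifier' => ['3f2a-constructed-id'],
    CLAIMS . 'emailaddress'     => ['pat@example.com'],
    CLAIMS . 'givenname'        => ['Pat'],
    CLAIMS . 'surname'          => ['Lee'],
    'EAMGroupId'                => ['eam-technicians'],
];
print_r(build_user_record($map, $attrs, $handlers));
```

A missing attribute or an unmapped group raises an exception, so an assertion that cannot be mapped produces no user record instead of one with a default profile.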