In the coming release of release R20d in August 2020, a feature is available to provision users in Calem based on SAML SSO. The feature allows an organization to centralize user management in its ID Provider. Calem provisions an authenticated user in Calem, or update the user settings accordingly.
- A user accesses Calem
- The user is redirected to its ID provider for authentication via SAML
- Upon authentication the user record is created Calem if not found. Otherwise, it's updated.
The following SAML attributes from an authenticated user may be used to provision a user record in Calem.
- Note that "Team ID" is deprecated. The team will be defined based on the Group Id in Calem from release R2022a (March 2022).
| Attribute | Mandatory |
| Full Name (givenname and surname) |
Y |
| User Id | Y |
| Y | |
| Group - mapped to Profiles in Calem | Y |
Plugins must be configured to enable user provisioning. A plugin includes business logic meeting the specific requirements of the integration for an organization.
- They are developed and released by Calem based on customer requirements.
- No plugin is configured out of the box.
- A plugin needs to be configured to enable the integration.
- For instance, "itiga" is the plugin Id to be enabled.
- The plugin is deployed to directory Calem_Home/server/modules/plugin/itiga/
- The following configuration needs to be added to calem.custom.php to enable it.
The user provisioning includes the following data integration points.
| 1. Direct Mapping - a SAML attribute is mapped to a field in Calem |
| 2. Lookup Mapping - a SAML attribute is mapped to a lookup field in Calem |
| 3. Default fields values |
| 4. Custom Handling - the custom business logic provided by a plugin |
| 5. Additional configuration - additional configuration data may be supplied in other files for a plugin. For instance, "itiga_conf.php" and "itiga_conf.custom.php", and "itiga_map.php" are included for "itiga" plugin. Additional information can be found in the README.txt file for a plugin. |
The following is the sample configuration for the data integration defined in calem.custom.php.
Option 1. Group by a Custom Plugin
The group Id is mapped to a set of ACL profiles in Calem. The first option is to use a custom plugin to provision ACL profiles, maintenance flag, team and organization. It requires the development of a custom plugin. This option provides more flexibility per customer requirements. It is the only option for cases that cannot be handled by option 2.
The second option is to use the profile set plugin in Calem. This plugin uses the profile sets configured in Calem to provision users authenticated by IdP (Id Provider).
- Menu: Organization | Open | Profile Sets.
- A profile set may be defined per team including the team, maintenance flag, job role, home site and ACL profiles for access control.
- A profile set may include more than one ACL profile.
- The attributes and ACL profiles of the profile set are used to provision or update the login user.
- A flag "No Provision" can be checked to turn off provisioning for users of this profile set.
- The name of the profile set needs to match the name of the group from the IdP (Id Provider).
- You may use the excel template file attached to prepare and upload profile sets.
Additional Resources