SAML JIT (Just-In-Time) configuration sample
As of the March 2020 release, Alma’s SAML Integration supports creating and updating users on the fly, based on their information in the IdP.
The workflow is as follows:
- The user is authenticated by the IdP
- Does the user already exist in Alma?
  - Yes: update the user's information based on the SAML assertion
  - No: create an Alma user based on the SAML assertion
This article describes the various options for configuring the user creation and update.
For general information about the SAML integration in Alma, see here.
Configure SAML JIT integration profile
The relevant configuration is done as part of the SAML integration profile, in the “Self Registration” section:
To create users when they first log in, activate the section and fill in the relevant fields.
To enable updates on every login, check the “Update user upon login” checkbox.
There are two ways of mapping the user fields from information received from the IdP into Alma:
- Map specific SAML assertions to Alma user fields
- Convert the SAML XML using XSL to Alma’s User XML structure
Mapping SAML Assertions to Alma user fields
In order to map SAML assertions to Alma fields – click on the “Mapping of assertion fields to Alma fields” link.
Configure the mapping table if needed.
When a user logs in, Alma maps the assertion attributes into the user's fields. If a mapped attribute is not present in the assertion, Alma does not assign that field, and the user is created without it.
The defaults for User group, Resource sharing library and Statistical category will be taken from the definition in the integration profile.
Mapping SAML Assertion to Alma Using XSL file
In order to use XSL transformations, you need to upload an XSL file (please note you must click on “save” after uploading the file).
The input for the XSLT is the SAML assertion XML, and the output should be a REST User XML (the same object that is sent to Alma’s User API).
When a user logs in, Alma takes the SAML assertion XML, runs the XSL on it, and uses an internal API call to update the user. Note that this SAML update is not the same as a PUT request: when a partial user is sent with PUT, all fields missing from the request are deleted, whereas the SAML update-user call updates only the fields that were sent and keeps the rest unchanged.
Sample XSL file (the literal values middle_name and SOME_GROUP_CODE are placeholders to be replaced with your own values):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xsl:template match="/">
    <!-- Output: REST User XML, as sent to Alma's User API -->
    <user>
      <!-- Each field is taken from the SAML Attribute with the matching FriendlyName -->
      <primary_id><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='mail']/saml2:AttributeValue"/></primary_id>
      <first_name><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='givenName']/saml2:AttributeValue"/></first_name>
      <!-- Literal placeholder value; replace or map from an assertion attribute -->
      <middle_name>middle_name</middle_name>
      <last_name><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='sn']/saml2:AttributeValue"/></last_name>
      <!-- Fixed user group code for all JIT-created users -->
      <user_group>SOME_GROUP_CODE</user_group>
    </user>
  </xsl:template>
</xsl:stylesheet>
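The following script is an added illustration, not Alma's code or Ex Libris' sample: it models the assertion-to-field mapping described above (a missing attribute is not assigned; User group, Resource sharing library and Statistical category fall back to the integration-profile defaults) and the difference between the JIT update-user call and a REST PUT with a partial user. The SAML assertion, the mapping table, the profile defaults and the flat `phone` field are all constructed assumptions for the example; only the Python standard library is used, so you can run it offline.

```python
"""Simulate Alma-style SAML JIT attribute mapping and update semantics.

Added illustration; not Alma's implementation. The constructed assertion,
mapping table, profile defaults and flat field names are assumptions.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of a SAML 2.0 assertion as it
# would arrive after the IdP has authenticated the user (the article's first
# workflow step). It deliberately carries no 'telephoneNumber' attribute.
SAMPLE_ASSERTION = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml2:AttributeValue>jane.doe@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Assumed mapping table (assertion FriendlyName -> Alma user field), standing in
# for the profile's "Mapping of assertion fields to Alma fields" table. 'phone'
# is a simplified flat field used only for this illustration.
MAPPING_TABLE = {
    "mail": "primary_id",
    "givenName": "first_name",
    "sn": "last_name",
    "telephoneNumber": "phone",  # absent from the sample assertion on purpose
}

# Assumed defaults from the profile's "Self Registration" section.
PROFILE_DEFAULTS = {
    "user_group": "SOME_GROUP_CODE",
    "resource_sharing_library": "MAIN",
    "statistical_category": "UNDERGRAD",
}


def extract_attributes(assertion_xml):
    """Return {FriendlyName: first AttributeValue text} from the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        name = attr.get("FriendlyName")
        value = attr.find("saml2:AttributeValue", SAML_NS)
        if name and value is not None and value.text:
            attrs[name] = value.text.strip()
    return attrs


def map_assertion_to_user(assertion_xml, mapping=MAPPING_TABLE, defaults=PROFILE_DEFAULTS):
    """Build the user record created on first login.

    A field whose attribute is missing from the assertion is left out rather
    than set to an empty value; profile defaults fill the three fields the
    article names when the assertion did not supply them.
    """
    attrs = extract_attributes(assertion_xml)
    user = {}
    for friendly_name, alma_field in mapping.items():
        if friendly_name in attrs:  # missing attribute -> field not assigned
            user[alma_field] = attrs[friendly_name]
    for field, default in defaults.items():
        user.setdefault(field, default)
    return user


def jit_update(existing_user, incoming):
    """SAML JIT update: only the fields present in `incoming` change."""
    merged = dict(existing_user)
    merged.update(incoming)
    return merged


def rest_put(existing_user, incoming):
    """REST PUT of a partial user: the sent object replaces the stored one,
    so every field that was not sent is dropped."""
    return dict(incoming)


if __name__ == "__main__":
    created = map_assertion_to_user(SAMPLE_ASSERTION)
    print("created on first login:", created)
    existing = dict(created, phone="+1 555 0100")
    print("JIT update keeps phone:", jit_update(existing, {"last_name": "Smith"}))
    print("PUT drops phone:", rest_put(existing, {"last_name": "Smith"}))
```

Running it shows the created record without a `phone` key but with the three profile defaults, then the same last-name change applied two ways: the JIT-style merge retains the phone number, the PUT-style replacement loses it. This is the behaviour to keep in mind when deciding which fields your XSL emits on every login.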
One Reply to “SAML JIT (Just-In-Time) configuration sample”
In addition to this blog see also “How to add a ‘Forgot My Password’ link to the login page in the new UI when using Alma for authentication” at https://knowledge.exlibrisgroup.com/Primo/Knowledge_Articles/How_to_add_a_'Forgot_My_Password'_link_to_the_login_page_in_the_new_UI_when_using_Alma_for_authentication