SAML JIT (Just-In-Time) configuration sample
As of the March 2020 release, Alma’s SAML Integration supports creation and update of users on the fly, based on their information in the IDP.
The workflow is as follows:
- The user is authenticated by the IDP.
- Alma checks whether the user already exists:
- If yes, the user's information is updated from the SAML assertion.
- If not, an Alma user is created from the SAML assertion.
This article describes the various options for configuring the user creation and update.
For general information about the SAML integration in Alma, see here.
Configure your SAML integration profile
The relevant configuration is done in the “Self Registration” section of the SAML integration profile:
To create users when they first log in, activate the section and fill in the relevant fields.
To update existing users on each login, check the “Update user upon login” checkbox.
There are two ways of mapping the user fields from the information received from the SAML IDP to Alma:
- Map specific SAML assertions to Alma user fields
- Convert the SAML XML using an XSL file to Alma’s User XML structure
Mapping SAML Assertions to Alma user fields
To map SAML assertion attributes to Alma fields, click the “Mapping of assertion fields to Alma fields” link.
In this mapping table, Target Code is the Alma user field (which cannot be changed) and Source-Text is the attribute name exactly as it appears in the SAML assertion.
When a user logs in, Alma maps the assertion attributes into the user's fields according to the table. If an attribute is not present in the assertion, Alma does not assign the corresponding field, and the user is created without it.
The defaults for User group, Resource sharing library and Statistical category are taken from the Integration Profile.
Mapping SAML Assertion to Alma Using XSL file
To use an XSL file, upload it to the profile (note that you must click “Save” after loading the file). Once an XSL file is in place, the mapping table is ignored.
The XSL input is the SAML assertion; the output must be a rest_user XML document (the same object that is sent to the Alma user API).
When a user logs in, Alma takes the SAML assertion XML, executes the XSL on it, and uses an internal API call to create or update the user. Note that the SAML update differs from the REST “PUT”: when a partial user is sent to PUT, all missing fields are deleted, whereas the SAML update changes only the fields that are sent and keeps the others unchanged. Keep in mind that xsl:value-of on an attribute the assertion does not carry emits an empty element rather than omitting it, so wrap optional fields in xsl:if (or xsl:for-each over the matched attribute) if you want them left out of the update.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xsl:template match="/">
    <!-- The output is a rest_user document. Each field is read from the
         AttributeStatement by the attribute's FriendlyName. FriendlyName is
         optional in SAML 2.0; if your IDP omits it, select on @Name instead. -->
    <user>
      <primary_id><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='mail']/saml2:AttributeValue"/></primary_id>
      <first_name><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='givenName']/saml2:AttributeValue"/></first_name>
      <!-- Literal placeholder in the sample: map a real attribute here or remove the element -->
      <middle_name>middle_name</middle_name>
      <last_name><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='sn']/saml2:AttributeValue"/></last_name>
      <!-- Fixed group code; not taken from the assertion -->
      <user_group>SOME_GROUP_CODE</user_group>
    </user>
  </xsl:template>
</xsl:stylesheet>
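The two behaviours described above, the mapping-table path (attributes missing from the assertion are skipped rather than set empty, and profile defaults fill the remaining fields on creation) and the difference between a REST PUT and the SAML update, as an added stand-alone model in Python. This is illustrative code written for this article, not Alma's implementation or API: the assertion is constructed, and the field codes, mapping entries, profile defaults and the rule that defaults apply only at creation are assumptions that mirror the XSL sample on this page.

```python
"""Added example: a stand-alone model of SAML JIT user mapping and update.

Not Alma code. It parses a constructed SAML 2.0 assertion, applies a
mapping table (Source-Text attribute name -> Target Code Alma field),
skips fields the assertion does not carry, and contrasts PUT (replace)
with the SAML update (merge).
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not a real IDP capture). It deliberately
# carries no 'sn' attribute, so last_name must be left unset by the mapping.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Mapping table (assumed): attribute name in the assertion -> Alma user field.
MAPPING_TABLE = {"mail": "primary_id", "givenName": "first_name", "sn": "last_name"}

# Integration-profile defaults (assumed values), applied only when creating a user.
PROFILE_DEFAULTS = {"user_group": "PATRON", "resource_sharing_library": "MAIN"}


def extract_attributes(assertion_xml):
    """Return {name: [values...]} for every Attribute in the AttributeStatement.
    FriendlyName is optional in SAML 2.0, so fall back to Name when it is absent."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return attrs


def map_to_alma_user(attrs, mapping=MAPPING_TABLE):
    """Apply the mapping table. An attribute that is missing or empty in the
    assertion is skipped, so the resulting user simply lacks that field."""
    user = {}
    for source, target in mapping.items():
        values = attrs.get(source)
        if values and values[0]:
            user[target] = values[0]
    if "primary_id" not in user:
        raise ValueError("assertion carries no attribute mapped to primary_id")
    return user


def put_user(existing, payload):
    """REST PUT semantics: the payload replaces the whole record, so any field
    absent from the payload is dropped from the stored user."""
    return dict(payload)


def saml_update_user(existing, payload):
    """SAML JIT update semantics: only fields present in the payload change;
    every other field of the existing record is kept."""
    merged = dict(existing)
    merged.update(payload)
    return merged


def jit_login(directory, assertion_xml, defaults=PROFILE_DEFAULTS):
    """Create-or-update as in the workflow above. Returns 'created' or 'updated'."""
    mapped = map_to_alma_user(extract_attributes(assertion_xml))
    pid = mapped["primary_id"]
    if pid in directory:
        directory[pid] = saml_update_user(directory[pid], mapped)
        return "updated"
    directory[pid] = {**defaults, **mapped}
    return "created"


if __name__ == "__main__":
    users = {}
    print(jit_login(users, SAMPLE_ASSERTION), users)
    users["jdoe@example.edu"]["last_name"] = "Doe"   # set later by staff
    print(jit_login(users, SAMPLE_ASSERTION), users)  # last_name survives the merge
```

The same constructed assertion can be fed through the XSL sample above with any XSLT 1.0 processor to compare the two mapping styles; note that the XSL will emit an empty last_name element for this input, while the mapping-table model omits the field.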