Tech Blog

SAML JIT (Just-In-Time) configuration sample

As of the March 2020 release, Alma’s SAML Integration supports creating and updating users on the fly, based on their information in the IdP.

The workflow is as follows:

  • User is authenticated by the IdP
  • User exists in Alma?
    • Yes – update the user’s information based on the SAML assertion
    • No – create an Alma user based on the SAML assertion

This article describes the various options for configuring the user creation and update.

For general information about the SAML integration in Alma, see here.

Configure SAML JIT integration profile

The relevant configuration is done as part of the SAML integration profile, in the “Self Registration” section:

To create users when they first log in, activate the section and fill in the relevant fields.

To enable updates upon each login – check the “Update user upon login” checkbox.

There are two ways of mapping the user fields from information received from the IdP into Alma:

  1. Map specific SAML assertions to Alma user fields
  2. Convert the SAML XML using XSL to Alma’s User XML structure

Mapping SAML Assertions to Alma user fields

In order to map SAML assertions to Alma fields – click on the “Mapping of assertion fields to Alma fields” link.

Configure the mapping table if needed.

When a user logs in, Alma will map the assertions into the user's fields. If a field is not found in the assertion, Alma will not assign it, and the user will be created without this field.

The defaults for User group, Resource sharing library and Statistical category will be taken from the definition in the integration profile.

Mapping SAML Assertion to Alma Using XSL file

In order to use XSL transformations, you need to upload an XSL file (please note you must click on “save” after uploading the file).

The input for the XSLT is the SAML assertions XML, and the output should be a REST User XML (the same object that is sent to Alma's API).

When a user logs in, Alma will take the SAML assertions XML, execute the XSL on it, and use an internal API call to update the user. Note that the SAML update is not exactly the same as a PUT request: when a partial user is sent via PUT, all missing fields are deleted, whereas the SAML update-user only updates the fields that were sent and keeps all other fields unchanged.

Note: When using an XSL file, only the fields produced by the XSL will be mapped to the user. The mapping-table will be ignored.
The following is a sample of an XSL that creates a user with 4 fields:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <xsl:template match="/">
    <!-- The output is the REST User XML. Each mapped value is read from the
         SAML attribute whose FriendlyName is given in the predicate. -->
    <user>
      <primary_id><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='mail']/saml2:AttributeValue"/></primary_id>
      <first_name><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='givenName']/saml2:AttributeValue"/></first_name>
      <last_name><xsl:value-of select="//saml2:AttributeStatement/saml2:Attribute[@FriendlyName='sn']/saml2:AttributeValue"/></last_name>
      <!-- middle_name and user_group are literal placeholder values here;
           replace them with your own values or with xsl:value-of selects. -->
      <middle_name>middle_name</middle_name>
      <user_group>SOME_GROUP_CODE</user_group>
    </user>
  </xsl:template>
</xsl:stylesheet>
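To make the behaviour described on this page concrete, here is a small Python model of the JIT flow, added as an illustration; it is not Alma code and calls no Alma API. It covers two passages at once: the mapping-table rule (attributes missing from the assertion are skipped and the integration-profile defaults fill fields such as user_group) and the update-semantics note from the XSL section (a REST PUT deletes every field the partial user omits, while the SAML update-user overwrites only the sent fields). The assertion, the mapping table, the profile defaults and the stored user record are all constructed sample data; only user_group is shown among the profile defaults because the page does not give the element names for the other two.

```python
"""Miniature of the SAML JIT flow described above (added illustration, not Alma code).

Step 1: pull attribute values out of a SAML 2.0 assertion.
Step 2: apply a mapping table (FriendlyName -> Alma user field); attributes the
        assertion did not carry are skipped, and profile defaults fill the gaps.
Step 3: contrast REST PUT (missing fields deleted) with the SAML update-user
        merge (only sent fields overwritten).
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Constructed sample assertion, trimmed to the AttributeStatement.
# The FriendlyName values are the ones the page's XSL selects on.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml2:AttributeValue>jdoe@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="sn" Name="urn:oid:2.5.4.4">
      <saml2:AttributeValue>Doe-Smith</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed mapping table (SAML FriendlyName -> Alma user field).
# eduPersonAffiliation is deliberately absent from the sample assertion.
MAPPING = {
    "mail": "primary_id",
    "givenName": "first_name",
    "sn": "last_name",
    "eduPersonAffiliation": "user_group",
}

# Constructed integration-profile defaults (assumed element name).
PROFILE_DEFAULTS = {"user_group": "SOME_GROUP_CODE"}

# Constructed record standing in for what Alma already holds for this user.
EXISTING_USER_XML = """<user>
  <primary_id>jdoe@example.edu</primary_id>
  <first_name>Jane</first_name>
  <middle_name>Q</middle_name>
  <last_name>Doe</last_name>
  <user_group>SOME_GROUP_CODE</user_group>
</user>"""


def attribute_values(assertion_xml):
    """Return {FriendlyName: text of the first non-empty AttributeValue}.
    The lookup is namespace-aware, so only saml2 elements are matched."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("FriendlyName")
        value = attr.find("saml2:AttributeValue", NS)
        if name and value is not None and value.text and value.text.strip():
            values.setdefault(name, value.text.strip())
    return values


def build_user(assertion_xml, mapping, profile_defaults):
    """Mapping-table behaviour: an attribute missing from the assertion leaves
    its field unset; profile defaults then fill fields still unset."""
    attrs = attribute_values(assertion_xml)
    user = {}
    for saml_name, alma_field in mapping.items():
        if saml_name in attrs:  # absent attribute -> field is simply skipped
            user[alma_field] = attrs[saml_name]
    for field, default in profile_defaults.items():
        user.setdefault(field, default)
    return user


def user_fields(user_xml):
    """Flatten a one-level <user> document into {field: value}."""
    return {child.tag: (child.text or "").strip() for child in ET.fromstring(user_xml)}


def apply_put(existing_xml, incoming):
    """REST PUT semantics: the incoming record replaces the stored one,
    so every field it omits is deleted."""
    return dict(incoming)


def apply_saml_update(existing_xml, incoming):
    """SAML update-user semantics: only the sent fields are overwritten."""
    merged = user_fields(existing_xml)
    merged.update(incoming)
    return merged


def fields_dropped_by_put(existing_xml, incoming):
    """Stored fields a PUT of this partial record would erase; a handy check
    before sending a partial user to the REST API instead of via SAML."""
    return sorted(set(user_fields(existing_xml)) - set(incoming))


if __name__ == "__main__":
    partial = build_user(SAMPLE_ASSERTION, MAPPING, PROFILE_DEFAULTS)
    print("partial user from assertion:", partial)
    print("after SAML update:", apply_saml_update(EXISTING_USER_XML, partial))
    print("after PUT:", apply_put(EXISTING_USER_XML, partial))
    print("PUT would drop:", fields_dropped_by_put(EXISTING_USER_XML, partial))
```

Running it shows the partial user built from the assertion (no middle_name, since neither the assertion nor the defaults supply one), the stored middle_name surviving the SAML-style merge, and the same field being erased under PUT semantics, which is exactly the difference the note above warns about.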
