Managing groups using SAML
There are two available options when managing groups with SAML. These are described below and can also be combined.
SAML has no concept of groups. Instead, groups are assigned based on SAML attributes, and the attribute mapping controls which SAML attribute is used for group assignment. Typically, this is an attribute that can have multiple values, but this is not required. The name of the attribute depends on the identity provider.
Default groups
These are groups that are configured in Fotoware's SAML settings interface in the site configuration.
Go to Site Configuration > Security > Single Sign-on.
By defining at least one default group, all users who log in with SAML will be allowed access and placed in these default Fotoware groups on import.
For example, you can create a SAML Users group in Fotoware and add it as a default group. All users who log in using SAML SSO are placed in this group and assigned access to the system accordingly. In the example above, two default groups are defined: Everyone and Registered users. Users imported via SAML will be placed in these groups and assigned a license and permissions according to these groups' settings.
Linked groups
These are Fotoware groups that are linked to groups in the SAML Identity Provider (IdP). When using ADFS, the IdP is Active Directory.
When a user logs in with SAML SSO, they are added to one or more linked groups based on the group information obtained from the IdP.
For example, you can create a group called FW-Editors in Fotoware and configure it as a linked group so that all members of the Active Directory group AD-Editors are added to the corresponding FW-Editors group in Fotoware when they log in. This way, groups can be managed in the IdP, synced to Fotoware, and used for fine-grained access control based on group membership or other attributes set in the IdP.
Configuring a linked group
- Create a group in Fotoware.
- Set the group permissions, the license to apply to the group, and any parent group that the group should be nested in.
- In the group details, use the group attribute value that comes from the IdP as the SAML group name. In the example below, the value served by the IdP is adfs_editors.
- In the identity provider, configure an attribute mapping rule that sets the groups attribute to Editors for all users that are to be added to the Fotoware Editors group. For more information, see SAML - Fotoware Attribute Mapping.
How to perform this last step depends on the identity provider. For example, in Microsoft ADFS, you can add a claim rule (which is called an attribute mapping in SAML) of type Send group membership as claim, select an Active Directory group to be linked to the Fotoware group, set the outgoing claim type (= SAML attribute mapping) to Groups (or whatever SAML Property name is used for the Fotoware Member of (Group) property - see the screenshot above) and set the outgoing claim value to the value that corresponds to the SAML group name in the group details in Fotoware.
This is described below. For more information, see the Microsoft documentation: https://docs.microsoft.com/en-us/win...hip-as-a-claim.
In the following, ADFS is used to illustrate the attributes that need to be mapped. However, the same can be accomplished by configuring Fotoware with a SAML interface toward other Identity Providers.
Example: Mapping AD groups to Fotoware groups in Microsoft ADFS
- In the ADFS manager, right-click the selected trust and select Edit Claim Issuance Policy.
- The Claim Issuance Policy dialog opens. Add one rule for every group you'd like to link to Fotoware.
Note: In the above example, entry 3 in the list is the group claim. How to set up entries 1 and 2 (LDAP and Name ID mapping) is described later in this article.
- Select Add Rule... to create a new rule.
- From the drop-down list, choose Send Group Membership as a Claim.
- Enter the following information:
Claim rule name: The name used to identify the rule. Enter a name that allows you to easily identify it later.
Choice of group: Select the group to be synced to Fotoware. Use the Browse button to select a group in the identity provider (AD).
Outgoing claim type: Select the SAML Attribute Name corresponding to the Fotoware Member of (Groups) property - it's typically called groups unless you've changed the default value. See the first screenshots in the article for details. This allows Fotoware to identify the transferred claim as a group attribute.
Outgoing claim value: Enter a unique name to identify the group when linking it to a group in Fotoware. It does not have to have the same name as the group; the value should be identical to the SAML group name specified in the Fotoware group (adfs_editors was used in the example Fotoware group above, as in the example below).
It is also possible to specify multiple groups in the groups attribute separated by commas. For example, a value of group1,group2 will cause the user to be added to the linked groups where the SAML group name is group1 or group2. How to set the attribute like this depends on the identity provider. To our knowledge, it is not easily possible in ADFS.
- Select OK.
How are groups synchronized?
On login, the user will be removed from any linked groups that have a SAML group name that is not listed in the groups attribute. This allows an administrator to revoke a user's access to resources in Fotoware by, for example, removing the user from a group in Active Directory. In no event is the user removed from any groups that do not have a SAML group name (i.e. that are not linked groups).
A user is permitted to log in to Fotoware via SAML SSO if and only if the user is added to at least one linked group, OR if at least one default group is configured.
This means that if any default groups are configured, then all users that can successfully sign in via SAML SSO have permission to log in to Fotoware, and if no default groups are configured, then membership of linked groups can be used to control access to Fotoware in general. Note that most SAML identity providers have configurable access control of their own as well, so it is possible to configure access control even when using default groups.
Example: How to assign different user licenses to different user groups?
Based on the information above, this example illustrates how to control the assignment of user licenses (Standard, Plus, Pro) based on group membership in the IdP. Note that the example is based on Fotoware Feature Release 13 - it won't work with previous versions.
- Create a group called AD Pro Users in Active Directory and add all users/groups that should receive a pro license to it.
- Create a group called FW Pro Users in Fotoware and set the default license to Pro.
- Set the SAML name of the group to pro_users.
- In ADFS, create a new Send Group Membership as a Claim rule.
- Select the AD group AD Pro Users.
- Set outgoing claim type (= SAML Attribute name) to groups (enter it manually, do not select from the drop-down list).
- Set outgoing claim value to pro_users.
Licenses can now be managed in AD by adding/removing users/groups to/from the AD Pro Users group.
(All names and identifiers can be varied. Those used here are placeholders chosen to illustrate which names must match and which need not.)
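To make the rules in "How are groups synchronized?" and the license example above concrete, here is an added Python model of the login-time group sync; it is not Fotoware's code. It assumes the group names from the article (FW-Editors/adfs_editors, FW Pro Users/pro_users, Everyone, Registered users), plus an assumed extra linked group FW-Reviewers, an assumed non-linked group Legacy uploaders, assumed per-group licenses, and a constructed SAML assertion fragment carrying the groups attribute.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Fotoware-side configuration, using the group names from the article's examples.
DEFAULT_GROUPS = {"Everyone", "Registered users"}
LINKED_GROUPS = {  # Fotoware group -> SAML group name entered in the group details
    "FW-Editors": "adfs_editors",
    "FW Pro Users": "pro_users",
    "FW-Reviewers": "reviewers",  # assumed extra linked group, not from the article
}
GROUP_LICENSE = {"FW Pro Users": "Pro", "FW-Editors": "Plus"}  # assumed per-group licenses

# Constructed sample assertion: a multi-valued "groups" attribute where one value is
# itself a comma-separated list (both forms are described in the article).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>pro_users</saml:AttributeValue>
      <saml:AttributeValue>adfs_editors,group2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def groups_from_assertion(xml_text, attr_name="groups"):
    """Collect every value of the mapped group attribute, splitting comma-separated lists."""
    values = set()
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            for val in attr.iterfind("saml:AttributeValue", NS):
                values.update(v.strip() for v in (val.text or "").split(",") if v.strip())
    return values

def sync_groups(current, saml_groups, linked=LINKED_GROUPS, default=DEFAULT_GROUPS):
    """Return (login_allowed, new_membership): linked groups are added or removed to
    match the attribute, non-linked groups are left alone, default groups are always
    added, and login needs at least one linked match or at least one default group."""
    matched = {fw for fw, name in linked.items() if name in saml_groups}
    kept = {g for g in current if g not in linked}  # never remove non-linked groups
    return bool(default) or bool(matched), kept | matched | set(default)

def licenses_for(groups, group_license=GROUP_LICENSE):
    """Licenses the user now qualifies for through group membership."""
    return {group_license[g] for g in groups if g in group_license}
```

Running sync_groups({"FW-Reviewers", "Legacy uploaders"}, groups_from_assertion(SAMPLE_ASSERTION)) shows the user dropped from FW-Reviewers (linked, no longer asserted) but kept in Legacy uploaders (not linked), and licenses_for on the result includes Pro via FW Pro Users; the unknown value group2 is simply ignored.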