wendyguo | Posts: 74

SSO identity provider

0 votes

Hi,

Per https://community.onespan.com/documentation/onespan-sign/guides/admin-guides/user/configuring-your-identity-provider,

On Identity Provider, configure the following Attribute Mappings (OneSpan Sign will use them to identify the user who is logging in):

What is accountId? Who should generate the accountID?

Thanks

Wendy


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Hi Wendy,

Only the signer's/sender's first name, last name and email will be used to match with the OSS database. If you switch to the other three tabs in this guide and search for "Attribute Statements" or "Claim Rule", you will see that only these three attributes are mandatory to be sent via SAML.

Duo


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Hi Wendy,

I was advised that the other attributes are for use cases where the same SAML configuration is used in many accounts in the same instance.

Also, regarding the note "If you want to configure an Identity Provider only for "recipients" (not members of a OneSpan Sign account), specify only the parameter email. You don't need to specify a first name or last name." - you may already know that OneSpan Sign started to support "Multiple Signers share the same Email" as of version 11.36. So with your future upgrades in mind, it might be better if you pass first name, last name and email through SAML for both the signer and sender SSO use cases.

Duo


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Hi Wendy,

Please be aware that these two attributes are ONLY necessary if you want the OSS system to auto-provision new senders to a specific account during their first login. (In other words, if all your senders have existing OSS accounts, you don't need to configure these two attributes.)

In case you have the same SAML configuration in multiple accounts across the same instance, you will need to add additional attributes to associate the sender with the specific account.

  • accountid: This claim should be mapped to an Active Directory attribute that contains the owner account's accountID - aka the account UID you saw in Backoffice.
  • type: This claim should be mapped to an Active Directory attribute that is either a "Regular" value or a "Manager" value - the user type that will be granted to the sender.

Duo


wendyguo | Posts: 74

Reply to:

0 votes

Hi Duo,

Now I understand accountID is the OSS accountUID, but I am not quite sure I understand type. Are you telling me that if type is defined as Regular in AD, then it will map to the OSS user role Regular? If the type is defined as Manager in AD, then it will map to the Manager role in OSS? Are only the two types Regular and Manager available?

Thanks

Wendy


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Yes, before the Roles & Permissions feature, OneSpan Sign had two sender types, "Regular" or "Manager".

Duo


wendyguo | Posts: 74

Reply to:

0 votes

Hi Duo,

If that is the case, the Owner should be set as Manager, and a sender can be set as either Regular or Manager, right?

Here is what I understand:

Let's say I create owner account [email protected]. I can get this owner accountUID from Backoffice; let's say the uid is accountUID1234.
Then I create 3 sender accounts under this owner account in OSS:
[email protected]
[email protected]
[email protected]

On the Azure Active Directory Identity Provider, configure the following Attribute Mapping:

for [email protected]
email : [email protected]
firstname: owner firstname
lastname: owner lastname
accountid: accountUID1234
type : Manager

for sender account:
email : [email protected]/[email protected]/[email protected]
firstname: sender firstname
lastname: sender lastname
accountid: accountUID1234
type : general /Manager

Am I right?

Thanks

Wendy


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

If you created the OSS sender already, you don't need to add "accountid" and "type". They are only needed when you skipped the user provisioning and let the OSS system auto-provision senders on their first login.

Duo


wendyguo | Posts: 74

Reply to:

0 votes

For the owner account, I have to first create this owner account in OSS and specify the account UID in AD, right? Only the Owner account has an accountUID; sender accounts don't have an accountUID, right?

Thanks

Wendy


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Hi Wendy,

The same rule applies to the account owner as well - since the account owner already has an OSS account and is uniquely associated with the account, you don't need to specify accountid and usertype. In a nutshell, given your scenario, it is not necessary to specify these two attributes in your AD.

Duo


wendyguo | Posts: 74

Reply to: SSO identity provider

0 votes

Hi Duo,

Let's have another example. I plan to have an owner account A, and this owner account will have two sender accounts, B and C, and none of these three accounts has an OSS account. I want the OSS system to auto-provision them on their first login. How do I define them in AD?

For owner account A, on the Azure Active Directory Identity Provider, how do I configure the following Attribute Mapping?

email : owner account A email (No issue here)
firstname: owner firstname
lastname: owner lastname
accountid: which accountUID should I put here? The tenant account UID? This account has not been created in OSS, so we don't have its own accountUID.
type : Manager

How does OSS know account A will be the owner account? Because its type is Manager, will account A automatically become an owner account? Or does OSS not know whether account A is an owner account at this moment, and we have to finish the following steps before OSS will know it is the owner account?

Once account A has been defined in AD, account A has to log in to OSS. Once account A logs in to OSS for the first time, it will have an accountUID, and then we can use this accountUID to configure the two sender accounts in AD. In this way, OSS will know these two sender accounts are under owner account A. Am I right? If not, could you please let me know how to do it properly?

Thanks

Wendy


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

For the account owner, you have to manually create the account, otherwise there won't be an account ID and OSS won't know who is the account owner, and of course provisioning an account requires more information than inviting a sender.

Duo


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Yes, you are correct!

Duo


wendyguo | Posts: 74

Reply to: SSO identity provider

0 votes

Hi Duo,

I know the sender has to be provisioned in OSS. Does the signer have to be provisioned in OSS? I mean, does a Signer have to create an account in OSS or not? My understanding is that a Signer doesn't need to have an account in OSS; the Signer only needs to be configured in AD. Am I right?

Thanks

Wendy


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Hi Wendy,

Yes, signers don't have to be OSS accounts; you just need to add them in your AD.

Duo


wendyguo | Posts: 74

Reply to:

0 votes

If a Signer has an OSS account, but I don't want this Signer to be a sender, what can I do? My understanding is that if a signer has an OSS account and its type is Regular, then this Signer will become a sender, right?

Thanks

Wendy


Duo_Liang | Posts: 3776

Reply to: SSO identity provider

0 votes

Actually the two attributes "accountid" and "type" won't be validated if it's a signer SSO scenario - signer SSO is for accessing a Signing Ceremony, while sender SSO is for accessing the sender dashboard, if that's your concern.

Duo
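The rules Duo lays out across this thread (three claims used for matching; "accountid" and "type" consulted only when a sender who does not yet exist is auto-provisioned, and ignored for senders who already exist; the owner account created manually so that its UID is known; neither provisioning claim validated in the signer SSO scenario) can be checked against an identity provider's attribute mapping before it goes live. The following is an added Python example written for this thread, not OneSpan Sign's code and not the product's actual matching logic. It parses a constructed SAML AttributeStatement fragment with the claim names from the thread, uses a placeholder account UID, and assumes that "Regular"/"Manager" are compared case-sensitively and that an existing sender is matched by email alone.

```python
import xml.etree.ElementTree as ET

# Claim names as used in the thread; "accountid"/"type" only matter for auto-provisioning.
MANDATORY_SENDER_CLAIMS = ("email", "firstname", "lastname")
PROVISIONING_CLAIMS = ("accountid", "type")
VALID_SENDER_TYPES = {"Regular", "Manager"}   # assumed to be compared case-sensitively
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement; the account UID is a placeholder, not a real value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>new.sender@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>New</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Sender</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="accountid"><saml:AttributeValue>ACCOUNT-UID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="type"><saml:AttributeValue>Regular</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Flatten the AttributeStatement into {claim-name-lowercased: first value}.
    A real service provider verifies the assertion signature before trusting any
    attribute; this helper assumes that has already happened (and for untrusted
    XML you would parse with defusedxml rather than the stdlib parser)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name", "").lower()] = (value.text or "").strip() if value is not None else ""
    return attrs


def evaluate_login(attrs, existing_sender_emails, known_account_uids, flow="sender"):
    """Apply the thread's rules to one login and return (action, detail).

    flow="signer": access to a Signing Ceremony; accountid/type are never consulted.
    flow="sender": access to the sender dashboard; accountid/type are consulted only
    when the email is not already a sender and the system has to auto-provision one.
    """
    email = attrs.get("email", "")
    if not email:
        return ("reject", "email claim missing")

    if flow == "signer":
        missing = [c for c in ("firstname", "lastname") if not attrs.get(c)]
        detail = ("email alone is enough for recipients, but sending the names too keeps "
                  "the IdP compatible with signers who share an email") if missing else "ok"
        return ("signer-access", detail)

    missing = [c for c in MANDATORY_SENDER_CLAIMS if not attrs.get(c)]
    if missing:
        return ("reject", "missing mandatory sender claims: " + ", ".join(missing))

    # Existing sender: matched by email, the provisioning claims are simply not used.
    if email.lower() in {e.lower() for e in existing_sender_emails}:
        sent = [c for c in PROVISIONING_CLAIMS if attrs.get(c)]
        detail = ("provisioning claims sent but ignored: " + ", ".join(sent)) if sent else "ok"
        return ("match-existing", detail)

    # Unknown sender: auto-provisioning needs an account that already exists
    # (the owner account is created manually, which is what yields its UID)
    # and a recognised sender type.
    account = attrs.get("accountid", "")
    sender_type = attrs.get("type", "")
    if account not in known_account_uids:
        return ("reject", "accountid %r is missing or does not name an existing account" % account)
    if sender_type not in VALID_SENDER_TYPES:
        return ("reject", "type %r is not one of %s" % (sender_type, sorted(VALID_SENDER_TYPES)))
    return ("auto-provision", "create %s as a %s sender in account %s" % (email, sender_type, account))


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    known = {"ACCOUNT-UID-PLACEHOLDER"}
    # Brand-new sender: provisioned into the named account with the requested type.
    print(evaluate_login(attrs, set(), known))
    # Same assertion, but the sender already exists: accountid/type are ignored.
    print(evaluate_login(attrs, {"new.sender@example.com"}, known))
    # A misspelt type (as in the thread's "manger") cannot be provisioned.
    print(evaluate_login(dict(attrs, type="manger"), set(), known))
    # Signer flow never looks at the provisioning claims at all.
    print(evaluate_login(dict(attrs, type="manger"), set(), set(), flow="signer"))
```

Running the block walks through the four situations discussed in the thread: a new sender being auto-provisioned, an existing sender for whom the extra claims are dead weight, a misspelt type value that blocks provisioning, and the signer flow where the provisioning claims are never read. Feeding your own IdP's attribute mapping through `evaluate_login` with the set of already-provisioned sender emails is a cheap way to confirm that the optional claims are only ever relied on where the thread says they are.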


wendyguo | Posts: 74

Reply to: SSO identity provider

0 votes

How do I decide whether it is signer SSO or sender SSO?

Thanks

Wendy