In this article you will learn everything about the possibilities of a SAML connection to presono.
presono supports the Single-Sign-On (SSO) login via SAML. For this purpose there is an interface to presono which has to be set up. The SAML interface is used in presono exclusively for user and rights management.
Via this interface, users are assigned to the corresponding user groups in presono each time they log in.
So there are user groups in SAML and in presono. They are assigned to each other via the interface. If a user is assigned to a user group in SAML, which is also connected to a group in presono, the user can log in to presono via SAML and is automatically assigned the rights of the respective group. A user group can also refer to several groups in presono and vice versa.
Thus, users no longer have to be created in presono, but are automatically created and assigned to the corresponding permission groups in presono as soon as the users log in to presono via SAML, provided that they have groups for this in SAML. The users will then also appear in the presono UI only once they have logged in, as only then will the user be created.
It is also possible to configure whether the users that are brought into the tool via SAML should have their own workspace or not.
If SAML is already used by the customer, the interface can be used on both sides and the connection can be done individually. This is of course done in cooperation with the presono team.
If the login was set up via SAML, the SAML login screen will appear instead of the presono login screen (URL: https://my.presono.com). Users cannot log in via the presono login screen, so they will be redirected directly to the SAML page.
If desired, individual users can of course still be invited and managed via presono exclusively. They can still log in via the presono login screen. This can be reached on the browser at https://my.presono.com/login and in the desktop app you have to press Ctrl+L when on the SAML login screen. This will redirect you to the presono login screen.
The permission assignment in presono itself also remains unchanged - some or all groups are then only connected to SAML groups.
Technical Background
We use Auth0 (auth0.com) as a service for our authentication mechanisms. Auth0 handles the mediation between the customer's Active Directory and presono in the ADFS configuration.
The previous integrations were implemented via ADFS (Active Directory Federation Services). To do this, our Auth0 tenant is created as a Relying Party and then the following claims are passed along:
- Email-Address
- Display-Name
- User-Principal-Name
- Given-Name
- Surname
- Groups (or custom roles)
Auth0 then also takes over the forwarding to presono if authentication is successful.
Management in presono
To be able to manage the SAML settings in presono, the group right must be set for it:
Once the SAML interface has been set up, the references can be entered in the groups in presono. A new tab with "SAML references" appears on the far right of the group administration. Various references can be entered there. This way, the SAML groups will be mapped with the presono groups.
In the configurations, it can then be set for the entire platform whether the users created via SAML should have a personal workspace or not.
