
Hi All,

In PRA, we have a SAML security provider configured for user authentication and provisioning. Users are only provisioned when they log in for the first time.

Is there any way we can pre-provision the users via LDAP/AD group synchronization, similar to the functionality in Password Safe (without using SCIM)?

Thanks,

Adding more context to the requirement:

We are using group policies to assign jump groups, policies and roles. Currently we assign users to group policies after their account has been provisioned through first login.

We have one AD group that all PRA users are members of. We want to sync and pre-provision these users to PRA and assign the group policies to them even before they access PRA for the first time.

In the SAML Security Provider, I added LDAP Group Lookup, but I'm not able to figure out how this can be useful for my use case. What is the purpose of adding groups from a different provider?


Hi Prudhvi,

Please make changes in the user schema in your security provider settings. Please keep the complete domain while searching, and you will be able to see users from the configured security provider in the group policy. Add the users to it and mark these settings as final.

The users will still not be visible in the user list until they log in to their console. Once they log in they will be assigned to their group policy.

Please let me know if this helped.


Is it fixed?

What approach did you use? @Prudhvi Keertipati and @sonam

Is it treating the AD user and the SAML user differently even though they are the same user?


Hi Nazia,

It's the way you want to authenticate these users. These are different methods: if you are authenticating through AD then you need to do the LDAP configuration, and if it is SAML then you need to use SAML2 authentication.

And yes, they are 2 different entities.


Regards,

Sonam


Hi Sonam,

Here is my scenario.

  1. I have configured AD for domain login. Ideally I should assign permissions to AD users, and whether they log in through SAML or do a domain login they should see the assets assigned to the domain account.
  2. But in this case with PRA we now have 2 users for the same account, one from AD and another from SAML.
  3. If the user logs in with SAML they will not see any assets, as we have assigned them to the AD account and not to the SAML account.

What we want is that, irrespective of the user's login mechanism, permissions should only be through the AD account.

Is this doable, and what configuration is required?

In our case, if users log in from outside the network they will use SAML, but if they log in within the network they will use AD login.


Regards,

Naziya.


Hi Yasmin,

In either case you can create jump groups with the required users to ensure that they have access to the required systems.


Regards,

Sonam


Hi Sonam,

My concern is really not assigning permissions; my concern is why I have to do the same activity twice for the same user (we only want to have a different login mechanism, that's it). Once logged in to PRA there should be only one profile for a user.


Hi Naziya,

Can you please share the security provider settings? As per my understanding you must have configured two authentication mechanisms, LDAP and SAML. The user identities are completely different in both; their names may be the same, but it is considering them different because one entity cannot be verified from the other. In the console you are able to see them as the same, but according to the console they are different as they come from different authentication mechanisms.


Regards,

Sonam


Hi Sonam,

Yes, we have 2 security providers.


Hi Naziya,

As previously stated, these are 2 different entities, so the users are treated differently.


Regards,

Sonam


Hi @Naziya

As @sonam mentioned, LDAP (AD) and SAML are 2 different entities in PRA, even though the AD and SAML user accounts belong to the same user.

We ended up completely removing AD as a Security Provider. We are using PingFederate Outbound Provisioning to provision users with SCIM and PingFederate SSO for authentication. In the backend, PingFederate pulls the users from the same AD group for provisioning and SSO. In PRA, for the SAML security provider, select SCIM for Provisioning.


@Prudhvi Keertipati - Were you able to get a workaround or fix for this issue?

We are also having a similar issue in one environment where we are using Entra ID as the SAML provider, and users have to log in for the first time before you can assign the policies or the user ID starts reflecting in PRA. I guess your issue is the same, please confirm.


@mj15 Yes, I have the same use case.

As I mentioned in my earlier reply, we are using Outbound Provisioning to provision the users first through the SCIM Security Provider; that way user accounts are already created and policies applied even before the user logs in for the first time. Then the user can log in using the SAML Security Provider.

In your case, in the Entra ID Enterprise Application for your app, there will be a Provisioning option which you can use to provision the users via the SCIM provider.

In PRA, for the Entra ID SAML Security Provider, in the user provisioning option, select the SCIM provider. This way users will be pre-provisioned with the required policies even before they log in.
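The SCIM-first approach described in the two PingFederate/Entra ID replies above, modelled end to end as an added example (this is not code from the thread, from BeyondTrust, PingFederate or Microsoft). It shows what an outbound-provisioning connector pushes to a SCIM 2.0 endpoint so that accounts and group membership exist before anyone logs in, and why the pre-provisioned account and the later SAML login must agree on one identifier: if the IdP sends a NameID that does not match the attribute the service provider keys on, the login lands on a second identity, which is exactly the duplicate-user problem discussed earlier in the thread. The AD records, the in-memory `ScimDirectory`, and the rule that NameID is matched against `userName` are constructed assumptions; only the schema URNs and the PatchOp shape come from RFC 7643/7644.

```python
"""SCIM 2.0 pre-provisioning of one AD group into a service provider.

Added example, not code from the thread or from any vendor. It models what an
outbound-provisioning connector (PingFederate, Entra ID, ...) does against a SCIM
endpoint so accounts and group membership exist before the first SSO login, and
checks which identifier the later SAML login must carry to land on that account.
The AD records, the in-memory directory and the NameID-to-userName matching rule
are constructed assumptions for illustration.
"""
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"       # RFC 7643
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"   # RFC 7644


@dataclass(frozen=True)
class AdUser:
    """Attributes a connector reads from each member of the AD group (constructed)."""
    sam_account_name: str
    user_principal_name: str
    given_name: str
    sn: str
    enabled: bool


# Constructed sample: the single "all PRA users" AD group from the thread.
AD_GROUP_MEMBERS = [
    AdUser("alice", "alice@corp.example", "Alice", "Ng", True),
    AdUser("bob", "bob@corp.example", "Bob", "Rao", True),
    AdUser("svc-old", "svc-old@corp.example", "Svc", "Old", False),  # disabled in AD
]


def to_scim_user(u: AdUser) -> dict:
    """Map an AD record to a SCIM core User. userName is the UPN because the SAML
    IdP is assumed to send the UPN as NameID; externalId keeps the AD anchor."""
    return {
        "schemas": [SCIM_USER],
        "userName": u.user_principal_name,
        "externalId": u.sam_account_name,
        "name": {"givenName": u.given_name, "familyName": u.sn},
        "emails": [{"value": u.user_principal_name, "primary": True}],
        "active": u.enabled,
    }


class ScimDirectory:
    """In-memory stand-in for the service provider's SCIM endpoint (constructed)."""

    def __init__(self):
        self.users: dict[str, dict] = {}
        self.groups: dict[str, dict] = {}

    def create_user(self, resource: dict) -> dict:
        # SCIM servers enforce userName uniqueness (a real one answers 409 Conflict).
        if any(r["userName"].lower() == resource["userName"].lower() for r in self.users.values()):
            raise ValueError(f"userName already exists: {resource['userName']}")
        uid = f"u{len(self.users) + 1}"
        self.users[uid] = {**resource, "id": uid}
        return self.users[uid]

    def create_group(self, display_name: str) -> str:
        gid = f"g{len(self.groups) + 1}"
        self.groups[gid] = {"displayName": display_name, "members": []}
        return gid

    def patch_group(self, gid: str, patch: dict) -> dict:
        assert SCIM_PATCH in patch["schemas"]
        for op in patch["Operations"]:
            if op["op"] == "add" and op["path"] == "members":
                self.groups[gid]["members"].extend(op["value"])
        return self.groups[gid]

    def resolve_sso_login(self, name_id: str):
        """Account a SAML assertion with this NameID lands on, assuming the service
        provider matches NameID against userName case-insensitively. None means the
        login would create or hit a different identity, the split the thread describes."""
        for r in self.users.values():
            if r["active"] and r["userName"].lower() == name_id.lower():
                return r
        return None


def provision_group(directory: ScimDirectory, members, group_name: str) -> str:
    """Push enabled members as Users, then add them to one Group in a single PatchOp.
    Policies tied to that group therefore apply before anyone logs in. Disabled AD
    accounts are skipped instead of being created and immediately deactivated."""
    gid = directory.create_group(group_name)
    refs = []
    for u in members:
        if not u.enabled:
            continue
        created = directory.create_user(to_scim_user(u))
        refs.append({"value": created["id"], "display": created["userName"]})
    directory.patch_group(gid, {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "add", "path": "members", "value": refs}],
    })
    return gid


if __name__ == "__main__":
    d = ScimDirectory()
    gid = provision_group(d, AD_GROUP_MEMBERS, "PRA Users")
    print(len(d.groups[gid]["members"]), "members pre-provisioned")
    print("UPN NameID matches:", d.resolve_sso_login("Alice@corp.example") is not None)
    print("sAMAccountName NameID matches:", d.resolve_sso_login("alice") is not None)
```

The last two lines of the `__main__` block are the check worth running against any real setup: whichever attribute the service provider keys accounts on, the IdP's NameID (or the configured user-identifier attribute) must carry the same value, otherwise the SCIM-created account sits unused and the SAML login spawns a second identity with no policies.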

