In a multi-tenant CommCell environment, service providers can configure SAML authentication for all tenants by configuring SAML authentication at the CommCell level. When set at the CommCell level, SAML authentication applies to all companies in the CommCell environment.
To configure SAML authentication at the CommCell level, you must map a company name attribute. The value sent in the company name attribute must match the value in the Company alias box on the company details page. If a matching company alias is not found, the user cannot log on. If a value is not sent in the company name attribute, a new user is created at the CommCell level and is not associated with a company.
Note: When you configure SAML authentication at the CommCell level, advise tenants to not configure SAML authentication at the company level.
Before You Begin
Add a SAML application. For instructions, see Adding Identity Servers.
In the identity provider (IdP) response, identify the attribute that is used for the company name. The attribute can be a standard attribute or a custom attribute.
Compile a list of all the SMTP addresses for all the tenant users.
From the navigation pane, go to Manage > Security > Identity server.
The Identity servers page appears.
In the Name column, click the application name.
The application details page appears.
Under Attribute mappings, click Edit.
The Edit attributes dialog box appears.
Click Add mappings.
In the SAML attributes box, enter the attribute that is used for the company name in the IdP response.
For example, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization.
In the User attributes list, click Company name.
To identify the users who must be authenticated by using SAML, create a redirect rule that includes all the possible SMTP addresses for the tenant users:
Under Identity redirect rule, click Add identity redirect rule.
The Add identity redirect rule page appears.
In the Domain name box, select an existing domain, or type a new domain name.
If the company name attribute is not sent in the response or if a value for the company name attribute is not sent, a new user is created at the CommCell level and is associated with the domain instead of with a company.
In the Associated SMTP box, enter an SMTP address, and then click Add.
The SMTP address identifies the users who must be authenticated by using SAML.
For information about mapping additional SAML attributes, see Mapping SAML Attributes.