Just in Time SAML Provisioning

Topics included in this article:

• What is Just in Time Provisioning
• IDP (Identity Provider) Setup
• Team Name Requirements
• Helpful Links
• Contact Support or Sales

What is Just in Time Provisioning

Just in Time SAML (Security Assertion Markup Language) provisioning allows authorized SAML user accounts to be created dynamically in the Rhombus Console when a new SAML user tries to log in to the Rhombus web or mobile console for the first time.

IDP (Identity Provider) Setup

With Just in Time SAML, the IDP should be configured to send SAML role or group attributes as shown below. The values of the role/group attributes must match with one of the security roles that have been created in Rhombus.

In the example below, note that the Group Attribute is Super Admin Group just as it is in the Rhombus console.

<AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

<Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Super Admin Group</AttributeValue>

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal Admin</AttributeValue>

</Attribute>

</AttributeStatement>

If the role/group SAML attributes cannot be enabled on the IDP, “Add Users on Role Mismatch” can be enabled to allow Just in Time account creation without any Rhombus security roles attached to the user.

Please note that user accounts created without any security roles will have no access to any cameras and resources in the Rhombus console. An admin will still need to manually assign a Rhombus security role to the new user. Currently, the feature of using "Add users on Role Mismatch" in the Rhombus console is not operating correctly.

Team Name Requirements

Rhombus requires SAML users to set up a Team Name. It is recommended to configure the Team Name to the domain name of the customer's email address domain.

• For example, if the company email is something like xzy@rhombussystems.com, then the Team Name is recommended to be configured as rhombussystems given that the Team Name is still available.

Please Note: If the Team Name does not match the domain name, the user will not be auto-recognized and instead will be required to use the SSO login option. 

Helpful Links

• SCIM Setup for SSO
• Frequently Asked Questions about SSO with Rhombus

Contact Support or Sales

Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.

Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.