Just in Time SAML Provisioning

Just in Time SAML provisioning allows authorized SAML user accounts to be created in Rhombus dynamically when a new SAML user tries to login to the Rhombus web or mobile console for the very first time.

IDP Setup:

With Just in Time SAML, the IDP should be configured to send SAML role or group attributes as shown below. The values of the role/group attributes must match with one of the security roles that have been created in Rhombus.

In the example below, note that the Group Attribute is Super Admin Group just as it is in the Rhombus console.

<AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

<Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Super Admin Group</AttributeValue>

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal Admin</AttributeValue>

</Attribute>

</AttributeStatement>

If for any reason, role/group SAML attributes cannot be enabled on the IDP, “Add Users on Role Mismatch” can be enabled to allow Just in Time account creation without any Rhombus security roles attached to the user. Please note that user accounts created without any security roles will have no access to any cameras and resources in the Rhombus console. An admin will still need to manually assign a Rhombus security role to the new user.

Team name:

Rhombus requires SAML users to setup a Team Name. It is recommended to configure the Team Name to the domain name of the customer's email address domain.  For example, if the company emails are xzy@rhombussystems.com, then the Team Name is recommended to be configured as rhombussystems given that Team Name is still available.  The reason for this recommendation is that Rhombus uses the email domain name to auto detect the SAML settings.  If a non-matching Team Name is used, users are then required to use the SSO Login option on the login page which will allow input of a Team Name along with email address to get redirected to the appropriate configured SMAL IDP.

If you have any further questions please reach out to our Rhombus Support at help@rhombus.com. If you would like to talk to a Rhombus Sales Representative please reach out to sales@rhombus.com.