Just-In-Time SAML Provisioning

Topics included in this article:

• Just-In-Time Overview
  • Rhombus Console Setup
• IDP (Identity Provider) Setup
  • Example
• Team Name Requirements
• Helpful Links
• Contact Support or Sales

Just-In-Time Overview

Just-In-Time SAML (Security Assertion Markup Language) provisioning allows authorized SAML user accounts to be created dynamically in the Rhombus Console when a new SAML user tries to log in to the Rhombus web or mobile console for the first time.

Rhombus Console Setup

1. Navigate to "Settings," and select "Single Sign-On."

2. Under the "Single Sign-On" dropdown menu, toggle on "Just-In-Time User Creation," and click "Save."

IDP (Identity Provider) Setup

With Just-In-Time SAML, the IDP should be configured to send SAML role or group attributes as shown below. The values of the role/group attributes must match the security roles that have been created in Rhombus.

Note: User accounts created without any security roles will have no access to any cameras and resources in the Rhombus console. An admin will still need to manually assign a Rhombus security role to the new user. 

Example

Role: Super Admin Group

<AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

<Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Super Admin Group</AttributeValue>

<AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Internal Admin</AttributeValue>

</Attribute>

</AttributeStatement>

Figure 1.) Showcases the Role as it appears in the Rhombus Console. This Role name must match the exact values used for the identity provider. 

Team Name Requirements

Rhombus requires SAML users to set up a Team Name. We recommend configuring the Team Name to the customer's email address domain name.

• For example, if the company email is something like xzy@rhombussystems.com, then the Team Name is recommended to be configured as rhombussystems given that the Team Name is still available.

Note: If the Team Name does not match the domain name, the user will not be auto-recognized and instead will be required to use the SSO login option. 

Helpful Links

• SCIM Setup for SSO
• Rhombus & SSO - FAQ

Contact Support or Sales

Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.

Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.