Managing SAML Authentication
After you enable SCIM provisioning, you use the IdP to manage provisioned users and groups.
Testing the Draft Configuration
When SP-initiated logins are enabled, you can test that the draft SAML configuration is set up correctly with your identity provider (IdP). Test the draft configuration after modifying the configuration and before publishing it to production.
Resetting the Draft Configuration
To discard your edits to the draft configuration, you can reset the draft. Resetting overwrites the changes in the draft configuration with the published production configuration.
Publishing the Draft Configuration
After completing the draft configuration, you publish it to production.
The production configuration is read-only. To edit the SAML settings, you must edit the draft configuration and then publish that modified draft.
Rotating the Service Provider Certificate
StreamSets generates a unique service provider certificate for your organization. Each service provider certificate has an expiration date. You can create a new certificate and then rotate the certificate in your identity provider (IdP) when the expiration date approaches.
You can find the expiration date for your certificate in the List of SAML Certificates section.
Enabling the Production Configuration
After you publish a draft configuration to production, you enable the production configuration to activate it. When enabled, all organization users must log in using SAML authentication.
Disabling the Production Configuration
You can disable the production configuration to disable SAML authentication for your organization. When disabled, all organization users must log in using local or public identity provider authentication.
Logging In when SAML is Incorrectly Configured
If SAML authentication is enabled but the IdP or the SAML configuration in Control Hub is incorrectly configured, no organization users can log in to StreamSets using SAML authentication. In this case, a user with the Organization Administrator role can log in using local or public identity provider authentication to access the Control Hub organization SAML configuration page only.
Managing Provisioned Users and Groups
If SCIM provisioning is enabled for your organization, then you manage users and groups within your identity provider (IdP). All changes made in the IdP are automatically synchronized to StreamSets. As a result, you cannot use Control Hub to complete the following tasks:
- Invite, activate, deactivate, or delete users.
- Create or delete groups.
- Update user or group details.
- Update your display name or leave the organization in your account settings.
Although the default all group is not provisioned from the IdP, you also cannot update the display name or update the users that belong to the all group.
You do use Control Hub to assign roles and permissions to provisioned users and groups.