User Identities when using SAML2

One of the key concepts to understand when using SAML2 is how VQCM knows who the user is.

When a user authenticates, VQCM has no visibility into the process. All VQCM learns is that a user authenticated successfully, and the identity of that user. VQCM never sees the credentials presented; those are handled entirely by the Identity Provider. VQCM is not even told about failed authentications; it only hears about successful ones. When authentication succeeds, the result of the process includes the identity of the authenticated user. VQCM uses that identity to look up the users imported from AD/LDAP; if there is a match, VQCM knows who the user is and, from that, details such as their Tenant and Space. If there is no match, VQCM cannot identify the user even though the Identity Provider authenticated them.

When using SAML2, you therefore need to do the following (this is a generalized overview):

  1. Provision your SAML2 Service Provider with users from your AD/LDAP source of truth.
  2. Provision VQCM using the same AD/LDAP settings.
  3. Ensure that the identity returned by a successful SAML2 authentication matches the user identity (login name) configured on VQCM’s LDAP Config page. This would normally be “sAMAccountName” on Active Directory or “uid” on an OpenLDAP system, so that a value such as “mike6666” is both imported from AD/LDAP and returned by the successful SAML2 authentication.
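The following is an added example, not VQCM's own code, of the lookup the steps above describe: take the identity from a successful SAML2 Response and match it against users imported from AD/LDAP, keyed by the login attribute chosen on the LDAP Config page. The LDAP user table, the SAML Response XML, the field names and the tenant/space values are all constructed for the example; the identity is read from the assertion's NameID, which is an assumption about where the IdP places it. Signature, audience and validity checks on the Response are assumed to have already passed in the SP library; an unsigned sample is used here only so the lookup can run offline. The example also shows the most common failure mode: the IdP returns a UPN such as "mike6666@example.com" while the LDAP login attribute holds "mike6666", so the exact-match lookup fails.

```python
"""Added example (not VQCM code): resolve a SAML2 identity against
users imported from AD/LDAP. All sample data below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed: what an AD/LDAP import might produce, keyed by the login
# attribute configured on the LDAP Config page (sAMAccountName here).
LDAP_USERS = {
    "mike6666": {"dn": "CN=Mike Six,OU=Users,DC=example,DC=com",
                 "tenant": "acme", "space": "engineering"},
    "jane1234": {"dn": "CN=Jane One,OU=Users,DC=example,DC=com",
                 "tenant": "acme", "space": "sales"},
}

# Constructed: a minimal, unsigned SAML2 Response. A real Response is
# signed; signature, audience and validity checks must pass in the SP
# library before the NameID below is trusted. That is assumed here.
SAML_RESPONSE_OK = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mike6666</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: same Response, but the IdP was configured to send the UPN.
SAML_RESPONSE_UPN = SAML_RESPONSE_OK.replace(">mike6666<", ">mike6666@example.com<")


def extract_identity(response_xml):
    """Return the NameID of a successful Response, or None.

    A non-Success status yields None: the page's point is that only
    successful authentications carry an identity worth looking up.
    """
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip()


def resolve_user(identity, users=LDAP_USERS):
    """Exact-match lookup of the SAML identity against the LDAP import.

    Returns (user_record, reason). On a miss the reason explains why,
    so an IdP/LDAP attribute mismatch is diagnosable from the log.
    """
    if identity is None:
        return None, "no identity in response"
    if identity in users:
        return users[identity], "matched"
    local_part = identity.split("@", 1)[0]
    if "@" in identity and local_part in users:
        return None, (f"IdP returned '{identity}' but the LDAP login attribute "
                      f"holds '{local_part}'; align the IdP NameID and the "
                      f"VQCM login attribute so both sides return the same value")
    return None, f"no AD/LDAP-imported user with login '{identity}'"


if __name__ == "__main__":
    for resp in (SAML_RESPONSE_OK, SAML_RESPONSE_UPN):
        ident = extract_identity(resp)
        user, why = resolve_user(ident)
        print(ident, "->", user["tenant"] + "/" + user["space"] if user else why)
```

The lookup is deliberately an exact string match. Whether the real product normalises case (AD treats sAMAccountName case-insensitively) is not stated on the page, so the example does not assume it; the safe practice is to have the IdP return the attribute value exactly as it was imported.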