Below you will find answers to some common questions we have received since the SAML implementation.
1. What is the difference between LDAP (Active Directory) and SAML?
a. The SAML Azure integration is the recommended SSO option for Microsoft users. With LDAP, you must open a firewall and keep that firewall open to our IP address in order to sync user information on a nightly basis. This is not needed with our SAML integration.
b. With LDAP you must sync all staff members up front and have accounts created for each, even though some may not utilize the program. This has the potential to create bloat within both the Users sections within ML Work Orders. With SAML, user accounts will only be created once the staff member attempts to log in to ML Work Orders for the first time.
c. With Active Directory, users still need to log in with an AD username and their AD password on the login page. With SAML they can simply select the "Log In with Microsoft" button on the login page and do not need to enter any credentials. With SAML they are also able to log in through the Microsoft "My Apps" Portal. You can have an ML Work Orders app icon show within Microsoft and once that is selected, it will bypass the login page and log the user into ML Work Orders.
2. Do I need to implement both LDAP and SAML for my organization? I currently have LDAP setup and want to implement SAML instead.
Active Directory is not needed if you would like to utilize SAML. User requests, profiles, etc. will not be impacted by implementing any SSO changes. If you have the existing LDAP integration configured then you have three options:
a. Delete the LDAP settings once SAML is configured
If you completely delete the AD setup then users will no longer be able to use their AD username and password on the login page to access ML Work Orders. Instead they would be forced to select the "Log in with Microsoft" button on the login page. They would also be able to access ML Work Orders through the Microsoft "My Apps" Portal.
b. Implement both LDAP and SAML
If you keep the AD setup then users can log in by either entering their AD credentials or utilizing the button.
c. Turn off the LDAP sync and configure SAML
If you decide to turn off the LDAP sync so that you can close your inbound connection to your firewall, any existing users can still log in using either their AD credentials or by utilizing the Microsoft login button. Any new users added to AD from that point forward would not be able to use their AD credentials on the homepage and must utilize the Microsoft button on the login page or log in via the Microsoft My Apps portal.
3. What is the difference between the existing Google SSO integration I have configured and the SAML Google SSO integration?
a. With the existing Google SSO (OAuth 2.0) you must sync all staff members up front and have accounts created for each, even though some may not utilize the program. This has the potential to create bloat within both the Users sections within ML Work Orders. With SAML, user accounts will only be created once the staff member attempts to log in to ML Work Orders for the first time.
b. The Google SSO integration you have set up right now is using OAuth 2.0 (a different authentication method). With this new SAML option (IdP Authenticated), your staff members would also be able to access our systems through the Google Apps portal.
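The account-creation difference described in questions 1(b) and 3(a), shown as an added example that is not part of this FAQ or of ML Work Orders itself: a directory sync creates an account for every staff member up front, while a SAML login creates the account only when that person first signs in. The user store, the e-mail-based matching rule, and the sample directory are constructed assumptions for illustration.

```python
"""Constructed illustration of the two provisioning models the FAQ contrasts:
a nightly directory sync (LDAP / OAuth 2.0) that creates every staff account
in advance versus just-in-time creation on a user's first SAML login.
Matching accounts by lowercase e-mail is an assumption, not product behaviour."""
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    display_name: str
    source: str          # "ldap" (created by sync) or "saml" (created at first login)
    logins: int = 0


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)   # keyed by normalised e-mail

    @staticmethod
    def key(email):
        return email.strip().lower()

    def find(self, email):
        return self.users.get(self.key(email))

    def add(self, user):
        k = self.key(user.email)
        if k in self.users:
            raise ValueError(f"duplicate account for {k}")
        self.users[k] = user
        return user


def sync_all_from_directory(store, entries):
    """Pre-sync model: every directory entry becomes an account, whether or not
    the person ever uses the application. Returns the number created."""
    created = 0
    for entry in entries:
        if store.find(entry["mail"]) is None:
            store.add(User(entry["mail"], entry["displayName"], "ldap"))
            created += 1
    return created


def saml_login(store, attrs):
    """Just-in-time model: `attrs` stands for the attribute statement of an
    assertion that has already been verified (signature, audience, validity
    window). An account is created only if none exists for that e-mail, so a
    user already synced from the directory is linked rather than duplicated."""
    email = attrs.get("email")
    if not email:
        raise ValueError("assertion carries no email attribute; refusing login")
    user = store.find(email)
    if user is None:
        user = store.add(User(email, attrs.get("name", email), "saml"))
    user.logins += 1
    return user


def demo():
    """Five constructed staff members, two of whom actually sign in.
    Returns (accounts after full sync, accounts after SAML-only logins)."""
    directory = [{"mail": f"user{i}@example.edu", "displayName": f"User {i}"}
                 for i in range(1, 6)]
    presync = UserStore()
    sync_all_from_directory(presync, directory)

    jit = UserStore()
    for attrs in ({"email": "User1@example.edu", "name": "User 1"},
                  {"email": "user2@example.edu", "name": "User 2"},
                  {"email": "user1@example.edu", "name": "User 1"}):  # repeat login
        saml_login(jit, attrs)
    return len(presync.users), len(jit.users)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives five accounts under the sync model and two under the just-in-time model; the repeat login for `user1` increments that user's login count instead of creating a second account, and a SAML login for someone already created by the sync reuses the existing record, which is the behaviour you want when both integrations are active.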