Hi,
We’re looking to setup both SAML and local AD authentication on the same DMS. The SAML authentication would be used for any external customers, while the local AD contains the internal people.
In order to avoid both authentication methods on the same DMA and cause confusion, we’re looking to use a specific DMA to be the point of contact for external people, and only connect that DMA with SAML authentication. Other DMAs in the DMS would not be configured with SAML authentication.
However, as the DMAs are into the same DMS, do we risk any conflicts if a SAML user with the same username would be added as would already exist on the local AD? What specific conditions should we watch out for?
Thx
Hi Leander,
It is possible to configure different authentication methods on different DMAs in the DMS. The entire DMS can be set up with regular AD authentication and one specific DMA which is accessible to external users can then be configured with SAML with automatic user creation. This will then create & sync the users which log in through SAML as local users on the DMS.
There is indeed a risk of conflict as you’ve mentioned. The usernames between the AD users and the SAML created users should not overlap to avoid syncing issues on the system.
When using SAML with automatic user creation, DataMiner relies on the username provided by the Identity Provider to which we redirect the SAML login. So overlap could potentially be avoided through its configuration.
With Kind Regards,
These would be seen as different usernames.
Something to be cautious of however is multiple users on Azure AD which share the same first name & last name. As there is a known issue in which they can not be properly imported on the DMA.
All users will indeed be synchronized throughout the DMS as part of the security.xml. As each DMA needs to check authorization rights by itself.
However the Azure AD SAML users can not be used to login on any DMA which does not have the SAML authentication.
The server which is configured to utilize SAML can be a part of the domain. The Azure AD or the automatic user creation should be configured in the DataMiner.xml however, as documented in the initial response.
Thanks for the reply, Simon. Just to make sure I have this right, if I would have a leander.druwel@skyline.be on Azure AD and domainnameleander account, these would be seen as different? Or is the username still a different field that can be configured?
Additionally, on the synchronization within the DMS, I assume all users will still be synchronized throughout the full DMS, however you simply won’t be able to login if the identify cannot be verified. For the DMA that would be connected to SAML, that server can still be into the domain? (Or would that cause issues as it could still verify the identity for both Azure and local AD)