Managing Users with SAML/SSO
Dropzone AI supports most SAML Identity Providers (IDPs). When using SAML, your Identity Provider enforces both authentication ("authn") and authorization ("authz"). An individual clicks a SAML login button, is authenticated against your IDP, and your IDP then sends them back to Dropzone along with cryptographically signed information indicating who they are and what role they should have.
When using SAML, we suggest not simultaneously allowing logins via username/password or the Google/Microsoft federation buttons, so that user management and role management stay consistent.
SAML Attributes
Your SAML provider must provide the following attributes:

Your IDP must send the user's email address as the "Name ID" field, in EMAIL format.
SAML Configuration
All SAML connections require that the IDP (your SAML provider) and the SP (the Dropzone environment) exchange some values to establish security.
These can be exchanged via your support representative.
SAML troubleshooting
Debugging SAML logins is tricky because so much of what happens is inside large XML-encoded blobs carried in HTTP. We suggest using the SAML Chrome Panel to help debug.
Install the Chrome extension.
Open the Chrome developer tools panel.
Go to your tenant, e.g. https://mycompany.dropzone.app/
The "SAML" panel should open in the developer tools; click it.
Click your SSO login button.
Look in the SAML panel to see what data your IDP is sending to Dropzone:
  It must have your email address in the saml2:Subject section.
  It must include all the attributes listed in the table above (first_name, dropzone_role, etc.).
Here we have a user Wendell Bagg with email address [email protected] logging in. He will receive the admin role on Dropzone AI.
You may find when working on SAML that it is easiest to start testing with hard-coded attributes on a user's profile before moving to group-based algorithms that select attributes.
SAML settings always override any locally applied settings in Team Admin. This means that if dropzone_admin is not sent correctly, a user's role is removed when they log in with SSO, which is equivalent to being denied access.
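The two checks above (the email address must be the NameID in the saml2:Subject, and the required attributes must be present) and the override behaviour (a missing role attribute removes the user's role) can be exercised offline against a decoded assertion. The following is an added example, not code from Dropzone AI: it parses a constructed sample assertion of the kind the SAML panel displays, reports what is missing, and resolves the effective role fail-closed. The attribute names first_name and dropzone_role come from this page; the full required-attribute table is not reproduced here, so REQUIRED_ATTRIBUTES and the sample email address are assumptions. This is a content check only; it does not verify the XML signature, which the SP does when it accepts the assertion.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# first_name and dropzone_role are named on the page; the rest of the
# attribute table is not reproduced there, so this tuple is an assumption.
REQUIRED_ATTRIBUTES = ("first_name", "dropzone_role")

# Constructed sample assertion (decoded, as the SAML panel shows it).
# The email address is made up for the example.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">wendell.bagg@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="first_name">
      <saml2:AttributeValue>Wendell</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="dropzone_role">
      <saml2:AttributeValue>admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_assertion(xml_text):
    """Pull the NameID (with its Format) and all attribute values out of an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {
        "name_id": None if name_id is None else (name_id.text or "").strip(),
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attrs,
    }


def check_assertion(parsed):
    """Return a list of problems; an empty list means the assertion carries what the page requires."""
    problems = []
    if not parsed["name_id"]:
        problems.append("missing saml2:Subject/NameID")
    elif parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format is {parsed['name_id_format']!r}, expected email format")
    elif "@" not in parsed["name_id"]:
        problems.append("NameID is not an email address")
    for name in REQUIRED_ATTRIBUTES:
        if not any(parsed["attributes"].get(name, [])):
            problems.append(f"missing attribute {name}")
    return problems


def effective_role(parsed):
    """Fail closed: SAML overrides local settings, so a missing or empty role means no role at all."""
    values = [v for v in parsed["attributes"].get("dropzone_role", []) if v]
    return values[0] if values else None


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("problems:", check_assertion(parsed) or "none")
    print("effective role:", effective_role(parsed))
```

When testing a new IDP configuration, paste the decoded assertion from the SAML panel into SAMPLE_ASSERTION and run the script; an empty problem list and a non-empty role are what a successful login needs.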
We suggest testing SSO with just one user and making it work before encouraging others.
Getting Help
If you have any questions about which login options are right for you, engage your Dropzone AI support representative at [email protected]