User login scenarios
- Applies to: All BOARD Cloud subscriptions associated with a Subscription Hub
WHAT: Login scenarios for users authenticated via external IDP
When a user logs into BOARD through an external identity provider (IDP), the following scenarios can occur:
- User authenticated with external IDP but not existing in BOARD (Direct approval enrollment only)
The user lands on the sign-in page of the Subscription Hub, enters the username used for authenticating with the external IDP, clicks on "NEXT" and is redirected to the external IDP, which authenticates the user. Once successfully authenticated, the user is redirected to BOARD, where his/her new user account is created and saved: the user is now registered in the Subscription Hub. When the new account is created, the Subscription Hub imports all user information from the external IDP as per the configuration in the Identity Provider Federation section and assigns the permissions configured in the Default authorizations page.
- User not authenticated with external IDP and not existing in BOARD (Direct approval enrollment only)
The user lands on the sign-in page of the Subscription Hub, enters the username used for authenticating with the external IDP, clicks on "NEXT" and is redirected to the external IDP login page. He/she then enters his/her credentials and, once successfully authenticated, is redirected back to BOARD, where his/her new user account is created and saved: the user is now registered in the Subscription Hub. When the new account is created, the Subscription Hub imports all user information from the external IDP as per the configuration in the Identity Provider Federation section and assigns the permissions configured in the Default authorizations page.
- User not authenticated with external IDP and existing in BOARD
The user lands on the sign-in page of the Subscription Hub, enters the username used for authenticating with the external IDP, clicks on "NEXT" and is redirected to the external IDP login page. He/she then enters his/her credentials and, once successfully logged in, is redirected back to BOARD.
- User authenticated with external IDP and existing in BOARD
The user lands on the sign-in page of the Subscription Hub, enters the username used for authenticating with the external IDP, clicks on "NEXT" and is redirected directly into BOARD.
Whenever an existing user logs into BOARD through an external IDP, the information in his/her User profile panel is overwritten with the most recent information imported from the external IDP as per configuration in the Identity Provider Federation section.
In all cases mentioned above, the ID token provided by the external IDP during user login must contain a specific assertion claim key: its value must match the accountname value stored in the User account within the Subscription Hub. This information is mandatory, case-sensitive and must be properly formatted: if those values don't match or are missing, users won't be able to access BOARD and, if a direct approval enrollment process is active, no user account will be created at login.
Required claims for SAML2-based IDPs are different from those required for OIDC-based IDPs.
For SAML2-based IDPs please ensure that the ID token generated during user login contains a valid value for either the "sub" claim or the "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" claim.
For OIDC-based IDPs please ensure that the ID token generated during user login contains a valid value for either the "sub" claim or the "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" claim. If the claims mentioned above are missing (null response) or return an empty or whitespace value, the Subscription Hub identity provider will look for valid data in the claim specified in the "nameClaimType" claim (default value: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name").
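The claim-resolution and matching rules described above, as an added example written for this page (not BOARD's own code): the claim names are the ones quoted above, while the token represented as a dict, the stored-accountname lookup and the direct-approval handling are assumed simplifications.

```python
# Added example, not BOARD's implementation. Models which claim the Subscription
# Hub uses to identify a user and what happens when it is missing or mismatched.

NAME_IDENTIFIER_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
DEFAULT_NAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def _usable(value):
    """A claim is valid only if it is a non-empty, non-whitespace string (null, "", "  " all fail)."""
    return isinstance(value, str) and value.strip() != ""


def resolve_identity_claim(claims, oidc=True, name_claim_type=DEFAULT_NAME_CLAIM_TYPE):
    """Return the identifying claim value the Hub would use, or None if there is none.

    Order: "sub", then the nameidentifier claim. Only for OIDC IDPs does the lookup
    fall back to the claim named by nameClaimType when the first two are absent or blank.
    """
    keys = ["sub", NAME_IDENTIFIER_CLAIM]
    if oidc:
        keys.append(name_claim_type)
    for key in keys:
        value = claims.get(key)
        if _usable(value):
            return value
    return None


def login_decision(claims, stored_accountname, direct_approval=False, oidc=True):
    """Map a token's claims and the Hub's stored accountname (None = no account) to an outcome.

    Assumed simplification: the caller has already validated the token signature.
    """
    identity = resolve_identity_claim(claims, oidc=oidc)
    if identity is None:
        # Missing/blank claim: no access and no account created, even with direct approval.
        return "denied: no usable identity claim"
    if stored_accountname is None:
        # Unknown user: an account is created only under direct approval enrollment.
        return "created: new account registered" if direct_approval else "denied: unknown user"
    if identity != stored_accountname:  # case-sensitive, as the documentation states
        return "denied: claim does not match accountname"
    return "allowed: profile refreshed from IDP"
```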