SSO SAML Behaviors and Troubleshooting

The fields referenced here are in the Manage User Information window of the Classic UI; the steps for opening that window are at the end of this page.

SSO Logging

Logs for SSO are found in <drive>:\Enterworks\logs\enable2020\enable-web-server-services\<date-time>-log-enable-web-server-service.log.

User's Group Order

When user groups are added to or removed from a user, EnterWorks preserves the order of the remaining groups as set in the Manage User Information window.

Just In Time (JIT) Provisioning (Automatic Provisioning)

When Just In Time (JIT) provisioning (also known as Automatic provisioning) is enabled, EnterWorks relies on the IDP to authenticate users and uses the group list in the IDP's SAML response to manage each user's user group assignments.

The process of authorization is as follows:

  1. The IDP sends a SAML response to EnterWorks.
  2. EnterWorks checks whether the user exists in the EnterWorks system.
    • If the username exists in EnterWorks, the login is authorized and EnterWorks updates the user's list of user groups to match the list of user groups in the IDP response.

    • If the username does not exist, EnterWorks checks whether the IDP response contains one or more groups that exist in EnterWorks.

      • If the IDP response contains no group that exists in EnterWorks, the login is not authorized.

      • If one or more of the groups exist, the login is authorized, the user is created, and EnterWorks sets the user's list of user groups to match the list of user groups in the IDP response.

When an existing EnterWorks user logs into EnterWorks, EnterWorks verifies with the IDP that the user exists in the IDP's directory and requests the list of groups the user belongs to. For each group on the returned list that exists in EnterWorks, EnterWorks adds the user to that group if the user is not already in it. EnterWorks then removes the user from any EnterWorks group that is not on the list returned from the IDP. Groups in the IDP response that do not exist in EnterWorks are ignored.

For a user to be authenticated, the user must belong to at least one group in the IDP, and that group must also exist in EnterWorks. If none of the user's IDP groups exist in EnterWorks, the user is not authenticated.
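The following is an added example, not EnterWorks code: it encodes the JIT provisioning rules above so the outcome of a given SAML response (authorized or not, and the resulting group list) can be checked offline before a real IDP is wired up. It assumes the SAML response has already been signature-validated and reduced to a username plus a list of group names, that group names match by exact string, and that groups newly added to an existing user are appended after the groups the user already had (the page only says existing order is preserved). It also applies the "at least one matching group" rule to existing users, not just new ones, so a login that would strip every group is refused rather than leaving the account with no groups; that reading is an assumption.

```python
"""Model of the EnterWorks JIT (automatic) provisioning decision.

Added example, not EnterWorks code. The EnterWorksState and the sample
users/groups below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class EnterWorksState:
    """Minimal stand-in for the EnterWorks user store (constructed sample)."""
    groups: set                                 # group names that exist in EnterWorks
    users: dict = field(default_factory=dict)   # username -> ordered list of groups


@dataclass
class Decision:
    authorized: bool
    reason: str
    groups_after: list


def jit_login(state: EnterWorksState, username: str, idp_groups: list) -> Decision:
    """Apply the page's JIT rules to one login and, if authorized, sync the user's groups.

    idp_groups is the list of group names carried in the IDP's SAML response
    (assumed already validated and extracted by the SAML layer).
    """
    # Deduplicate while keeping the IDP's order, then split into groups EnterWorks
    # knows about and groups it will ignore.
    requested = list(dict.fromkeys(idp_groups))
    matching = [g for g in requested if g in state.groups]
    ignored = [g for g in requested if g not in state.groups]

    # Rule from the final paragraph: at least one IDP group must exist in EnterWorks.
    # Assumption: applied to existing users as well as new ones, so the store is
    # left untouched when the response would remove every group.
    if not matching:
        return Decision(
            False,
            f"no IDP group exists in EnterWorks; ignored={ignored}",
            list(state.users.get(username, [])),
        )

    existed = username in state.users
    current = state.users.get(username, [])
    retained = [g for g in current if g in matching]      # existing order preserved
    added = [g for g in matching if g not in current]      # assumption: appended at end
    removed = [g for g in current if g not in matching]    # not in IDP response -> removed
    synced = retained + added
    state.users[username] = synced

    kind = "existing user" if existed else "new user created"
    return Decision(True, f"{kind}; added={added} removed={removed} ignored={ignored}", list(synced))


if __name__ == "__main__":
    # Constructed sample store: three groups, one pre-existing user.
    store = EnterWorksState(
        groups={"Catalog Editors", "Approvers", "Admins"},
        users={"jdoe": ["Admins", "Approvers"]},
    )
    scenarios = [
        ("asmith", ["Catalog Editors", "HR"]),          # new user, one matching group
        ("bnew", ["HR"]),                               # new user, nothing matches
        ("jdoe", ["Approvers", "Catalog Editors"]),     # existing user, groups re-synced
        ("jdoe", ["Finance"]),                          # existing user, nothing matches
    ]
    for user, groups in scenarios:
        d = jit_login(store, user, groups)
        print(f"{user:7} {groups!s:35} -> authorized={d.authorized} groups={d.groups_after} ({d.reason})")
```

The third scenario is the one worth watching in a real deployment: an existing administrator whose IDP response no longer lists Admins silently loses that group on the next login, which is the intended behaviour but is easy to mistake for a bug when reading the SSO log.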

Open the Manage User Information Window

To open the Manage User Information window:

  1. Log into the Classic UI.
  2. Open the Feature bar, open the Users and Groups tab, and click Users to open the Users tab.
  3. Double-click a user's Login to open the user's record for editing. The Manage User Information window will open.