
Allow Not-Registered Users to Access Veridium Self Service Portal (SSP) via External IdP Authentication

Summary

Many customers use external Identity Providers (IdPs) for authentication in the Veridium Self Service Portal (SSP). Currently, SSP grants access only to users already registered in Veridium. This feature extends SSP to permit access for not-registered users, so that they can initiate enrollment of Veridium credentials themselves.
Example use case: users in an Entra hybrid-joined domain can authenticate to Veridium with their Entra-side credentials, without prior Veridium account enrollment.

Current process

  1. After validating the SAML token, SSP calls Websec to verify the user status based on the subject received in the SAML token.

  2. In the current version, if the user is not registered in Veridium, Websec returns "user not found," and access to SSP is denied.

Implementation Details

  • Introduce a new API in Websec that verifies the user and creates the profile when necessary.
    The endpoint is exposed at /enterprise/friend/GetOrCreateStaticProfile.

  • Ensure the API maintains existing group synchronization, permissions, and access rules.

  • Modify SSP authentication flow to use the new API instead of the current verification call.

  • Ensure existing workflows that rely on user verification remain unaffected.

  • The method should follow these steps:

    1. Check whether a profile already exists, matching on the implicit UPN or the external ID.

    2. If no profile is found, retrieve the external identity details through the IdP adaptor.

    3. Create a new profile only if profile creation on external authentication is enabled and the user details were returned by the adaptor.

    4. Validate the account status, so that only active accounts can proceed (this applies to both existing and newly created profiles).

    5. Return the profile if it was found or successfully created; otherwise deny access.
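The following is an added, illustrative model of the five steps above, written for this page; it is not Veridium's Websec code. The names ProfileStore, IdpAdaptor, get_or_create_static_profile and the sample directory contents are assumptions made for the example, and the in-memory store and adaptor stand in for the real profile database and IdP adaptor. The point it makes explicit is that with the creation flag on, the only things standing between an IdP-asserted subject and a usable SSP session are the adaptor lookup and the account-status check.

```python
# Example get-or-create profile flow modelled on the five steps in the text.
# Example code only, not Veridium's implementation; all names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ExternalIdentity:
    """User details as returned by the external IdP adaptor (assumed shape)."""
    upn: str
    external_id: str
    enabled: bool          # account enabled on the IdP side


@dataclass
class Profile:
    """A Veridium-side profile record (assumed shape)."""
    upn: str
    external_id: str
    status: str            # "active" or "disabled"


class AccessDenied(Exception):
    """Raised on every path where the flow must deny access to SSP."""


class ProfileStore:
    """In-memory stand-in for the profile database, searchable by UPN or external ID."""

    def __init__(self) -> None:
        self._profiles: List[Profile] = []

    def find(self, upn: Optional[str], external_id: Optional[str]) -> Optional[Profile]:
        for p in self._profiles:
            if (upn and p.upn.lower() == upn.lower()) or \
               (external_id and p.external_id == external_id):
                return p
        return None

    def create(self, ident: ExternalIdentity) -> Profile:
        # Status is derived from the IdP-side enabled flag; step 4 enforces it.
        profile = Profile(ident.upn, ident.external_id,
                          "active" if ident.enabled else "disabled")
        self._profiles.append(profile)
        return profile

    def count(self) -> int:
        return len(self._profiles)


class IdpAdaptor:
    """Stand-in for the adaptor that queries the external directory."""

    def __init__(self, directory: List[ExternalIdentity]) -> None:
        self._by_upn = {i.upn.lower(): i for i in directory}
        self._by_ext = {i.external_id: i for i in directory}

    def lookup(self, upn: Optional[str], external_id: Optional[str]) -> Optional[ExternalIdentity]:
        if upn and upn.lower() in self._by_upn:
            return self._by_upn[upn.lower()]
        if external_id and external_id in self._by_ext:
            return self._by_ext[external_id]
        return None


def get_or_create_static_profile(upn: Optional[str], external_id: Optional[str],
                                 store: ProfileStore, adaptor: IdpAdaptor,
                                 create_when_authenticated_externally: bool) -> Profile:
    # Step 1: look for an existing profile by implicit UPN or external ID.
    profile = store.find(upn, external_id)

    if profile is None:
        # Step 2: not found, so ask the adaptor for the external identity.
        ident = adaptor.lookup(upn, external_id)
        # Step 3: create only when the flag is on AND the IdP returned details.
        if not create_when_authenticated_externally:
            raise AccessDenied("profile not found and external profile creation is disabled")
        if ident is None:
            raise AccessDenied("profile not found and the external IdP returned no user details")
        profile = store.create(ident)

    # Step 4: only active accounts proceed, whether found or just created.
    if profile.status != "active":
        raise AccessDenied(f"account {profile.upn} is {profile.status}")

    # Step 5: every other path raised AccessDenied; return the usable profile.
    return profile


def is_denied(upn, external_id, store, adaptor, flag) -> bool:
    """True if the flow denies access for this subject (helper for checks)."""
    try:
        get_or_create_static_profile(upn, external_id, store, adaptor, flag)
        return False
    except AccessDenied:
        return True


def build_sample_environment() -> Tuple[ProfileStore, IdpAdaptor]:
    """Constructed sample data: two registered profiles, three IdP-side identities."""
    store = ProfileStore()
    store.create(ExternalIdentity("alice@corp.example", "ext-alice", True))   # registered, active
    store.create(ExternalIdentity("dave@corp.example", "ext-dave", False))    # registered, disabled
    adaptor = IdpAdaptor([
        ExternalIdentity("alice@corp.example", "ext-alice", True),
        ExternalIdentity("bob@corp.example", "ext-bob", True),      # known to IdP, not registered
        ExternalIdentity("carol@corp.example", "ext-carol", False), # known to IdP, disabled there
    ])
    return store, adaptor


if __name__ == "__main__":
    store, adaptor = build_sample_environment()
    for upn in ("alice@corp.example", "bob@corp.example", "carol@corp.example", "eve@corp.example"):
        print(upn, "denied" if is_denied(upn, None, store, adaptor, True) else "allowed")
```

Note that with the flag on, a subject the IdP reports as disabled still gets a profile row created before step 4 denies it; an implementation that would rather not persist disabled accounts can check the adaptor's enabled flag before creating. With the flag off, the function behaves like the current verification call: any subject without a profile is denied.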

Expected Benefits

  • Seamless onboarding for new users via external IdP authentication.

  • Improved user experience by enabling credential enrollment within SSP.

  • Enhanced flexibility for customers managing access via external IdPs.


Make sure the profile-creation flag is enabled under Settings / General / “Create profile When Authenticated Externally”. With this flag on, a profile can be created for any subject the trusted IdP asserts, so the SAML validation and the account-status check above are what decide who gets into SSP; with it off, the flow denies unregistered users as before.
