Managing Users under Federated Authentication
  • 28 Feb 2020

User Role Mapping

As a next step towards providing full support for Mambu-SSO integrations through SAML, we have implemented a mapping system so that Mambu Roles can be assigned to users directly from their identity provider (IdP) of choice.

In order to assign Roles when creating a user directly from your IdP, you'll need to:

  1. Make sure the user is assigned to the Mambu SAML 2.0 App in the IdP.

  2. Create the Roles you need for your organization in Mambu.

  3. Create the same Roles in the IdP (these might go by different names depending on the service you are using, e.g. Groups in Okta or appRoles in Azure AD). Use exactly the same Role Name as in Mambu: the mapping is done on the name string.

  4. Configure the IdP to send the roles to Mambu in a SAML attribute called RoleID. Check your IdP documentation for how to add a custom attribute statement.

  5. Assign the user to the respective Group/Role in the IdP.

At the first login after provisioning, we receive the user data together with the RoleID attribute containing the roles assigned in the IdP. Mambu maps the value to the Role with the exact same name, and the user is fully provisioned with the permissions of that Role.

We check the RoleID attribute at each login, so a different Role sent by the IdP is applied in Mambu at the user's next login (see the note under use case 2 below for what happens when the IdP sends no role at all).

RoleID Update
Please mind that, although Roles in Mambu now have IDs, the value of the RoleID attribute must still be the Role Name from Mambu, not the ID.
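Because the mapping is done on the exact Role Name, the usual failure is an IdP group whose name differs from the Mambu Role by case or a stray space, which Mambu will not match. The following is an added example, not Mambu's own code: a small Python pre-flight check that parses a SAML Response the way an integrator would capture it from the browser (a constructed sample is embedded), pulls out the NameID and every RoleID value, and reports exact matches, near-misses and unknown values against the Role Names you hold in Mambu. It also flags the empty-RoleID case described under use case 2, since an empty attribute does not revoke a user's previously mapped permissions. The issuer URL and the Mambu role list are constructed for the example.

```python
"""Pre-flight check for Mambu RoleID mapping (added example, not Mambu code).

Before a user's first login, confirm that what the IdP puts in the SAML
assertion (the NameID and the RoleID attribute values) lines up with the
Role Names configured in Mambu. Mambu maps on the exact Role Name, so
values that differ only in case or whitespace are reported separately
from values that do not exist at all.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTRIBUTE = "RoleID"   # the SAML attribute Mambu reads roles from

# Constructed sample SAML Response (not a real IdP message). {attributes} is
# filled with an AttributeStatement below, or left empty to simulate a user
# whose IdP Group/Role has been removed.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2020-02-28T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-02-28T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">userOKTA@mail.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2020-02-28T10:00:00Z" SessionIndex="_sess-4711">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    {attributes}
  </saml:Assertion>
</samlp:Response>"""

# One value matches a Mambu Role exactly, the other differs only in case.
ROLE_ATTRIBUTE_XML = """<saml:AttributeStatement>
      <saml:Attribute Name="RoleID">
        <saml:AttributeValue>Loan Officer</saml:AttributeValue>
        <saml:AttributeValue>teller</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>"""

SAMPLE_RESPONSE = RESPONSE_TEMPLATE.format(attributes=ROLE_ATTRIBUTE_XML)
SAMPLE_RESPONSE_NO_ROLE = RESPONSE_TEMPLATE.format(attributes="")

# Role Names as configured in Mambu (constructed for the example).
MAMBU_ROLES = ["Loan Officer", "Teller", "No permissions"]


def parse_assertion(xml_text):
    """Return (name_id, role_values, session_index) from a SAML Response or bare Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found (encrypted assertions are not handled here)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    roles = []
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            # keep values verbatim so whitespace problems stay visible
            roles.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", NS))
    authn = assertion.find("saml:AuthnStatement", NS)
    session_index = authn.get("SessionIndex") if authn is not None else None
    return name_id, roles, session_index


def check_role_mapping(xml_text, mambu_roles):
    """Classify each RoleID value the IdP sends against the Mambu Role Names."""
    name_id, roles, _ = parse_assertion(xml_text)
    exact = set(mambu_roles)
    by_folded = {r.strip().casefold(): r for r in mambu_roles}
    report = {"name_id": name_id, "matched": [], "near_miss": {}, "unknown": [], "warnings": []}
    if not name_id:
        report["warnings"].append("missing NameID: Mambu cannot match the user")
    if not roles:
        # An empty RoleID does not revoke anything: an existing user keeps the
        # permissions mapped earlier. Send a no-permission Role instead.
        report["warnings"].append("no RoleID values: existing permissions are retained in Mambu")
    for value in roles:
        if value in exact:
            report["matched"].append(value)
        elif value.strip().casefold() in by_folded:
            report["near_miss"][value] = by_folded[value.strip().casefold()]
        else:
            report["unknown"].append(value)
    return report


if __name__ == "__main__":
    print(check_role_mapping(SAMPLE_RESPONSE, MAMBU_ROLES))
    print(check_role_mapping(SAMPLE_RESPONSE_NO_ROLE, MAMBU_ROLES))
```

Run it against a Response captured from your own IdP (most IdPs offer a "preview assertion" feature) before assigning real users; a `near_miss` entry means the IdP group must be renamed to the Mambu spelling, and a `no RoleID values` warning means the user should be put in the no-permission Group/Role rather than left without one.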

Use Cases

1. Create new SSO user from IdP and assign user Role from IdP
When provisioning a new user through your IdP, to assign a Role at first login, make sure the Role has been created with the same name in both Mambu and the IdP.
After provisioning the user with a login, assign the respective Group/Role in the IdP; at first login, the user will receive the Role in Mambu as well.

2. Create new SSO user in IdP that is assigned no role in IdP. Assign Role/permissions from Mambu

If you wish to assign Roles directly from Mambu only, without creating a Group/Role in the IdP, you can still do so (until the transition to IdP-managed Roles is confirmed by all our tenants).

Please Note
If you remove the IdP Role from a user, the RoleID attribute sent at their next login is empty, and they will still retain the previously mapped permissions in Mambu: an empty attribute does not revoke anything. For this reason, we recommend you create a Group/Role in the IdP that is mapped to a Role with no permissions in Mambu and assign users to that instead of removing all roles. Alternatively, you can manually remove the Role from the user in Mambu if you wish to fully remove the permissions of a user that had a Role assigned from the IdP.
We would highly appreciate your feedback at support@mambu.com on how to make Role Management easier in light of how your particular IdP of choice works with Mambu.

3. Adding a role through IdP to an SSO user who has a Role assigned in Mambu as well.
If you already had Roles assigned to your users prior to the V9 release, you can still transition to Role mapping from your IdP directly. Just create the same Groups/Roles in your IdP and assign the users to their respective Groups/Roles.

When they first log in, we will overwrite their initially provisioned Mambu Role with the one you have set up through the IdP.


Creating API Users once Federated Authentication is enabled

When you enable Federated Authentication, creating users from the UI is fully restricted, since users should be managed only via the SSO provider. API users are the exception: they can only access Mambu with a username and password, so Federated Authentication, which relies on SAML authentication tokens, does not apply to them.

In order to create new users where the only assigned role is API Access, you can use the POST Users endpoint of our API.


User Management Use Cases

1. How to give Mambu Permissions to a new user that was only provisioned via the IdP (and does not have a Mambu password)

Given: Username userOKTA@mail.com exists in IdP and is assigned to the Mambu SAML APP. A corresponding username does not exist in Mambu.

  • On first successful login a new user will be provisioned in Mambu.
  • A welcome page will be displayed for this user. They have no access to the Mambu platform yet: the newly provisioned user has a username saved in Mambu, with no roles or permissions granted.


  • An administrator will have to give this user the necessary access rights and permissions from the Edit User section.

  • The Reset Password button and Set password fields are not displayed for these users as their passwords are managed by the IdP. The Federated Authentication and Mambu Login checkboxes are displayed and disabled, but only the Federated Authentication option is checked as this user was provisioned only via IdP.


  • Once an administrator assigns Roles and Permissions to this user, they can start a new Mambu session (only via the login with IdP link on the login screen) and use Mambu according to the rights assigned to their username.

If the email address provided via the IdP already exists in Mambu, a duplicate email address error message is displayed at first login.

2. New Federated User logs into Mambu for the first time (provisioning) - Admin/API user

Given: Username userOKTA@mail.com exists in IdP, has a password and is assigned to the Mambu SAML App. A corresponding user does NOT exist in Mambu.

  • On first successful login a new user will be provisioned in Mambu with no roles or permissions granted.
  • The welcome page will be displayed for this user and they will have no access to the Mambu platform yet.
  • An Administrator will have to give this user the API / Admin access rights and the required permissions from the Edit User section.
  • Set password fields (Password and Confirm Password) are displayed for these users, as their password is managed by both the IdP and Mambu.
  • Federated Authentication and Mambu Login options are displayed, both checked and not editable.
  • After that, the user can start a Mambu session using the IdP link on the login screen or their Mambu credentials.


Please Be Aware
Login via API using federated credentials is not supported. Only Mambu credentials can be used.

3. Mambu user logs in with Federated Authentication for the first time (provisioning)

Given: Username userOKTA@mail.com exists in Mambu (having access rights for Mambu and right permissions). A corresponding user exists also in the IdP, has a password, and is assigned to the Mambu SAML App.

  • During the login process, the IdP must send the username userOKTA@mail.com as the NameID (the persistent identifier, in SAML terms); this is how Mambu matches the assertion to the existing user.
  • If the federated authentication is successful, Mambu will start a session (inside the banking platform) for this existing user.
  • The user will continue to have the same role and permissions assigned as they did previously and their password will no longer be maintained by Mambu.
Please Note:
If the user has Admin/API rights, they can log in to the application using either IdP or Mambu credentials; otherwise, logging in with Mambu credentials is not allowed.

4. Former Mambu non-admin user, now FA user tries to login with former Mambu credentials

Given: Username userOKTA@mail.com exists in Mambu (having access rights for Mambu and a permission set which does not include Admin/API rights). A corresponding user also exists in the IdP, has a password, and is assigned to the Mambu SAML App.

  • During the login process, the IdP must send the username userOKTA@mail.com as the NameID (the persistent identifier, in SAML terms).
  • The regular user tries to use Mambu credentials while Federated Authentication is enabled: the login is refused and an error message is displayed.


Please Note:
The Support user will be able to login using Mambu credentials regardless of whether Federated Authentication is activated or not.

5. Users cannot be created via UI or API (v1.0) public calls

Given: A user with API rights tries to use Mambu credentials while the Federated Authentication is enabled to create a new user by using the public call:
POST: https://[tenantID].[environment].mambucloud.com/api/users

Response:
{"returnCode": 3500, "returnStatus": "CANNOT_CREATE_NEW_USER_IN_FEDERATED_CONTEXT"}

  • A user with Mambu rights and the permission to create new users tries to create a new user from the UI (Mambu application):
  • The option Users is not available in the Create menu
  • The button Create new user is not displayed under Access > Users
  • The old create users link (#createuser) is no longer available
Please Note
If the user is not an Admin and doesn't have the Create User permission the error message regarding the missing permission (Access Denied. Missing Permission(s): CREATE_USER) is displayed first. Once permission is granted the user will be shown the error message CANNOT_CREATE_NEW_USER_IN_FEDERATED_CONTEXT.

6. Admin tries to disable the Single Sign On for the organization

Given: An Administrator user tries to disable Federated Authentication from the UI by unchecking the option Federated Authentication (SSO) and clicking Save Changes.


Please Note
Once SSO has been enabled for an organisation, this action cannot be reversed, not even by an Administrator.

7. User logs out and re-logins without Single Log Out enabled using FA credentials

Given: Username userOKTA@mail.com exists in Mambu (having access rights and permissions for Mambu but without Admin or API rights). A corresponding user exists also in the IdP, has a password, and is assigned to the Mambu SAML App. Single Logout feature is not enabled.

  • Log in to the Mambu application using FA credentials
  • Log out of the Mambu application
  • From the login form, click the IdP login link again: the user is redirected directly to the dashboard without re-entering credentials, because the IdP session was never terminated and is still active.

8. Single Logout for a user that has only SSO

Given: Username userOKTA@mail.com exists in Mambu (having access rights for Mambu and valid permissions - without Admin/API rights). A corresponding user also exists in the IdP, has a password and is assigned to the Mambu SAML App.

  • During the login process, the IdP must send the username userOKTA@mail.com as the NameID (the persistent identifier, in SAML terms).
  • The user logs in to Mambu using FA credentials
  • When the user logs out, the SSO session identified by the session index is invalidated at the IdP and the local Mambu session ends
  • At the next login, the user needs to re-enter their credentials
Please Note:
All the applications within the session index will get a logout request (if they support it).
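The sequence above works because the IdP tags the login with a SessionIndex in the assertion's AuthnStatement, and the service provider echoes that SessionIndex in its logout request so the IdP can end exactly that session. As an added example (standard SAML 2.0, not Mambu's own code; the binding and signing details Mambu uses are not stated on this page), here is how a service provider builds an SP-initiated LogoutRequest, carries it over the HTTP-Redirect binding, and how to decode a SAMLRequest captured from a redirect URL when troubleshooting SLO. The entity ID and SLO URL are hypothetical placeholders, and the XML signature a production deployment needs is omitted.

```python
"""SP-initiated SAML 2.0 Single Logout request (added example, not Mambu code).

The IdP identifies a login by the SessionIndex it placed in the assertion's
AuthnStatement; the service provider echoes that SessionIndex in a LogoutRequest
so the IdP ends that session (and notifies the other applications in it). Without
a terminated IdP session the next click on the IdP login link signs the user
straight back in, which is the behaviour seen when Single Logout is disabled.
The signature required in production is deliberately left out.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Hypothetical endpoints for the example; take the real values from your metadata.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
IDP_SLO_URL = "https://idp.example.com/saml/slo"


def build_logout_request(name_id, session_index, sp_entity_id=SP_ENTITY_ID,
                         idp_slo_url=IDP_SLO_URL, name_id_format=PERSISTENT,
                         request_id=None, issue_instant=None):
    """Return the (unsigned) LogoutRequest XML as a string."""
    if request_id is None:
        request_id = "_" + uuid.uuid4().hex   # xs:ID must not start with a digit
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}LogoutRequest" % NS_SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_slo_url,
    })
    ET.SubElement(req, "{%s}Issuer" % NS_SAML).text = sp_entity_id
    ET.SubElement(req, "{%s}NameID" % NS_SAML, {"Format": name_id_format}).text = name_id
    # The SessionIndex is what ties this request to the login the IdP issued.
    ET.SubElement(req, "{%s}SessionIndex" % NS_SAMLP).text = session_index
    return ET.tostring(req, encoding="unicode")


def encode_redirect_binding(xml_text):
    """SAMLRequest query value: raw DEFLATE (no zlib header), then base64."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_binding(saml_request):
    """Inverse of encode_redirect_binding, for inspecting a captured SAMLRequest."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def parse_logout_request(xml_text):
    """Pull the fields that matter when debugging SLO out of a LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS_SAMLP:
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("{%s}Issuer" % NS_SAML),
        "name_id": root.findtext("{%s}NameID" % NS_SAML),
        "session_index": root.findtext("{%s}SessionIndex" % NS_SAMLP),
    }


if __name__ == "__main__":
    xml = build_logout_request("userOKTA@mail.com", "_sess-4711")
    on_the_wire = encode_redirect_binding(xml)
    print(parse_logout_request(decode_redirect_binding(on_the_wire)))
```

When SLO does not end the IdP session, decode the SAMLRequest from the redirect and check that `session_index` is present and equals the SessionIndex the IdP sent at login; a request without it, or with a NameID that does not match the one in the assertion, is the usual reason an IdP ignores the logout.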

9. Single Logout for a user that is logged in with Mambu Credentials (Admin or API rights)

Given: Username userOKTA@mail.com exists in Mambu (having access rights for Mambu and valid permissions, including Admin or API rights). A corresponding user also exists in the IdP, has a password and is assigned to the Mambu SAML App.

  • During the login process, the IdP must send the username userOKTA@mail.com as the NameID (the persistent identifier, in SAML terms).
  • The user logs in to Mambu using Mambu credentials
  • The user logs out; their Mambu session for Mambu credentials is invalidated
  • The user accesses Mambu again; the login screen is displayed and the user can log in with either SSO or Mambu credentials
Please Note:
If the user has never logged into Mambu with SSO, then the SSO will require them to enter their SSO credentials before redirecting to Mambu. The option to automatically log back in to apps, eg. keep me logged in for 30 days, is set at the SSO provider level.
Please Be Aware:
When a user logs in with FA in another tab, only the latest login session will be kept active and the previous one will be invalidated.

To disable single logout for an organization go to: Administration -> Access -> Federated Authentication, uncheck the Enable Single Logout option and click Save Changes.


Please Note:
After SLO has been disabled, the system will revert to built-in session management.

10. Admin sets the SSO session expiration time smaller than the Mambu session timeout
Given: Username userOKTA@mail.com exists in Mambu (having access rights for Mambu and valid permissions - without Admin/API rights). A corresponding user also exists in the IdP, has a password and is assigned to the Mambu SAML App. An Admin user has also configured a session timeout of 5 minutes in the IdP.

  • During the login process, the IdP must send the username userOKTA@mail.com as the NameID (the persistent identifier, in SAML terms).
  • The user logs in to Mambu
  • An Administrator sets the value for Session Timeout to 3 min under Access -> Preferences
  • Users logged in with SSO will have their Mambu session expire after 3 min of inactivity.
Please Note:
The IdP session has its own 5 minute timeout and is checked independently. The session timeout values for Mambu and your IdP are independent from one another, so set both deliberately.

11. How does Critical Action Re-authentication function in an SSO-enabled instance?

Critical Action Re-authentication only works for users with Administrator permissions who have Mambu credentials.

Therefore, if this option is enabled, when the pop-up is triggered you must use your Mambu password, regardless of whether you logged in via SSO or Mambu credentials. To read more on Critical Action Re-authentication, please see Access Preferences.
