Use SAML Just-in-Time User Provisioning in a SAML SSO Environment

If you are using an isolated domain (see Default and Custom Domains) and have Single Sign-On (SSO) based on SAML (Security Assertion Markup Language, see SAML SSO with GoodData), you can use SAML Just-in-Time (JIT) provisioning.

With JIT, you do not have to create and configure users in advance. JIT creates users when they log in for the first time. When a user tries to log in to the GoodData platform with SSO, a GoodData account is automatically created for them and the user is granted access to the specified GoodData project. The user's details and the ID of the GoodData project to grant access to are provided as part of Identity Provider metadata.

Enable Just-in-Time User Provisioning

If you do not yet have SAML SSO implemented, set it up (see SAML SSO with GoodData). Then, do the following:

  1. Send a request to GoodData Support to allow JIT provisioning for your domain and SSO provider.
    If you have multiple SSO providers, you can have JIT provisioning enabled for some or all of them.
  2. When configuring an SSO environment on your side, configure your Identity Provider to send SAML assertions with the following JIT attributes:

| Property                 | SAML Attribute          | Mandatory? | Type             | Default                                             | Note                                                                                                                                                                                                                      |
|--------------------------|-------------------------|------------|------------------|-----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| JIT provisioning enabler | jit                     | yes        | Boolean          | false                                               | Set to true to enable JIT user provisioning. If not explicitly set or set to false, JIT user provisioning is not enabled, and the request is handled as a standard SAML login.                                             |
| clientid                 | client.id               | yes        | string           | n/a                                                 | (Valid only if you use Life Cycle Management, see Managing Projects via Life Cycle Management) Use clientid and dataproductid together to identify the project where users should be provisioned.                          |
| dataproductid            | dataproduct.id          | yes        | string           | n/a                                                 | Used together with clientid (see above).                                                                                                                                                                                  |
| projectid                | project.id              | yes        | string           | n/a                                                 | Use to identify the project where users should be provisioned. This is an alternative to the combination of clientid and dataproductid. If both projectid and the combination of clientid and dataproductid are sent, the combination of clientid and dataproductid takes precedence over projectid. |
| firstname                | user.firstname          | yes        | string           | n/a                                                 |                                                                                                                                                                                                                           |
| lastname                 | user.lastname           | yes        | string           | n/a                                                 |                                                                                                                                                                                                                           |
| role                     | project.role.identifier | no         | string           | readOnlyUserRole                                    | For more information, see User Roles.                                                                                                                                                                                     |
| companyname              | user.companyname        | no         | string           | n/a                                                 |                                                                                                                                                                                                                           |
| country                  | user.country            | no         | string           | n/a                                                 |                                                                                                                                                                                                                           |
| email                    | user.email              | no         | string           | user login (as specified in the subject element)    |                                                                                                                                                                                                                           |
| ip_whitelist             | user.ipwhitelist        | no         | array of strings | n/a                                                 |                                                                                                                                                                                                                           |
| language                 | user.language           | no         | string           | en-US                                               |                                                                                                                                                                                                                           |
| phonenumber              | user.phonenumber        | no         | string           | n/a                                                 |                                                                                                                                                                                                                           |
| position                 | user.position           | no         | string           | n/a                                                 |                                                                                                                                                                                                                           |
| timezone                 | user.timezone           | no         | string           | n/a                                                 |                                                                                                                                                                                                                           |
| usergroups               | usergroups              | no         | array of strings | n/a                                                 |                                                                                                                                                                                                                           |

RelayState

The RelayState parameter specifies the URI in GoodData where the user is redirected after a successful login.

The RelayState parameter is case-sensitive and must be sent in the body of an HTTP POST request. The value of the RelayState parameter must be an absolute URL.

For information about constructing URLs pointing to specific embedded dashboards using the project ID or a combination of the client ID and data product ID, see Embedding Code Formats.

SAML Response Assertion

GoodData processes the first valid Assertion element in the SAML response. An Assertion element is valid when it is signed and has valid subject, conditions and issuer child elements.

If signing assertions is disabled for the domain, the whole SAML response must be signed.

The AttributeStatement element that contains provisioning attributes must be included in the same Assertion element where the subject element is included.

Because the first valid Assertion element is retrieved and used, multiple Assertion elements are not supported.
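The attribute table and the Assertion rules above can be exercised on a response. The following is an added example, not GoodData's code: it takes the first Assertion element, checks that the Issuer, Subject, Conditions and Signature children the page requires are present and that the Conditions window covers the current time, reads the JIT attributes from that same Assertion, and resolves the target project with the stated precedence (client.id plus dataproduct.id over project.id). It checks structure only and does not verify the XML signature; the sample response, its placeholder IDs and the login user@example.com are constructed.

```python
# Added example, not GoodData's code: applies the page's Assertion and JIT-attribute rules
# to a constructed response. Structure only; a real SP must verify the XML signature first.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
def jit_attributes(response_xml, now):
    """Return (login, {attribute name: [values]}) from the first Assertion element."""
    assertion = ET.fromstring(response_xml).find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    for child in ("saml2:Issuer", "saml2:Subject", "saml2:Conditions", "ds:Signature"):
        if assertion.find(child, NS) is None:
            raise ValueError(f"Assertion lacks {child}")
    cond = assertion.find("saml2:Conditions", NS)
    iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML UTC timestamps
    if not iso(cond.get("NotBefore")) <= now < iso(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion outside its validity window")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml2:AttributeValue", NS)]
             for a in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
    return assertion.find("saml2:Subject/saml2:NameID", NS).text, attrs

def provisioning_target(attrs):
    """Resolve the target project; client.id + dataproduct.id takes precedence."""
    if str(attrs.get("jit", ["false"])[0]).lower() != "true":
        return None  # jit absent or false: handled as a standard SAML login
    for name in ("user.firstname", "user.lastname"):
        if name not in attrs:
            raise ValueError(f"mandatory JIT attribute {name} missing")
    if "client.id" in attrs and "dataproduct.id" in attrs:
        return ("lcm", attrs["client.id"][0], attrs["dataproduct.id"][0])
    if "project.id" in attrs:
        return ("project", attrs["project.id"][0])
    raise ValueError("no project.id and no client.id + dataproduct.id")

# Constructed sample with placeholder values only; the Signature body is elided.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml2:Assertion ID="ASSERTION_ID"><saml2:Issuer>ISSUER_ID</saml2:Issuer><ds:Signature/>
  <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions NotBefore="2018-11-01T12:19:36.280Z" NotOnOrAfter="2018-11-01T12:29:36.280Z"/>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="jit"><saml2:AttributeValue>true</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute Name="project.id"><saml2:AttributeValue>PROJECT_ID</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute Name="client.id"><saml2:AttributeValue>CLIENT_ID</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute Name="dataproduct.id"><saml2:AttributeValue>DP_ID</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute Name="user.firstname"><saml2:AttributeValue>FIRST</saml2:AttributeValue></saml2:Attribute>
   <saml2:Attribute Name="user.lastname"><saml2:AttributeValue>LAST</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"""
SAMPLE_NOW = datetime(2018, 11, 1, 12, 24, 36, tzinfo=timezone.utc)  # inside the window
```

Because the sample carries both project.id and the client.id/dataproduct.id pair, provisioning_target returns the Life Cycle Management pair, matching the precedence rule in the table.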

Example: SAML Message

The following is an example of the SAML message with the mandatory SAML attributes provided and project.id used to identify the project where users should be provisioned:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://secure.gooddata.com/gdc/account/samllogin" ID="RESPONSE_ID" IssueInstant="2018-11-01T12:24:36.280Z" Version="2.0">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ISSUER_ID</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <ds:Reference URI="#RESPONSE_ID">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>DIGEST_VALUE</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>CERT_VALUE</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="ASSERTION_ID" IssueInstant="2018-11-01T12:24:36.280Z" Version="2.0">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">ISSUER_ID</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#ASSERTION_ID">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
                  </ds:Transform>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>ASSERTION_DIGEST_VALUE</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>SIGNATURE_VALUE</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>CERT_VALUE</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">GOODDATA_USER_LOGIN</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData NotOnOrAfter="2018-11-01T12:29:36.280Z" Recipient="https://secure.gooddata.com/gdc/account/samllogin" />
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2018-11-01T12:19:36.280Z" NotOnOrAfter="2018-11-01T12:29:36.280Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>GoodData</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2018-11-01T12:24:36.280Z" SessionIndex="ASSERTION_ID">
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
         <saml2:Attribute Name="jit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">true</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="project.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">PROJECT_ID</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="user.firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FIRST_NAME</saml2:AttributeValue>
         </saml2:Attribute>
         <saml2:Attribute Name="user.lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LAST_NAME</saml2:AttributeValue>
         </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>


The following is an example of the AttributeStatement element that uses the dataproduct.id and client.id SAML attributes to identify the project:

<saml2:AttributeStatement>
   <saml2:Attribute Name="jit" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">true</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="dataproduct.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">DATA_PRODUCT_ID</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="client.id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CLIENT_ID</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="user.firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FIRST_NAME</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute Name="user.lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LAST_NAME</saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>