Single Sign-On Groups and Attributes

Mapping SAML Attributes and Groups to QReserve

Overview

QReserve integrates with your organization's SAML Single Sign-On (SSO) identity provider (IdP) not just for authentication, but also to automatically manage user data and group memberships within QReserve. This feature allows you to map:

  1. SAML User Attributes: Data points released by your IdP during login (like department, employee ID, phone number) can be mapped directly to QReserve's Custom User Properties.
  2. SAML Group Memberships: If your IdP releases information about the groups a user belongs to, these SAML groups can be mapped to corresponding QReserve Groups.

This streamlines user management, ensures data consistency, and helps automate permission assignments based on your existing organizational structures.

Why Use SAML Attribute and Group Mapping?

  • Automated Data Population: Eliminate manual entry or updates for user details like department, office location, or role by pulling this information directly from your authoritative identity source upon login.
  • Simplified Permissions Management: Automatically assign users to relevant QReserve groups based on their membership in your organization's directory groups (e.g., map 'Faculty' SAML group to 'QReserve Faculty' group). This is useful for setting up resource access rules, loan limits, or permissions.
  • Improved Onboarding: New users logging in via SAML for the first time can have their profile information and group memberships configured automatically.
  • Data Consistency: Reduce errors and ensure the user information within QReserve aligns with your central identity management system.

How to Enable and Configure SAML Mapping

Setting up SAML attribute and group mapping involves coordination between your site administrator and QReserve Support.

Step 1: Request Feature Enablement

  • Contact QReserve Support to request that the "SAML Attribute and Group Mapping" feature be enabled for your organization's QReserve site.

Step 2: Identify Released SAML Information

  • Work with your IT department or SAML IdP administrator to determine:
    • Which user attributes (e.g., department, mail, employeeNumber, title) are released to QReserve in the SAML assertion. You will need the exact Attribute Name value as it appears in the assertion, not a friendly label: many IdPs release these as OIDs (for example urn:oid:2.5.4.11 for organization unit name), which is the form used in the built-in attribute list below.
    • If group membership is released, the name of the SAML attribute that carries it (e.g., memberOf, groups), whether it is multi-valued (one value per group), and the exact string of each group value. Some directories send a plain name such as Faculty, others a full distinguished name such as CN=Faculty,OU=Groups,DC=example,DC=edu; the mapping must use whichever form is actually sent.

Step 3: Inform QReserve Support

  • Provide the list of exact SAML attribute names you want to map to QReserve Custom User Properties.
  • If mapping groups, provide the name of the SAML attribute containing group information and examples of the group names being sent.
  • QReserve Support will configure the backend to recognize these specific attributes and make them available for mapping in your site settings.

Step 4: Configure Mapping in QReserve

  • Once QReserve Support confirms the attributes/groups are available, a QReserve user with the Administrator role can proceed with the mapping.
  • Navigate to Site Settings within QReserve.
  • Go to the SSO tab.
  • You will find sections for mapping:
    • Attribute Mapping: Select an available SAML attribute (made available by QReserve Support based on your request) from a dropdown list and choose the corresponding QReserve Custom User Property you want it to populate.
      • Note: You must have already created the necessary Custom User Properties under Site Settings > Properties > Custom Site User Properties for them to appear as mapping targets.
    • Group Mapping: If enabled and configured by support, you will see a section to map SAML Group names (as sent by your IdP) to existing QReserve Groups. Enter the exact SAML group name and select the QReserve Group it should map to.
      • Note: You must have already created the necessary QReserve Groups under Administration > Users > User Groups.

Potential Limitations and Considerations

  • Dependency on IdP Configuration: The feature depends entirely on your organization's SAML IdP releasing the desired attributes and group memberships to QReserve in the assertion. QReserve can only map what it receives; an attribute that exists in your directory but is not released to QReserve's service provider will never appear.
  • Mapping Occurs at Login: Attribute and group synchronization happens only when a user successfully authenticates via SAML; there is no background synchronization. A change made in your IdP (e.g., a user moving to another department or group) reaches QReserve only after that user's next SAML login.
  • Exact Naming is Crucial: SAML attribute names and group values are matched as exact strings. Case, spacing, and punctuation must agree between what the IdP sends, what you give QReserve Support, and what you enter in the mapping interface; 'Faculty' and 'faculty' are different groups.
  • Pre-existing Users: Mappings apply when a user logs in via SAML. Users who were created manually, or who have not logged in via SAML since the mapping was configured or since their data changed in the IdP, keep their current QReserve data until they do.
  • One-Way Sync: Data flows from your IdP to QReserve only. Custom properties or group memberships edited directly in QReserve are not written back to your IdP.
  • Custom User Properties/Groups Must Exist: Create the target Custom User Properties and QReserve Groups in QReserve before mapping SAML attributes and groups to them; otherwise they do not appear as mapping targets.
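The following Python script is an added worked example, not code from QReserve or from this page. It shows what the mapping configured in Steps 2 to 4 does with a real SAML assertion, and why the "Exact Naming" limitation above matters in practice. The sample assertion, the mapping tables (ATTRIBUTE_MAPPING, GROUP_MAPPING) and every function name are constructed for illustration; QReserve's actual configuration is done through Site Settings > SSO, not through code. The example assumes the SAML library has already verified the assertion's signature before any attribute is read, and that a Custom User Property holds a single value.

```python
# Added example, not QReserve's code: shows what the mapping described in
# Steps 2-4 does with a SAML assertion, and why the "Exact Naming" caveat bites.
# The assertion, the mapping tables and the function names are constructed for
# illustration; QReserve's real configuration is done in Site Settings > SSO.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Only the AttributeStatement matters here; the
# Signature element is omitted because this example assumes the SAML library
# has already verified the signature before any attribute is trusted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.11">
      <saml:AttributeValue>Chemistry</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.20">
      <saml:AttributeValue>+1 555 0100</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Faculty</saml:AttributeValue>
      <saml:AttributeValue>Lab-Safety-Trained</saml:AttributeValue>
      <saml:AttributeValue>Alumni</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Step 3/4 configuration, as an admin might record it. Keys are the exact
# SAML Attribute Name values (built-in OID names from the table below).
ATTRIBUTE_MAPPING = {
    "urn:oid:2.5.4.11": "Department",   # Organization unit name
    "urn:oid:2.5.4.20": "Phone",        # Telephone number
    "urn:oid:2.5.4.12": "Job Title",    # requested, but this IdP does not release it
}
GROUP_ATTRIBUTE = "memberOf"
GROUP_MAPPING = {
    "Faculty": "QReserve Faculty",
    "lab-safety-trained": "Lab Access",  # deliberate case mistake: will not match
}


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {Attribute Name: [values...]} from a signature-verified assertion."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def apply_mapping(attrs, attribute_mapping, group_attribute, group_mapping):
    """Compute the property values and group memberships for this login.

    Lookups are exact string matches: no case folding, no trimming of the
    mapping keys. Anything the IdP did not release is left untouched, and
    released groups with no mapping are reported rather than guessed.
    """
    properties = {}
    for saml_name, qreserve_property in attribute_mapping.items():
        values = attrs.get(saml_name)
        if values:
            # Assumption: a custom user property holds one value, so take the first.
            properties[qreserve_property] = values[0]
    groups, unmapped = [], []
    for released in attrs.get(group_attribute, []):
        target = group_mapping.get(released)
        if target is None:
            unmapped.append(released)
        elif target not in groups:
            groups.append(target)
    return {"properties": properties, "groups": groups, "unmapped_groups": unmapped}


def case_mismatches(released_groups, group_mapping):
    """Diagnostic for the Exact Naming caveat: released group names that a
    mapping key would match only if case were ignored."""
    by_lower = {key.lower(): key for key in group_mapping}
    return {g: by_lower[g.lower()] for g in released_groups
            if g not in group_mapping and g.lower() in by_lower}


def sync_from_assertion(assertion_xml):
    """Everything one SAML login would change, plus the diagnostics."""
    attrs = extract_attributes(assertion_xml)
    result = apply_mapping(attrs, ATTRIBUTE_MAPPING, GROUP_ATTRIBUTE, GROUP_MAPPING)
    result["case_mismatches"] = case_mismatches(attrs.get(GROUP_ATTRIBUTE, []), GROUP_MAPPING)
    return result


if __name__ == "__main__":
    for key, value in sync_from_assertion(SAMPLE_ASSERTION).items():
        print(f"{key}: {value}")
```

Running it shows Department and Phone populated, Job Title left alone because the IdP never released urn:oid:2.5.4.12, the user placed only in QReserve Faculty, and Lab-Safety-Trained and Alumni reported as unmapped. The case_mismatches diagnostic singles out Lab-Safety-Trained as the one that was meant to map and failed only on case; that is the first thing to check when a group mapping "does nothing". Note that the script never case-folds on its own: silently matching a group regardless of case would turn a typo into an unintended permission grant.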

Built-in SAML attributes

QReserve has a list of built-in SAML attributes ready to use. These are the urn:oid form of standard X.500 attribute types, which is how most SAML IdPs name directory attributes in the assertion. Coordinate with your IT department to see whether your IdP releases these attributes in the SAML response, and under these exact Name values.

Attribute Name        Display Name
urn:oid:2.5.4.6       Country name
urn:oid:2.5.4.7       Locality Name
urn:oid:2.5.4.8       State or Province name
urn:oid:2.5.4.9       Street address
urn:oid:2.5.4.10      Organization name
urn:oid:2.5.4.11      Organization unit name
urn:oid:2.5.4.12      Title attribute type
urn:oid:2.5.4.13      Description attribute type
urn:oid:2.5.4.16      Postal address attribute type
urn:oid:2.5.4.17      Postal code attribute type
urn:oid:2.5.4.18      Post office box attribute type
urn:oid:2.5.4.19      Physical delivery office name attribute type
urn:oid:2.5.4.20      Telephone number attribute type
urn:oid:2.5.4.29      Presentation address attribute type
urn:oid:2.5.4.72      Role attribute type

Note: If you require an attribute not listed here, please contact QReserve Support to request a custom attribute for your site.

Need Assistance?

If you have questions about setting up or troubleshooting SAML attribute and group mapping, please contact QReserve Support.