    Authenticating a group of SAML users

    1. Last updated
    2. Save as PDF
    3. Share
      1. Share
      2. Tweet
      3. Share
    1. Question
    2. Answer
    3. Additional Information
    4.  
    • Product: Rosetta
    • Product Version: 6.0
    Question

    How can SAML users who are not registered in Rosetta be authenticated?

    Use case: I have a group of users in the SAML IdP that I would like to assign access rights for delivery, but I would rather not create an individual Rosetta user for each SAML user.

    Answer

    There are two ways to authenticate SAML users:

    1. For each SAML user create a matching Rosetta user

    2. Create a generic Rosetta user to authenticate a group of SAML users

     

    To apply option #2, follow these steps:

    1. Set up a SAML authentication profile:

    Assuming there is an existing 'saml' profile, create a new 'SAML Group' authentication profile:

    a. Go to Administration > Users: Authentication Profiles

    b. Choose type SAML and click 'Add Authentication Profile'


    c. Populate the relevant SAML IdP details (for more information, see pages 170-171 in the configuration guide)

    d. One of the user-related details returned by the IdP must be used as the matching point in Rosetta.

    The IdP returns an assertion with two parts:

    – a subject part that includes a NameID (or NameIdentifier) element

    – an attribute part that includes a list of user-related attributes (title, cn, etc.)

    You need to decide which of these user-related details will be used as the match point. Because every user whose assertion carries the chosen value is mapped to the same Rosetta user, pick an attribute whose value the IdP asserts authoritatively and that is not shared more widely than the intended group.

    For example, the IdP can return the following assertion:

    <saml:Assertion>
      <saml:Subject>
        <saml:NameID SPNameQualifier="https://eu.alma.exlibrisgroup.com/mng/login" Format="urn:oasis:names:tc:SAML:2.0:nameidformat:uri">
          73b393827e543cc2d8abe6f0c3df889f835b7e43</saml:NameID>
      </saml:Subject>
      <saml:AttributeStatement>
        <saml:Attribute Name="title" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue xsi:type="xs:string">Technical Support Team Leader</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue xsi:type="xs:string">Becky Orange </saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>

    d1. Under 'User ID location' choose Attribute

    d2. Set Attribute Name to "title"


    2. Create the generic Rosetta user:

    a. Mark the 'Shared' checkbox

    b. Click 'Additional Identifiers' to open it

    c. Choose the "SAML Group" authentication profile and enter the attribute value.

    In our example, the title value shared among the group of SAML users is 'Technical Support Team Leader'.

    All SAML users with title='Technical Support Team Leader' will be authenticated in Rosetta as this generic user.

    d. Under 'User Authentication' choose type 'Internal with External authentication'

    e. Save


    3. Update General Parameters:

    a. Go to Administration > General: General Parameters

    b. Select Module: Authentication

    c. Set 'default_authentication_mode' to the name of the authentication profile defined above

    d. Update

    After changing the 'default_authentication_mode' parameter, the default login uses the "SAML Group" profile.

    Back office users will need to change their login URL in order to authenticate with the 'saml' profile:

    https://<<hostname>>:<<port>>/mng?auth=saml

    4. Assign access rights to the newly created generic user.
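The following Python model, written for this article and not part of Rosetta, shows how the 'User ID location' and 'Attribute Name' settings select the value from the IdP assertion that is compared against a user's additional identifiers. The assertion, the two profiles and the two users are constructed; the matching logic is assumed, not Rosetta's own.

```python
# Toy model of Rosetta's SAML user matching (constructed for this article,
# not Rosetta code). Profiles pick the match value; users carry identifiers.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion modelled on the one in the article (namespace added so it parses).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>73b393827e543cc2d8abe6f0c3df889f835b7e43</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="title"><saml:AttributeValue>Technical Support Team Leader</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cn"><saml:AttributeValue>Becky Orange </saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical profiles: 'saml' matches on NameID, 'SAML Group' on the title attribute.
PROFILES = {
    "saml": {"user_id_location": "NameID"},
    "SAML Group": {"user_id_location": "Attribute", "attribute_name": "title"},
}

# Hypothetical Rosetta users; 'identifiers' are their additional identifiers per profile.
USERS = {
    "becky": {"shared": False, "identifiers": {"saml": "73b393827e543cc2d8abe6f0c3df889f835b7e43"}},
    "support_group": {"shared": True, "identifiers": {"SAML Group": "Technical Support Team Leader"}},
}

def match_value(assertion_xml, profile):
    """Return the value the profile uses as its match point, or None if absent."""
    root = ET.fromstring(assertion_xml)
    if profile["user_id_location"] == "NameID":
        node = root.find("saml:Subject/saml:NameID", NS)
        return node.text.strip() if node is not None and node.text else None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == profile["attribute_name"]:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None  # attribute not asserted by the IdP: no match possible

def authenticate(assertion_xml, profile_name):
    """Map an assertion to a Rosetta user name under the named profile, or None."""
    value = match_value(assertion_xml, PROFILES[profile_name])
    if value is None:
        return None
    for name, user in USERS.items():
        if user["identifiers"].get(profile_name) == value:
            return name
    return None  # no user carries this identifier for this profile
```

With the 'SAML Group' profile, every assertion whose title is 'Technical Support Team Leader' resolves to the shared user, while the same assertion under the 'saml' profile resolves to the individual user by NameID.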


    Additional Information

    Rosetta Configuration Guide, Chapter 9: pages 170-171

    Authenticating Users with SAML

    • Article last edited: 17-JUL-2019