Merge AD & ADFS User Accounts
With the growing demand for SAML-based authentication, most of our existing customers have expressed their wish to migrate from AD-based user management to SAML-based user management. To support our existing customers, we have introduced this new feature. Once it is configured, existing Prolaborate Active Directory users are converted to SAML users along with their configuration and access permissions. The conversion happens automatically when the user logs in using SSO after the necessary configuration is complete. This change applies only to a user who uses the same email address before and after conversion, thus consuming a single license.
Existing Prolaborate teams that have configured user management via AD and are planning to migrate to ADFS can benefit from this new feature. During the migration process, administrators can choose between synchronizing settings based on AD group settings or ADFS group settings. The permissions will be set based on the selected option.
- In Prolaborate V5, access to the application for AD groups works on a Just in Time basis (i.e., a user cannot log in to Prolaborate after being removed from the group), while ADFS does not yet have this feature implemented.
- After configuration, the conversion from AD to ADFS SSO takes place when the user logs in for the first time using SSO after upgrading to V5.
- This change applies only to a user who uses the same email address before and after conversion.
- Before V5, users could have both AD and ADFS user accounts, which consumes two licenses. In this case, after upgrading to V5, a query must be executed in the database to merge the existing AD and ADFS user accounts into a single user account, thus consuming a single license.
- The Prolaborate version should be V5 for this conversion to occur.
This document is for organizations that have been using Prolaborate with Active Directory configured and are planning to change to ADFS SSO. New users who want to use SSO can skip this configuration.
How to Achieve It?
When configuring SAML SSO in Prolaborate, choose Active Directory Federation Service (ADFS) under Identity Provider in Identity Provider (IDP) Configuration. Click here to learn more about how to configure ADFS SSO with Prolaborate.
The next step is to determine which access permission needs to be applied for the user after conversion to ADFS from AD.
The admin can choose any of the following options.
Option 1: Active Directory Federation Service Synchronize Settings
This option is enabled by default. The access permission applied for the user after conversion will be based on Active Directory. The admin can choose the required Active Directory Domain from which the access permission is to be applied for the user after conversion. The dropdown list displays the Active Directories configured in Prolaborate.
- AD group access works on a Just in Time basis (i.e., a user cannot log in to Prolaborate after being removed from the group).
Option 2: Access Control Profile
Disable the ADFS option to configure an Access Control Profile and apply access permissions to the user based on it. Click here to learn how to configure an Access Control Profile.
Enable the SAML Group toggle to configure and apply SAML group-based access to the user after conversion.
- After login, removing the user from the SAML group will not remove that user's access in Prolaborate.
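
Because SAML group access is not re-checked after login, a periodic reconciliation between the identity provider's group membership and the application's user list is one way to find access that should have been removed. The script below is an added example, not part of Prolaborate or its documentation; the CSV column names and sample rows are constructed assumptions, not a documented export format.

```python
import csv
import io

# Constructed sample data. Column names are assumptions for this example,
# not a documented Prolaborate or ADFS export format.
PROLABORATE_USERS = """email,auth_type,granted_via_group
Alice@example.com,SAML,EA-Modelers
bob@example.com,SAML,EA-Modelers
carol@example.com,SAML,EA-Reviewers
dave@example.com,AD,EA-Modelers
"""

IDP_MEMBERSHIP = """group,member_email
EA-Modelers,alice@example.com
EA-Reviewers,carol@example.com
EA-Reviewers,bob@example.com
"""


def norm(value):
    """Compare emails and group names case-insensitively, ignoring padding."""
    return value.strip().lower()


def load_membership(text):
    """Map each IdP group to the set of member emails it currently holds."""
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        members.setdefault(norm(row["group"]), set()).add(norm(row["member_email"]))
    return members


def stale_saml_access(users_text, membership_text):
    """Return (email, group) pairs where a SAML user still holds access in
    the application but is no longer a member of the granting IdP group."""
    members = load_membership(membership_text)
    stale = []
    for row in csv.DictReader(io.StringIO(users_text)):
        if norm(row["auth_type"]) != "saml":
            continue  # AD group access is checked at login, so skip it
        email, group = norm(row["email"]), norm(row["granted_via_group"])
        if email not in members.get(group, set()):
            stale.append((email, group))
    return sorted(stale)


if __name__ == "__main__":
    for email, group in stale_saml_access(PROLABORATE_USERS, IDP_MEMBERSHIP):
        print(f"review access: {email} is no longer in {group}")
```

Each flagged pair is a candidate for manual access removal in the application, since removing the user from the SAML group alone does not revoke it.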