SAML causes significant process issues for IT
Hi,
Firstly, I apologize if I’ve posted in the wrong section. I’m very new to the Microsoft forums/hubs and found navigating them very confusing for this particular subject anyway. Full disclosure: I’m not a specialist in the networking, server, or authentication related fields, nor Active Directory/Azure for that matter.
I’m trying to identify a way to alleviate some process issues caused by SAML when authenticating users for key web-apps we use, two in particular. I’m not sure I’m at liberty to state what they are, so I won’t for security reasons, but I can explain the current workflow.
System 1 Onboarding Workflow
1. In order to onboard a user for System1 you must…
- Add them to the applicable AD group
- Send an email to the user to request they login
- Once the user has logged in and provided they told us…
- We can assign permissions, reporting lines etc. in System1
System 2 Onboarding Workflow
2. In order to onboard a user for System2 you must…
- Add them to the applicable AD group
- Send an email to the user to request they login
- Once the user has logged in and provided they told us…
- They would come back with an error message, which means the admins of the system can now assign permissions/access
- Admins can then respond back to the user again to state they will now be able to login successfully
From my limited perspective and understanding, SAML waits for a user to attempt a login before anything happens. From an onboarding process perspective this is very time consuming and ineffective, especially considering the reliance on replies and the huge number of onboarding requests we receive on a daily basis.
Thinking out loud to remove this problem: when a user is added to the AD group for that web-app, a process runs based on a detected change in users/groups and pushes that to the web-apps, so no manual user login attempts are required. Is it possible to do anything like this, or can you provide different solutions to this while still using SAML?
I should note that it is an absolute requirement that users have access to these systems from the day they join.
Fundamentally, the question I am asking is…
User registration in web-apps seems to require an SSO attempt by the user before that user appears in the web-app’s user directory. Is it possible to automate the web-app user registration so the manual user SSO attempt isn’t required?
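The behaviour described in the post, where the application only creates its account record when the IdP sends the first SAML assertion, is usually called just-in-time (JIT) provisioning; the "push on group change" idea is what the SCIM 2.0 protocol (RFC 7643/7644) standardises, and Microsoft Entra ID's application provisioning service is built on it. The following is an added example, not code from the original post or from any product it mentions. It assumes the target web-app exposes a SCIM 2.0 `/Users` endpoint, that group membership snapshots arrive as sets of `(userPrincipalName, displayName)` pairs from a scheduled directory export, and it replaces the real HTTP endpoint with an in-memory stand-in (`FakeScimApp`, constructed here) so that it runs offline. It also goes beyond the post by handling the reverse case: a user removed from the group is deactivated in the app.

```python
import json
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass(frozen=True)
class DirectoryUser:
    upn: str           # userPrincipalName; also the NameID the IdP will send in SAML
    display_name: str


def diff_membership(previous, current):
    """Return (added, removed) members between two snapshots of the app's AD group."""
    prev = {u.upn: u for u in previous}
    cur = {u.upn: u for u in current}
    added = [cur[k] for k in sorted(cur.keys() - prev.keys())]
    removed = [prev[k] for k in sorted(prev.keys() - cur.keys())]
    return added, removed


def scim_create_payload(user):
    """Body for POST /Users. userName must equal the SAML NameID, otherwise the
    app will not match the pushed record at first login and creates a duplicate."""
    return {
        "schemas": [SCIM_USER],
        "userName": user.upn,
        "displayName": user.display_name,
        "emails": [{"value": user.upn, "primary": True}],
        "active": True,
    }


def scim_deactivate_payload():
    """Body for PATCH /Users/{id}: disable rather than delete, so audit history survives."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


class FakeScimApp:
    """Constructed in-memory stand-in for the web-app's SCIM endpoint.
    Records every request and keeps a user table keyed by SCIM id."""

    def __init__(self):
        self.users = {}       # scim id -> resource
        self.requests = []    # (method, path, body)

    def post_user(self, body):
        self.requests.append(("POST", "/Users", body))
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ValueError(f"409 uniqueness conflict: {body['userName']}")
        scim_id = f"id-{len(self.users) + 1}"
        self.users[scim_id] = dict(body, id=scim_id)
        return scim_id

    def find_user(self, user_name):
        # Equivalent of GET /Users?filter=userName eq "..."
        self.requests.append(("GET", f'/Users?filter=userName eq "{user_name}"', None))
        for scim_id, u in self.users.items():
            if u["userName"] == user_name:
                return scim_id
        return None

    def patch_user(self, scim_id, body):
        self.requests.append(("PATCH", f"/Users/{scim_id}", body))
        for op in body["Operations"]:
            self.users[scim_id][op["path"]] = op["value"]


def reconcile(previous, current, app):
    """Push a membership delta to the app. Returns (provisioned_ids, deactivated_ids).
    Lookup-before-create makes a re-run after a partial failure safe."""
    added, removed = diff_membership(previous, current)
    provisioned, deactivated = [], []
    for u in added:
        existing = app.find_user(u.upn)
        provisioned.append(existing or app.post_user(scim_create_payload(u)))
    for u in removed:
        scim_id = app.find_user(u.upn)
        if scim_id is not None:
            app.patch_user(scim_id, scim_deactivate_payload())
            deactivated.append(scim_id)
    return provisioned, deactivated


# Constructed sample snapshots of the "System1 users" AD group taken by two
# consecutive runs of a scheduled job: Bob was removed, Carol was added.
YESTERDAY = {DirectoryUser("alice@example.test", "Alice Example"),
             DirectoryUser("bob@example.test", "Bob Example")}
TODAY = {DirectoryUser("alice@example.test", "Alice Example"),
         DirectoryUser("carol@example.test", "Carol Example")}


def demo():
    app = FakeScimApp()
    reconcile(set(), YESTERDAY, app)                 # initial sync creates alice, bob
    provisioned, deactivated = reconcile(YESTERDAY, TODAY, app)
    return app, provisioned, deactivated


if __name__ == "__main__":
    app, provisioned, deactivated = demo()
    for method, path, body in app.requests:
        print(method, path, json.dumps(body) if body else "")
```

The point of the `userName`/NameID comment is the one thing that most often goes wrong with pre-provisioning: if the attribute pushed over SCIM differs from the identifier in the SAML assertion, the application cannot link the two and the user still lands in the "unknown user" error path the post describes. The deactivation branch matters for the same least-privilege reason the onboarding branch does: a group removal should reach the app as quickly as a group addition.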