Calem Blogs

Blogs of CalemEAM

How to Provision User in Calem by SAML SSO

In release R20d, coming in August 2020, a feature is available to provision users in Calem based on SAML SSO. The feature allows an organization to centralize user management in its ID Provider. Calem provisions an authenticated user in Calem, or updates the user settings accordingly.

  1. A user accesses Calem
  2. The user is redirected to its ID provider for authentication via SAML
  3. Upon authentication the user record is created in Calem if not found. Otherwise, it's updated.

The following SAML attributes from an authenticated user may be used to provision a user record in Calem.

| Attribute | Mandatory |
|---|---|
| Full Name (givenname and surname) | Y |
| User Id | Y |
| Email | Y |
| Group Id - mapped to Profiles in Calem | Y |
| Team Id | N |

Plugins must be configured to enable user provisioning. A plugin includes business logic meeting the specific requirements of the integration for an organization.

  • They are developed and released by Calem based on customer requirements.
  • No plugin is configured out of the box.
  • A plugin needs to be configured to enable the integration. 
  • For instance, "itiga" is the plugin Id to be enabled.
    • The plugin is deployed to directory Calem_Home/server/modules/plugin/itiga/
    • The following configuration needs to be added to calem.custom.php to enable it.

$_CALEM_dist['saml_conf']['user_provision_plugin']='itiga'; 

The user provisioning includes the following data integration points.

  1. Direct Mapping - a SAML attribute is mapped to a field in Calem
  2. Lookup Mapping - a SAML attribute is mapped to a lookup field in Calem
  3. Default field values
  4. Custom Handling - the custom business logic provided by a plugin
  5. Additional configuration - additional configuration data may be supplied in other files for a plugin. For instance, "itiga_conf.php", "itiga_conf.custom.php", and "itiga_map.php" are included for the "itiga" plugin.

Additional information can be found in the README.txt file for a plugin.

The following is the sample configuration for the data integration defined in calem.custom.php. 


$_CALEM_dist['saml_conf']['user_provision_map']=array(
  //Direct mapping to saml attr
  'direct'=>array(
	 'username'=>'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/objectidentifier',
	 'email'=>'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
  ),
  //Saml attr is a lookup value
  'lookup'=>array(
  ),
  //Default values to set
  'defaults'=>array(
	 'login_allowed'=>1,
	 'status_id'=>'us_active',
	 'site_id'=>'1000000'
  ),
  //custom logic, value is attr or null (indirect attributes)
  'custom'=>array(
	 'team_id'=>'TeamCompany',
	 'profle_id'=>'EAMGroupId',
	 'full_name'=>null
  )
); 
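
As an added illustration (not Calem's code or the plugin's), the sketch below shows one way a map of this shape could be applied to the attributes of an authenticated SAML user. The function name, the `$lookups` table, the `profile_id` entry under `lookup`, the rejection rules and all sample values are assumptions; the `custom` section is left out because its logic belongs to the plugin.

```php
<?php
// Added illustration, not Calem code: all names below are hypothetical.
const CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';

function build_user_fields(array $map, array $attrs, array $lookups): array
{
    // SAML attributes are multi-valued; use the first value, trimmed, or null if absent/empty.
    $first = static function (string $name) use ($attrs): ?string {
        $v = $attrs[$name][0] ?? null;
        return (is_string($v) && trim($v) !== '') ? trim($v) : null;
    };
    $user = $map['defaults'];   // fixed values, not read from the assertion
    foreach ($map['direct'] as $field => $attrName) {
        $value = $first($attrName);
        if ($value === null) {
            throw new RuntimeException("SAML attribute for '$field' is missing");
        }
        $user[$field] = $value;
    }
    foreach ($map['lookup'] as $field => $attrName) {
        $value = $first($attrName);
        // Unknown lookup values are rejected rather than created on the fly.
        if ($value === null || !isset($lookups[$field][$value])) {
            throw new RuntimeException("SAML value for '$field' has no matching record");
        }
        $user[$field] = $lookups[$field][$value];
    }
    if (filter_var($user['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('email attribute is not a valid address');
    }
    return $user;
}

// Constructed sample data (not from a real IdP or a real Calem installation).
$map = [
    'direct'   => ['username' => CLAIMS . 'objectidentifier', 'email' => CLAIMS . 'emailaddress'],
    'lookup'   => ['profile_id' => 'EAMGroupId'],
    'defaults' => ['login_allowed' => 1, 'status_id' => 'us_active', 'site_id' => '1000000'],
];
$lookups = ['profile_id' => ['Maintenance' => 'profile-0001']]; // group name => placeholder id
$attrs = [
    CLAIMS . 'objectidentifier' => ['constructed-object-id'],
    CLAIMS . 'emailaddress'     => [' jdoe@example.com '],
    'EAMGroupId'                => ['Maintenance'],
    'site_id'                   => ['9999999'], // unmapped attribute: never read
];
print_r(build_user_fields($map, $attrs, $lookups));
```

Because only attribute names listed in the map are read, the extra `site_id` attribute in the sample has no effect on the resulting record.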