3.2 Configuring SAML/Account Management Connectors and Provisioning Users

The following procedure provides the steps required to configure a SAML/Account Management connector and provision basic user accounts to the SaaS application.

Before you begin provisioning users, ensure that your environment meets the requirements for provisioning to the desired SaaS applications and that you understand how provisioning works in SaaS Account Management.

IMPORTANT: If you already have a SAML application configured in your Access Manager environment that was created from a SAML connector and you want to take advantage of the additional account management benefits that SAM offers for the same SAML application, you must delete the existing application, then import the new SAML/Account Management connector and configure the application settings again.

To configure a new SAML/Account Management connector:

  1. In the Access Manager administration console, access the Applications page and click the plus (+) sign next to the heading.

  2. Click Add Application from Catalog.

  3. On the Application Connector Catalog page, locate and select the SAML/Account Management connector that you want to configure. You can quickly locate Account Management connectors using the Account Management filter.

  4. (Optional) Review the name and description of the application.

    For information about using appmarks associated with applications, see the Access Manager documentation.

  5. Review and configure the other sections, such as Application Connector Setup, Attributes, Access and Roles, and System Setup, for the SAML2 application. For more information, click the Help icon or refer to the Applications Configuration Guide on the Access Manager documentation website.

  6. Click the arrow to expand the Account Management section, then select the Enable Account Management check box.

    NOTE: Access Manager displays the Account Management section only after you have registered your SAM appliance. For more information, see Enabling Account Management.

  7. Click Setup Instructions and follow the help for configuring the service account and completing other steps at the SaaS application site. The setup instructions open in a separate window so you can continue working.

  8. Configure appropriate values for all required settings in the Account Management section. This information varies depending on the SaaS application type. You can click Validate Settings to verify that the values you have specified can be used successfully by SAM to authenticate to your SaaS account.

  9. Under LDAP User Store Configuration, provide the required user store information:

    1. Click the plus (+) icon and select the user store that you want SAM to use for provisioning users to the SaaS application.

    2. Specify a polling interval to indicate how often you want SAM to check your LDAP user store for changes to user accounts.

    3. Repeat this step if you want to add another user store.

  10. Click the Configure Groups and Authorizations icon.

  11. In the LDAP Groups and Authorizations window, select the LDAP user groups you want to provision, then click Save. The LDAP Groups and Authorizations window closes.

    NOTE: For provisioning to occur, you must map at least one LDAP group. For authorizations to be assigned, you must map them to the LDAP groups you have selected. If you do not specifically map SaaS authorizations, SAM provisions users, but they get only basic accounts. For more information about assigning authorizations, see Mapping Authorizations for Provisioned Users.

  12. On the Account Management page, click Save.

    When you click Save, SaaS Account Management begins processing the LDAP users who are members of the mapped groups and who have the required firstname, lastname, and email attributes, and provisions them to the SaaS applications. Depending on the number of users and groups in your user stores, this operation may take some time.
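
The following pre-flight check is an added example, not part of the product or its documentation. It predicts which users the conditions in steps 11 and 12 would provision, skip, or leave with a basic account only. The attribute names (givenName, sn, mail, memberOf), the group DNs, the authorization name, and the function names are assumptions chosen for illustration.

```python
# Assumed LDAP attribute names for the required firstname, lastname and email.
REQUIRED = ("givenName", "sn", "mail")

# Hypothetical mapping: mapped LDAP group DN -> SaaS authorizations (may be empty).
MAPPED = {
    "cn=sales,o=example": {"Standard User"},
    "cn=interns,o=example": set(),
}

# Constructed sample entries, shaped like LDAP search results ({attribute: [values]}).
# memberOf is an assumed group-membership attribute; directories differ.
USERS = {
    "cn=alice,o=example": {"givenName": ["Alice"], "sn": ["Ng"],
                           "mail": ["alice@example.com"], "memberOf": ["cn=sales,o=example"]},
    "cn=bob,o=example": {"givenName": ["Bob"], "sn": ["Ortiz"],
                         "mail": [" "], "memberOf": ["cn=Sales,o=example"]},
    "cn=carol,o=example": {"givenName": ["Carol"], "sn": ["Diaz"],
                           "mail": ["carol@example.com"], "memberOf": ["cn=interns,o=example"]},
    "cn=dave,o=example": {"givenName": ["Dave"], "sn": ["Kim"],
                          "mail": ["dave@example.com"], "memberOf": ["cn=hr,o=example"]},
}


def classify(entry, mapped=MAPPED):
    """Predict the outcome for one user from the conditions stated in the procedure."""
    # DNs compare case-insensitively, so normalise before looking up the mapping.
    hits = [g.lower() for g in entry.get("memberOf", []) if g.lower() in mapped]
    if not hits:
        return "skipped: not in a mapped group"
    # Assumption: an attribute that is absent or only whitespace counts as missing.
    missing = [a for a in REQUIRED if not any(v.strip() for v in entry.get(a, []))]
    if missing:
        return "skipped: missing " + ", ".join(missing)
    # Assumption: a user in several mapped groups gets the union of their authorizations.
    auths = sorted(set().union(*(mapped[g] for g in hits)))
    return "provisioned: " + (", ".join(auths) if auths else "basic account only")


def report(users=USERS):
    """Return {user DN: predicted outcome} for every entry."""
    return {dn: classify(entry) for dn, entry in users.items()}


if __name__ == "__main__":
    for dn, outcome in report().items():
        print(f"{dn}: {outcome}")
```

Running a check like this before clicking Save shows which accounts will not reach the SaaS application and which will arrive with no authorizations, so gaps in directory data or group mapping can be corrected first.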