This guide is intended to help administrators through the process of testing SAML login attributes.
While testing the SAML login attributes is not required, it can be useful when mapping roles for user access. Before running a test, you should be sure that the SSO configuration is as complete as possible, both at your SSO provider and your Cloud Streaming portal.
Please be aware that clicking the "Test" button will automatically log you out of your administrator account. You will then be prompted to log into the Cloud Streaming portal via your single sign-on (SSO) service. You can sign in with your own credentials, or, if one of your users is having difficulty, you can coordinate with the affected user to test their SAML attributes. Once you authenticate, there are four possible outcomes:
1. Your SSO provider may present an error.
In this scenario, the test has failed. There will be no SAML attributes to view. There is likely an error in the SAML configuration for your SSO provider (Google, Microsoft Azure, ADFS, etc.). Check the configuration documents for your particular SSO service.
2. The Cloud Streaming portal may present a security error.
In this scenario, the test has failed. There will be no SAML attributes to view. It may be necessary to adjust one or more of the SAML SSO security options within your Cloud Streaming portal.
3. The Cloud Streaming portal may present an access error.
In this scenario, the test has succeeded. SAML attributes should now be available to view under the test results. You must manually return to the SAML External configuration page for your CS portal and check the "Test Login Attributes" tab. This will likely require you to log out of the account that you used when testing your SSO credentials. You will then have to log back into the CS portal using your administrator account.
4. You may successfully log into the Cloud Streaming portal.
In this scenario, the test has succeeded. SAML attributes should now be available to view under the test results. You must manually return to the SAML External configuration page for your CS portal and check the "Test Login Attributes" tab. This will likely require you to log out of the account that you used when testing your SSO credentials. You will then have to log back into the CS portal using your administrator account.
Using test results to create Roles:
Once you return to the Test Login Attributes area, you should see test results that might resemble the following screenshot:
The information in the Attribute Name column (A1, A2) and Value column (V1, V2) of your test results can be used to create role mappings. Role mappings are intended to grant groups of users the appropriate level of access to the Cloud Streaming portal. Using the information seen in the screenshot above, here is an example set of roles:
In the above example role mappings, anyone logging in using an email address (A1) ending in "@schoolname.org" will have Basic level access to the Cloud Streaming portal. This value represents a partial match of the V1 value shown in the test results screenshot above. In this case, the partial match is used in order to grant access to a larger group of users as opposed to the single user identified in the test results.
Anyone logging in with a groups attribute (A2) whose value identifies the user as a member of a group called "schoolname.org\Curriculum" (V2) would then have Instructor level access to the Cloud Streaming portal. This value represents an exact match of the V2 test result. In the above example, the customer has also chosen to create a secondary Instructor role. This role again uses the groups attribute (A2), this time with the value "schoolname.org\Teachers" (V3), which was not part of the initial test results. So long as one knows the range of values that might be returned with an attribute, it is possible to create Roles using those values without having to run multiple tests.
NOTE: If a user should meet the conditions for more than one role, they will be granted the highest level of access available to them.
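To make the matching rules concrete, here is an added Python example (not part of this guide or the Cloud Streaming portal's own code) that evaluates the example role set above against a user's SAML attributes: a suffix match on the email attribute, exact matches on the groups attribute, and the highest-privilege role winning when several mappings match. The attribute names "email" and "groups" and the sample attribute values are assumptions.

```python
from typing import Dict, List, NamedTuple, Optional

# Access levels in ascending order of privilege. The page states that a user who
# meets the conditions for more than one role receives the highest level available.
ACCESS_LEVELS = ["Basic", "Instructor"]
RANK = {level: i for i, level in enumerate(ACCESS_LEVELS)}

class RoleMapping(NamedTuple):
    attribute: str  # SAML attribute name; "email" (A1) and "groups" (A2) are assumed names
    match: str      # "exact", or "ends_with" for the page's partial match on an e-mail domain
    value: str      # value to compare against (the page's V1, V2, V3)
    role: str       # access level granted on a match

def mapping_matches(mapping: RoleMapping, attributes: Dict[str, List[str]]) -> bool:
    """True if any value of the named attribute satisfies the mapping. SAML attributes
    may carry several values (e.g. all of a user's groups), so every value is checked."""
    for value in attributes.get(mapping.attribute, []):
        if mapping.match == "exact" and value == mapping.value:
            return True  # group names are compared case-sensitively
        if mapping.match == "ends_with" and value.lower().endswith(mapping.value.lower()):
            return True  # anchored to the end of the value, so only the domain suffix matches
    return False

def resolve_role(attributes: Dict[str, List[str]], mappings: List[RoleMapping]) -> Optional[str]:
    """Evaluate every mapping and return the highest-privilege role matched, or None."""
    best: Optional[str] = None
    for mapping in mappings:
        if mapping_matches(mapping, attributes) and (best is None or RANK[mapping.role] > RANK[best]):
            best = mapping.role
    return best

# The page's example role set.
EXAMPLE_MAPPINGS = [
    RoleMapping("email", "ends_with", "@schoolname.org", "Basic"),
    RoleMapping("groups", "exact", r"schoolname.org\Curriculum", "Instructor"),
    RoleMapping("groups", "exact", r"schoolname.org\Teachers", "Instructor"),
]

# Constructed sample attribute sets (not the values from the page's screenshot).
CURRICULUM_USER = {"email": ["jdoe@schoolname.org"],
                   "groups": [r"schoolname.org\Curriculum", r"schoolname.org\Staff"]}
BASIC_USER = {"email": ["asmith@SchoolName.org"], "groups": [r"schoolname.org\Staff"]}
OUTSIDER = {"email": ["guest@example.net"], "groups": [r"schoolname.org\curriculum"]}

if __name__ == "__main__":
    for label, attrs in [("curriculum", CURRICULUM_USER), ("basic", BASIC_USER), ("outsider", OUTSIDER)]:
        print(label, "->", resolve_role(attrs, EXAMPLE_MAPPINGS))
```

Note that the OUTSIDER sample carries "schoolname.org\curriculum" in lower case, which the exact-match rule does not accept, so a mismatch in letter case between the IdP's group names and the configured value is one reason a user can end up with less access than expected.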
Comments
What we need to know is how to create the relying party trust, not the claims.