7. SAML Authentication
License Required
This feature must be licensed to be used. Contact your Eventide Communications Dealer for assistance.
7.1. How It Works
When a user logs in to the NexLog DX-Series recorder, the SAML attribute mapped to recorder usernames is evaluated to see if that user already exists. Access to the recorder is controlled by groups and permissions set within the SAML Identity Provider.
Groups must be included in the assertion and the mapping of groups to permissions must be configured on the recorder.
If the user does not exist, the user is created and permissions are set based on the mapping of groups in the assertion to permissions.
If the user does exist, permissions are updated on each login.
7.2. Prerequisites & Considerations
A TLS certificate must be configured and enabled on the recorder, and the FQDN that matches the certificate must be known. For the purposes of this document the value sp.nexlog.host will be used throughout.
All SAML users are created just-in-time, at their first login. Local users created before SAML authentication was configured, whose username matches the value in the assertion, will still be able to use local authentication.
The claim that is passed and mapped to the username on the recorder is truncated to the string before the @, if one is present in the value (e.g. user1@domain.com --> user1).

Permissions should be mapped to groups; they are reapplied at each login, so any permission changes made locally on the recorder will be overwritten at the user's next SAML login.
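The following Python model is an added illustration of the provisioning flow described in sections 7.1 and 7.2; it is not Eventide code and does not reflect the recorder's implementation. It parses the AttributeStatement of a sample assertion, applies the documented username rule (keep the string before the @), derives permissions from the groups in the assertion, creates the user on first login, and replaces the stored permissions on every later login. The attribute names `uid` and `groups`, the group-to-permission table, the permission names and the sample assertion are all constructed for the example.

```python
"""Model of just-in-time SAML provisioning as described in this chapter.

Added illustration, not Eventide code. Attribute names, permission names,
the group mapping and the assertion below are assumptions for the example.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion. This model starts AFTER signature
# verification: no attribute may be trusted until the assertion's
# XML signature has been validated against the IdP's certificate.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>user1@domain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>recorder-replay</saml:AttributeValue>
      <saml:AttributeValue>recorder-admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed recorder-side configuration: which attributes carry the username
# and the groups, and how IdP groups map to recorder permissions.
USERNAME_ATTRIBUTE = "uid"
GROUPS_ATTRIBUTE = "groups"
GROUP_PERMISSIONS = {
    "recorder-replay": {"replay"},
    "recorder-admin": {"replay", "configure", "manage_users"},
}


def attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
        result[attr.get("Name")] = values
    return result


def recorder_username(value):
    """Documented rule: keep only the string before '@' when one is present."""
    return value.split("@", 1)[0]


def permissions_for(groups):
    """Union of the permissions mapped to the groups in the assertion.
    Groups that are not mapped on the recorder grant nothing."""
    perms = set()
    for group in groups:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def saml_login(users, assertion_xml):
    """Process one SAML login against `users`, the recorder's user table
    (dict username -> {"permissions": set}), modified in place.

    Creates the user on first login; on every login the stored permissions
    are replaced by those derived from the assertion, so any permissions
    edited locally on the recorder are overwritten."""
    attrs = attributes(assertion_xml)
    raw = attrs.get(USERNAME_ATTRIBUTE)
    if not raw or not raw[0].strip():
        raise ValueError(f"assertion carries no usable {USERNAME_ATTRIBUTE!r} attribute")
    username = recorder_username(raw[0].strip())
    perms = permissions_for(attrs.get(GROUPS_ATTRIBUTE, []))
    record = users.setdefault(username, {"permissions": set()})
    record["permissions"] = perms
    return username, perms


if __name__ == "__main__":
    table = {}
    print(saml_login(table, SAMPLE_ASSERTION))
```

Because the username is truncated at the @, any two assertion values that share the text before the @ resolve to the same recorder user, so the attribute chosen for the username mapping should be one whose local part is unique within the IdP. The model also leaves a user in place when no groups are present in the assertion: the user simply ends up with an empty permission set.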