When setting up the claim rules on the relying party trust, we had to identify the following rule:
Token-Groups - Unqualified Names => CentreReferences
To create a user in Surpass, the user must have at least one centre association. The rule above means that when a user logs in to Surpass through the SSO login page for the first time, the groups they belong to in Active Directory (such as Administrators, Domain Admins and so on) are passed as an attribute in the SAML response. If an Active Directory group name matches a centre reference that exists in Surpass, the user is associated with that centre; if no matching centre is present, user creation fails. This only applies the first time the user accesses the SSO login page, when the user account is created; after that, permissions are managed manually within Surpass. So before a user can log in using this method, Active Directory needs a group whose name matches a centre reference in Surpass, and the users then need to be assigned to that group in Active Directory.
For a user to be successfully registered in Surpass, the relevant user details also need to be present in Active Directory. The table below maps each Surpass attribute to the Active Directory attribute it is taken from:
| Surpass attribute | Active Directory attribute |
|---|---|
| User Name (Mandatory) | User Principal Name / User Logon Name |
| First Name (Mandatory) | First Name |
| Surname (Mandatory) | Last Name |
| Job Title | Job Title |
| Associated Centres (Centre Reference, Mandatory) | Member of |
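Because the first login both creates the user and fixes the centre associations, it is worth checking a user's Active Directory attributes and group membership against the centre references before they attempt it. The PowerShell below is an added example (not Surpass or Microsoft code) that does that pre-flight check and also shows the "Token-Groups - Unqualified Names => CentreReferences" rule written in the ADFS claim rule language. It assumes the ActiveDirectory and ADFS modules are installed on the federation server; the relying party trust name, the CentreReferences claim type URI, the centre reference list and the sample account name are placeholders to replace with your own values.

```powershell
# Added example, not Surpass or Microsoft code. Assumes the ActiveDirectory and ADFS
# PowerShell modules are available; the trust name, claim type URI, centre reference
# list and account name below are placeholders / constructed sample values.
Import-Module ActiveDirectory
Import-Module ADFS

$RelyingPartyName = 'Surpass'                                    # placeholder trust name
$CentreClaimType  = 'http://example.org/claims/CentreReferences'  # placeholder claim type URI
$CentreReferences = @('CENTRE001', 'CENTRE002')                   # constructed sample centre references

# The "Token-Groups - Unqualified Names => CentreReferences" rule in the ADFS claim rule
# language: look up tokenGroups for the authenticated account and issue one claim per group.
$CentreRule = @"
@RuleName = "Token-Groups - Unqualified Names => CentreReferences"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$CentreClaimType"), query = ";tokenGroups;{0}", param = c.Value);
"@

function Test-SurpassSsoReadiness {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, GivenName, Surname, Title
    $problems = @()
    if (-not $user.UserPrincipalName) { $problems += 'User Principal Name (User Name) is missing' }
    if (-not $user.GivenName)         { $problems += 'First Name is missing' }
    if (-not $user.Surname)           { $problems += 'Last Name (Surname) is missing' }

    # tokenGroups is transitive, so resolve nested security group membership the same way
    # (LDAP_MATCHING_RULE_IN_CHAIN) instead of reading only the direct memberOf list.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        Select-Object -ExpandProperty Name

    # -contains compares case-insensitively; confirm how Surpass compares centre references.
    $matched = @($groups | Where-Object { $CentreReferences -contains $_ })
    if ($matched.Count -eq 0) { $problems += 'No group name matches a centre reference; first login would fail' }

    [pscustomobject]@{
        User            = $user.SamAccountName
        JobTitle        = $user.Title   # optional in Surpass, left blank if unset
        MatchedCentres  = $matched
        UnmatchedGroups = @($groups | Where-Object { $CentreReferences -notcontains $_ })
        Problems        = $problems
        Ready           = ($problems.Count -eq 0)
    }
}

# Append the rule to the trust's existing issuance transform rules (ADFS evaluates them in order).
$existingRules = (Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules ($existingRules + "`n" + $CentreRule)

# Usage: check an account before asking that person to sign in for the first time.
Test-SurpassSsoReadiness -SamAccountName 'jsmith' | Format-List   # 'jsmith' is a placeholder
```

The `UnmatchedGroups` field lists every group name the tokenGroups lookup will place in the assertion that does not correspond to a centre reference, which makes it easy to see exactly what group information leaves ADFS for a given account and whether a group was named to match a centre by mistake.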
Logging into Surpass using ADFS
When a user accesses this address for the first time, a user account is created in Surpass and granted basic access at every centre or group the user has permission to through their Active Directory groups; from then on, all permissions are managed from within Surpass. Because this process only grants basic centre permissions, a Site Administrator will have to log in and grant the new user any further permissions they need.