When you use SAML SSO for user authentication only, IDMC verifies the user credentials each time a user attempts to sign in to IDMC. User authorization is managed within IDMC through the users' group and role assignments.
To use SAML SSO for authentication only, disable the Map SAML Groups and Roles option on the SAML Setup page. This option is disabled by default. When this option is disabled, you must configure a default user role for new users on the SAML Setup page. You can also configure a default user group.
When you use SAML for authentication only, users are managed in the following ways:
New users with auto-provisioning
When a new user signs on to IDMC for the first time and auto-provisioning is enabled, IDMC gets the user attributes such as first name, last name, and email address from the SAML token and stores them in the repository. It creates the user and assigns the user the default role and, if one is configured, the default group.
If you want to refine the user's level of access to assets, update the user's group and role assignments on the user details page.
New users without auto-provisioning
If auto-provisioning is disabled, users are not automatically added to the organization when they attempt to sign on to Informatica Intelligent Cloud Services for the first time. You must create the user in Administrator.
Existing users
When an existing user signs on, IDMC authenticates the user but does not get the SAML roles, groups, or user attributes from the SAML token. If this information changes, you can update the user's groups and roles on the user details page.
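To make the three cases above concrete, here is an added Python model of the authentication-only flow (example code, not Informatica's implementation). The SAML assertion, its attribute names, the in-memory repository, and the role and group names are constructed assumptions; signature validation of the token is assumed to have already happened.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP token); attribute names are assumptions.
# It deliberately carries a "groups" attribute to show that it is ignored in this mode.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>idp-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def sign_on(repo, assertion_xml, auto_provision, default_role, default_group=None):
    """Authentication-only sign-on: Map SAML Groups and Roles is disabled, so the
    token's group/role attributes are never applied. Returns the User, or None
    when the user does not exist and auto-provisioning is off."""
    attrs = parse_attributes(assertion_xml)
    email = attrs["email"][0]
    user = repo.get(email)
    if user is not None:
        return user  # existing user: authenticate only; attributes, groups, roles unchanged
    if not auto_provision:
        return None  # an administrator must create the user first
    user = User(email, attrs["firstName"][0], attrs["lastName"][0], roles={default_role})
    if default_group:
        user.groups.add(default_group)  # default group only if one is configured
    repo[email] = user
    return user
```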
You can also create a native user account with credentials in Administrator, and the user credentials are saved in the IDMC repository. If you do this, the user must log in to IDMC directly instead of using single sign-on.
If you delete a user from IDMC, the user is deleted from the IDMC repository but not from the identity provider.
For all SAML users, the information in the user profile is read-only except for the time zone. The password and security question do not appear in the user profile.
Switching from SAML authentication and authorization
If your organization uses SAML for authentication and authorization and you want to use SAML for authentication only, you can disable the Map SAML Groups and Roles option.
If you disable this option after it was previously enabled, the group and role mapping information on the SAML Setup page becomes read-only but is not deleted. All SAML groups become regular IDMC groups. You can edit the groups, delete them, and add and remove group members.
When you disable this option, users’ IDMC roles do not change, so scheduled jobs are unaffected.