When you use SAML SSO for user authentication only, Informatica Intelligent Cloud Services verifies the user credentials each time a user attempts to sign in to Informatica Intelligent Cloud Services. User authorization is managed within Informatica Intelligent Cloud Services through the users' group and role assignments.
To use SAML SSO for authentication only, disable the Map SAML Groups and Roles option on the SAML Setup page. This option is disabled by default. When this option is disabled, you must configure a default user role for new users on this page. You can also configure a default user group.
When you use SAML for authentication only, users are managed in the following ways:
New users with auto-provisioning
When a new user signs on to Informatica Intelligent Cloud Services for the first time and auto-provisioning is enabled, Informatica Intelligent Cloud Services gets the user attributes such as first name, last name, and email address from the SAML token and stores them in the repository. It creates the user and assigns the user the default role and, if one is configured, the default group.
If you want to refine the user's level of access to assets, update the user's group and role assignments on the user details page.
New users without auto-provisioning
If auto-provisioning is disabled, users are not automatically added to the organization when they attempt to sign on to Informatica Intelligent Cloud Services for the first time. You must create the user in Administrator.
Existing users
When an existing user signs on, Informatica Intelligent Cloud Services authenticates the user but does not get the SAML roles, groups, or user attributes from the SAML token. If this information changes, you can update the user's groups and roles on the user details page.
You can also create a native user account with credentials in Administrator, and the user credentials are saved in the Informatica Intelligent Cloud Services repository. If you do this, the user must log in to Informatica Intelligent Cloud Services directly instead of using single sign-on.
If you delete a user from Informatica Intelligent Cloud Services, the user is deleted from the Informatica Intelligent Cloud Services repository but not from the identity provider.
For all SAML users, the information in the user profile is read-only except for the time zone. The password and security question do not appear in the user profile.
Switching from SAML authentication and authorization
If your organization uses SAML for authentication and authorization and you want to use SAML for authentication only, you can disable the Map SAML Groups and Roles option.
If you disable this option after it was previously enabled, the group and role mapping information on the SAML Setup page becomes read-only but is not deleted. All SAML groups become regular Informatica Intelligent Cloud Services groups. You can edit the groups, delete them, and add and remove group members.
When you disable this option, users’ Informatica Intelligent Cloud Services roles do not change, so scheduled jobs are unaffected.
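Because roles and groups are not refreshed from the SAML token in authentication-only mode, role assignments can drift from the identity provider's group membership over time. The following is an added example, not Informatica code, that compares the roles users hold against what the retained group-to-role mapping would grant. It assumes you have collected the mapping, the identity provider's group membership, and the users' current roles yourself; every name, role, and data value in it is constructed for illustration.

```python
# Added example: audit role drift when SAML is used for authentication only.
# All identifiers and sample data are constructed; no vendor API is used.

# Retained (read-only) SAML group -> role mapping, transcribed by hand.
GROUP_TO_ROLE = {
    "idp-admins": "Admin",
    "idp-designers": "Designer",
    "idp-monitors": "Monitor",
}

# Current group membership as reported by the identity provider.
IDP_GROUPS = {
    "alice@example.com": {"idp-designers"},
    "bob@example.com": {"idp-monitors"},
    "carol@example.com": {"idp-admins", "idp-designers"},
}

# Roles each user currently holds in the cloud service.
IICS_ROLES = {
    "alice@example.com": {"Designer"},
    "bob@example.com": {"Admin", "Monitor"},   # moved teams at the IdP
    "carol@example.com": {"Admin"},            # gained a group at the IdP
    "svc-native@example.com": {"Admin"},       # e.g. a native account
}


def audit_role_drift(iics_roles, idp_groups, group_to_role):
    """Return {user: finding} for users whose held roles differ from the
    roles their IdP groups would grant through the retained mapping."""
    findings = {}
    for user, held in sorted(iics_roles.items()):
        if user not in idp_groups:
            # Not known to the IdP: native account or stale user; review it.
            findings[user] = {"status": "not_in_idp", "roles": sorted(held)}
            continue
        # Groups with no mapping entry grant nothing.
        expected = {group_to_role[g] for g in idp_groups[user] if g in group_to_role}
        excess, missing = held - expected, expected - held
        if excess or missing:
            findings[user] = {"status": "drift",
                              "excess": sorted(excess),
                              "missing": sorted(missing)}
    return findings


if __name__ == "__main__":
    for user, finding in audit_role_drift(IICS_ROLES, IDP_GROUPS, GROUP_TO_ROLE).items():
        print(user, finding)
```

Roles reported under `excess` are the ones to review first, since they persist until someone changes them on the user details page.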