Only available for AX Enterprise accounts.

Configuration
When creating or editing existing entries, you’ll use a form with two tabs: General Configuration and Role Mapping. For new entries, you will be guided through the configuration process.
General Configuration
1. Email Domains Field
Add as many email domains as you need that share the same configuration. An email domain must be unique among all IdP entries in the system (except that they can overlap and override existing file-based entries). Validation status:
- SaaS (Arize employee): Email domains are considered validated
- SaaS (Customer admin): Email domains are unvalidated until an Arize employee edits the entry, unless the domain is also found in a file-based entry
- File-based entries: Overlapping domains are considered validated
Due to caching, changes to email domain information may take up to a minute to take effect.
2. Metadata
Enter either the Metadata URL (preferred) or Metadata XML data. The Metadata URL is an option to automatically fetch the Metadata XML from your IdP. Alternatively, you can provide the Metadata XML directly. This information is available in the SAML configuration settings of your IdP.
Due to caching, changes to metadata information may take up to a minute to take effect.
3. User Settings
Due to caching, changes to user settings may take up to a minute to take effect.
Allow Only SAML Logins
If enabled, users can only log in via SAML. This prevents anyone from logging in with a username/password combination.
Sync Permissions on Each Login
When enabled, the user’s permissions are synced on every SAML login.
Timing considerations: After making changes to role mappings, a user’s next SAML login might take up to 24 hours to reflect the changes due to access and refresh tokens keeping their last login session alive. If you want changes to role mappings to take effect immediately, users may need to log out to force a SAML login.
Allow Login to Default Organization and Space
When enabled:
- If a new user logs in via SAML and does not match any role mappings, they are added as members of the default organization and space with the roles listed in this section
- These values are also used if Allow Only SAML Logins is enabled and there is no role mapping match
Role Mappings
Role mappings are optional but recommended for automated user provisioning and access control. During the SAML protocol exchange, your Identity Provider (IdP, e.g., Okta) can be configured to send assertions about the user. These assertions can be used to determine how a new user should be created or how an existing user should be updated (if Sync Permissions on Each Login is enabled).
How Role Mappings Work
The assertion’s attributes (key/value pairs) can be matched against your role mappings to determine:
- Account admin status: Whether the user should be an account administrator
- Organization and space placement: Which organization and optionally which spaces the user should be placed into
Allow login to default Organization and Space setting:
- If Enabled: Default organization and space are used
- If Disabled: Login will be rejected
If more than one attribute key/value pair is present in an individual role mapping, all those attributes must match the incoming assertion’s equivalent key/value settings.
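A dry-run of the matching rules described in this section, added here as an example and not Arize's own code: every key/value pair in a mapping must be present in the assertion, and an unmatched login either falls back to the default organization and space or is rejected. The dictionary layout, attribute names, exact case-sensitive comparison, multi-valued attribute handling, the guard against empty mappings, and returning every matching mapping are assumptions.

```python
# Added example, not Arize code. Data layout and attribute names are assumptions.

def mapping_matches(mapping_attrs, assertion_attrs):
    """Every key/value pair in the mapping must appear in the assertion (AND)."""
    for key, wanted in mapping_attrs.items():
        values = assertion_attrs.get(key, [])
        if isinstance(values, str):   # assumption: a single value may arrive as str
            values = [values]
        if wanted not in values:      # assumption: exact, case-sensitive comparison
            return False
    return True


def resolve_login(assertion_attrs, role_mappings, allow_default_login, default_grant):
    """Return the decision for one login: 'mapped', 'default' or 'rejected'."""
    matched = [
        m["grant"] for m in role_mappings
        # Guard (assumption): a mapping with no attributes would match every user.
        if m["attributes"] and mapping_matches(m["attributes"], assertion_attrs)
    ]
    if matched:
        return {"decision": "mapped", "grants": matched}
    if allow_default_login:
        return {"decision": "default", "grants": [default_grant]}
    return {"decision": "rejected", "grants": []}


# Constructed sample configuration (hypothetical group, org and space names).
ROLE_MAPPINGS = [
    {"attributes": {"groups": "ml-platform", "department": "research"},
     "grant": {"account_admin": False, "organization": "Research", "spaces": ["Prod"]}},
    {"attributes": {"groups": "arize-admins"},
     "grant": {"account_admin": True, "organization": "Research", "spaces": []}},
]
DEFAULT_GRANT = {"account_admin": False, "organization": "Default Org",
                 "spaces": ["Default Space"]}

if __name__ == "__main__":
    # Constructed assertion: right group, wrong department, so the first mapping fails.
    partial = {"groups": ["ml-platform"], "department": ["sales"]}
    for allow_default in (True, False):
        print(allow_default, resolve_login(partial, ROLE_MAPPINGS, allow_default, DEFAULT_GRANT))
```

Running candidate assertions through a check like this before editing role mappings shows which users would silently land in the default organization and which would be rejected.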
Caching
Database entries are cached in the backend application to reduce database calls. If no action has occurred on an entry recently, changes take effect immediately. The times below are the worst-case delays for changes to take effect:
- Changing the metadata XML, metadata URL, or email domain fields: 1 minute
- Changing the role mappings or user settings: 1 minute