SAML Setup
A SAML exchange involves a web browser accessing PlexTrac:
  • The service provider sends an authentication request to the identity provider using the web browser.
  • The identity provider may ask the user for a user name, a password, or both.
  • Upon verifying the user’s identity, the identity provider sends back an authentication assertion, together with the user credentials, to the service provider.
  • On the basis of the message from the identity provider, the service provider either allows or disallows the user’s attempt to access its service.
PlexTrac allows the use of any SAML Identity Provider for logging into the application. Multiple providers can be configured for each tenant and managed on a per-user basis. For example, one user could log in with Google and another with Okta.
This method of authentication is only valid for the UI and not for authenticating with the PlexTrac API.

Requirements

SAML requires the following environment variables to be set in the PlexTrac Docker Compose file:
  • PROVIDER_CODE_KEY - a secure signing key (set by default in the latest version)
  • CLIENT_DOMAIN_NAME - the domain name you are hosting on, e.g. app.plextrac.com (don’t include http(s))
Users need an account with PlexTrac before being authorized to use an alternative sign-on method. The user's email in PlexTrac must be the same as the email the user will authenticate with through the third-party tool.
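
A preflight check for the two environment variables above, added here as an example and not PlexTrac's own code: it reads them from Compose file text and flags a CLIENT_DOMAIN_NAME that carries a scheme or path and a PROVIDER_CODE_KEY that is missing or weak. The 32-character floor, the function names and the sample service name are assumptions of this example.

```python
import re

MIN_KEY_LEN = 32  # assumption: this example's own floor, not a PlexTrac requirement
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Matches both Compose environment forms: "- KEY=value" and "KEY: value".
ENV_LINE = re.compile(r"^\s*-?\s*([A-Z_][A-Z0-9_]*)\s*[=:]\s*(.*?)\s*$")


def read_env(compose_text):
    """Collect upper-case KEY/value pairs from Compose file text."""
    env = {}
    for line in compose_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ENV_LINE.match(line)
        if match:
            env[match.group(1)] = match.group(2).strip("\"'")
    return env


def check_saml_env(env):
    """Return a list of problems with the two SAML-related variables."""
    problems = []
    domain = env.get("CLIENT_DOMAIN_NAME", "")
    if not domain:
        problems.append("CLIENT_DOMAIN_NAME is not set")
    elif "://" in domain:
        problems.append("CLIENT_DOMAIN_NAME must not include http(s)://")
    elif not HOSTNAME.match(domain):
        problems.append("CLIENT_DOMAIN_NAME is not a bare domain name")
    key = env.get("PROVIDER_CODE_KEY", "")
    if not key:
        problems.append("PROVIDER_CODE_KEY is not set")
    elif len(key) < MIN_KEY_LEN or len(set(key)) < 10:
        problems.append("PROVIDER_CODE_KEY is too short or repetitive")
    return problems


# Constructed sample; the service name "plextrac-app" is hypothetical.
BAD_COMPOSE = """\
services:
  plextrac-app:
    environment:
      - CLIENT_DOMAIN_NAME=https://app.plextrac.com
      - PROVIDER_CODE_KEY=changeme
"""

if __name__ == "__main__":
    for problem in check_saml_env(read_env(BAD_COMPOSE)):
        print("FAIL:", problem)
```

The check reports only the variable name and the problem, so the key value itself never reaches the terminal or a log.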

Configuring SAML

Step 1: Go to the Authentication Methods page under Security>Authentication of the Admin Dashboard.
Step 2: Click the SAML Providers tab.
Step 3: Click Create New SAML Provider.
Step 4: Enter the information obtained through provider setup. Click Create when finished.
Optional:
  • If using IDP initiated SSO, toggle on “Allow IDP Initiated SSO”
  • Input the “Identity Provider Origin URL”
  • Toggle on “JIT User Provisioning”
  • Select the desired “Default Role” for newly created users
If you do not want to use IDP Initiated SSO and have enabled JIT, disable JIT User Provisioning BEFORE disabling IDP Initiated SSO.