User Account Provisioning via SSO Authentication
Creating and maintaining user accounts via Single-Sign-On
The provisioning of user accounts can be a challenge for large-scale organizations. While Bipsync's Client Admin application allows users and user groups to be managed by one or more designated administrators, this can be a tedious process.
For firms that use SSO to authenticate their users with Bipsync, an alternative to this manual provisioning process is automatic user provisioning. This process uses data embedded in the SAML response from the SSO system to:
- Identify the user
- Determine whether they already have a Bipsync user account
- Create an account for them if they don't
- Update their account details, their groups, and their permissions, according to the data in the SAML response.
Attribute and Group mapping
At present, Bipsync is able to map the following attributes from the SSO system to the user's Bipsync account:
- Name
- Email address
- Company name
- Job title
We are also able to map the groups that a user is a member of. So for example, if in the SSO system the user is a member of the "Compliance" group, this can be mapped to a corresponding "Compliance" group in Bipsync. The following document from Microsoft can guide you through how to configure Azure to pass your groups into a claim.
Role mapping
Roles are another possible mapping. A role determines which permissions a user is granted. The roles that Bipsync is able to assign via user provisioning are:
- User
- Read-only
- Reporting
- Super Admin
The user role gives a user standard access to Bipsync. The others grant access to permissions as defined here: https://docs.bipsync.com/docs/bipsync-user-roles-and-permissions
So for example, if in the SSO system a user has been given the "Compliance" role, this could be mapped in Bipsync to the "Reporting" role, which would then give the user the ability to access the Compliance app once they've logged in to Bipsync.
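The provisioning flow and mappings described above, as an added example (not Bipsync's code): it reads attributes from a SAML assertion that is assumed to be already signature-verified, then maps groups and roles through explicit allowlists so an unmapped IdP value never grants a role. The attribute names, the use of email as the identifier, the fallback to the User role and the sample assertion are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attribute names and IdP values are assumptions, not Bipsync's schema.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>Ada@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Compliance</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>Compliance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Explicit allowlists: IdP value -> application value. Anything absent is ignored.
GROUP_MAP = {"Compliance": "Compliance"}
ROLE_MAP = {"Compliance": "Reporting"}
DEFAULT_ROLE = "User"  # assumed fallback: the standard-access role from the page's list

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from an already signature-verified assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def provision(assertion_xml, existing_emails):
    """Build the create-or-update decision for one assertion."""
    attrs = read_attributes(assertion_xml)
    emails = attrs.get("email", [])
    if len(emails) != 1:
        raise ValueError("assertion must carry exactly one email to identify the user")
    email = emails[0].lower()
    roles = sorted({ROLE_MAP[r] for r in attrs.get("roles", []) if r in ROLE_MAP})
    return {
        "action": "update" if email in existing_emails else "create",
        "email": email,
        "name": " ".join(attrs.get("name", [])),
        "groups": sorted({GROUP_MAP[g] for g in attrs.get("groups", []) if g in GROUP_MAP}),
        "roles": roles or [DEFAULT_ROLE],
    }
```

Because roles and groups are recomputed from the assertion on every login, removing a user from a group or role in the SSO system takes effect at their next sign-in under this scheme.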
