How Using SAML SSO Impacts Your Expert Site

TLS/SSL requirement

SAML SSO requires HTTPS
If you are currently not using the transport layer security (TLS) protocol for your Expert site domain, please contact the Expert Support team for further details.

VPN/IP restrictions

SAML SSO sessions can occur behind existing VPN or IP-restrictions if enabled for your Expert site.

Group Management

Once SAML is enabled, group membership for SAML users can no longer be managed locally in Expert. 
For security purposes controls group profiles have to be managed in your SAML identity provider (IdP). If users are added to a group in Expert but are not added to the group in the SAML IdP, the IdP will strip the users from the group in Expert.

Username Management

Once SAML is enabled, users can no longer be renamed locally in Expert. 
If a username is changed locally in Expert, the SAML IDP will recreate a new user with the old name next time the user tries to log in. Note that while the username cannot be locally changed in Expert, the display name can.

If machine-generated usernames are synchronized, accessing user contribution or user history data in challenging if user display names are not synchronized. 
If you previously authenticated Expert users locally and now decide to enable SAML SSO, carefully choose your SAML IdP usernames. SAML 2.0 typically uses a persistent username format. If the persistent username is ported over as a non-human-readable string, we recommend synchronizing a user display name or the user’s email address.

Display Name Customization

You can design your own Expert display name from your SAML IdP values. 
Your SAML IdP stores a lot of information about your users (company name, first name, last name, phone number, etc.). Expert only uses three user values: A username, an email address, and a display name. While the username and email address are pulled into Expert as is, you can choose to populate the display name from a combination of IdP values defined by you.