You can use SAML self-registration to provision new users or update existing user records.
By using SAML self-registration, you can use a SAML assertion to provision a new user in the Veracode Platform. SAML self-registration eliminates the need for preliminary provisioning of users. If SAML self-registration is available, you can sign in to the Veracode Platform using SAML and have a login automatically created with default roles and privileges. You can choose to allow self-registered users to access the Veracode Platform immediately or require approval before they can access it.
SAML self-registration also allows you to update existing user records with fresh information from your identity provider. If there are changes to the first or last name of a user, phone number, or email address, your identity provider automatically propagates these values to Veracode without requiring administrator intervention.
SAML self-registration takes advantage of the SAML specification's support for optional attributes in the SAML XML document. Veracode requires specific attributes for SAML self-registration. You can add other attributes to populate additional data for new or existing records.
Preparing to Use SAML Self-Registration
Before enabling SAML self-registration for your organization in Veracode:
Required and Optional SAML Attributes
Veracode recognizes the following SAML attributes as carrying information for SAML self-registration. The attributes firstname, lastname, and email are required. You can provide the other attributes to supply additional information about the user to Veracode. Veracode requires that you either specify the default Veracode user role in the SAML attributes, or choose to use SAML assertion data, in which case you must specify the Veracode user role.
| Attribute | Description |
|---|---|
| firstname | First name of the user. |
| lastname | Last name of the user. |
| email | Email address of the user. |
| roles | Comma-separated list of valid Veracode roles. If not provided here, you must specify the default user roles using SAML assertion data. |
| teams | Comma-separated list of teams to which the newly registered users are assigned. If you do not provide this information using the teams attribute, you must specify the default teams using SAML assertion data. |
| teamsmanaged | Comma-separated list of teams managed by the team administrator. |
| hasiprestriction | Set to TRUE if the user is restricted to a certain IP range. Requires that you enter a value for ipaddresslist. |
| ipaddresslist | The IP range to which the user is restricted for login. |
| customone | Custom Field One. |
| customtwo | Custom Field Two. |
| customthree | Custom Field Three. |
| customfour | Custom Field Four. |
| customfive | Custom Field Five. |
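The following is an added example, not Veracode's own code: it parses a constructed SAML 2.0 assertion fragment and checks the extracted attributes against the rules in the table above (required names, a role source, and the dependency of hasiprestriction on ipaddresslist). It assumes attribute names are carried in the standard `saml:Attribute Name="..."` form; the role names and addresses in the sample are constructed.

```python
# Added example (not Veracode's code): extract self-registration attributes
# from a SAML 2.0 AttributeStatement and validate them before provisioning.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstname", "lastname", "email")  # required by the table above

# Constructed sample assertion fragment (not a real IdP message); the role
# names are placeholders, not necessarily valid Veracode roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>RoleA,RoleB</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hasiprestriction"><saml:AttributeValue>TRUE</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: first value} for every saml:Attribute present."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_self_registration(attrs, default_roles=None):
    """Return a list of rule violations; an empty list means the user can be provisioned."""
    problems = []
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing required attribute: {name}")
    # Roles must come from the assertion or from a configured default role.
    roles = [r.strip() for r in attrs.get("roles", "").split(",") if r.strip()]
    if not roles and not default_roles:
        problems.append("no roles in assertion and no default user role configured")
    # hasiprestriction=TRUE is only meaningful together with ipaddresslist.
    if attrs.get("hasiprestriction", "").upper() == "TRUE" and not attrs.get("ipaddresslist"):
        problems.append("hasiprestriction is TRUE but ipaddresslist is missing")
    return problems
```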
Configuring SAML Self-Registration
To configure SAML self-registration:
- Click the Admin link in the header.
- Click the SAML tab.
- Ensure you have provided the settings for SAML single sign-on.
- Select Enable Self Registration.
- Choose how to manage self-registered users:
  - Activation Required: An administrator must approve the self-registered user before the user can log in. The user is notified when their registration is approved. Note: Veracode plans to deprecate the Activation Required option and recommends that you do not use this option.
  - No Activation Required: When users self-register, they are directly logged in to the Veracode Platform.
- Choose how the Veracode Platform handles conflicts between data in the SAML assertion and data in the Veracode Platform:
  - Use SAML Assertion Data: The Veracode Platform is updated with whatever data is in the SAML assertion. This setting allows the identity provider to automatically update fields that may change, such as email address, phone number, or last name.
  - Prefer Veracode User Data: The Veracode Platform ignores any changes of data in the SAML assertion.
- Choose which default attributes to set on individual users. Veracode requires that you either specify the default Veracode user role in the SAML attributes or in the SAML assertion data. If you do not require activation for all newly registered users, set a default user role; otherwise the user cannot log in. Note: Some attributes may not be populated if they are not available. Additional SAML attributes include the user roles, which specify which scan types the user is allowed to perform.
- Click Save.
Activating Pending Users
If you choose to have self-registered users require activation, these users appear in the Users Waiting to be Activated list. You can access that list from the SAML tab by clicking View Users Waiting to be Activated. On that tab, you can select users to activate and allow or deny them access.