Using SAML for Self-Registration

Administration Guide

By using SAML self-registration, you can use a SAML assertion to provision a new user in the Veracode Platform. SAML self-registration eliminates the need for advance provisioning of users. If SAML self-registration is available, you can sign into the Veracode Platform using SAML and have a login automatically created with default roles and privileges. You can choose to allow self-registered users to access the Veracode Platform immediately or require approval before they can access it.

SAML self-registration also allows updating existing user records with fresh information from your identity provider. In the event of a change of a user's first or last name, phone number, or email address, your identity provider automatically propagates these values to Veracode without requiring administrator intervention.

SAML self-registration takes advantage of the SAML specification support for optional attributes in the SAML XML document. Certain attributes are required to be able to use SAML self-registration. You can add other attributes to populate additional data for new or existing records.

Preparing to Use SAML Self-Registration

Before enabling SAML self-registration for your organization in Veracode, do the following:

  1. Enable SAML authentication.
  2. Configure your identity provider to add the required attributes to your assertion.
  3. Add any optional attributes to the assertion that your identity provider can add.

Required and Optional SAML Attributes

The following SAML attributes are recognized by Veracode as carrying information for SAML self-registration. Three attributes (firstname, lastname, email) are required; the others are optional and pass additional information about the user to Veracode. Veracode requires that you either specify the default Veracode user role here in the SAML attributes, or opt to use SAML assertion data, in which case you must specify the Veracode user role there.

Attribute         Description
----------------  ----------------------------------------------------------------------------
firstname         First name of the user.
lastname          Last name of the user.
email             Email address of the user.
roles             Comma-separated list of valid Veracode roles. If not provided here, you must
                  specify the default user roles using SAML assertion data.
teams             Comma-separated list of teams to which the newly registered users are
                  assigned. If not provided here, you must specify the default teams using
                  SAML assertion data.
teamsmanaged      Comma-separated list of teams managed by the team administrator.
hasiprestriction  Set to TRUE if the user is restricted to a certain IP range. Requires that
                  you enter a value for ipaddresslist.
ipaddresslist     The IP range to which the user is restricted for login.
track             Name of the eLearning track to which the user is assigned.
curriculum        Name of the eLearning curriculum to which the user is assigned. Must be a
                  valid curriculum in the assigned track.
keepelearnactive  Set to TRUE to automatically extend the user's eLearning seat when a
                  subscription is renewed.
customone         Custom Field One.
customtwo         Custom Field Two.
customthree       Custom Field Three.
customfour        Custom Field Four.
customfive        Custom Field Five.

Configuring SAML Self-Registration

To configure SAML self-registration:

  1. Click the Admin link in the header.
  2. Click the SAML tab.
  3. Ensure you have provided the settings for SAML single sign-on.
  4. Select Enable Self Registration.
  5. Choose how self-registered users are handled:
    Activation Required
    An administrator must approve the self-registered user before the user can log in. The user is notified when their registration is approved.
    No Activation Required
    When users self-register, they are logged directly into the Veracode Platform.
  6. Choose how the Veracode Platform handles conflicts between data in the SAML assertion and data in the Veracode Platform:
    Use SAML Assertion Data
    The Veracode Platform is updated with whatever data is in the SAML assertion. This setting allows the identity provider to automatically update fields that may change, such as email address, phone number, or last name.
    Prefer Veracode User Data
    The Veracode Platform ignores any changes of data in the SAML assertion.
  7. Choose which default attributes to set on individual users. Veracode requires that you specify the default Veracode user role either in the SAML attributes or in the SAML assertion data. If activation is not required for newly registered users, set a default user role; otherwise the user cannot log in.
    Note: Some attributes may not be populated if they are not available. Additional SAML attributes include the user roles, which specify which scan types the user is allowed to perform.
  8. Click Save.
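The attribute table above and the conflict-handling choice in step 6 describe a contract between the identity provider's assertion and the Veracode user record. The following is an added example, not Veracode's code or its API, showing how a relying party would read those attributes out of an AttributeStatement, check the rules the table states (the three required attributes, the roles-or-default-role requirement, and hasiprestriction requiring ipaddresslist), and then apply either the "Use SAML Assertion Data" or the "Prefer Veracode User Data" policy to an existing record. The assertion, the role and team names, and the existing user record are all constructed sample data; the example also assumes the assertion's signature has already been verified before any of its attribute values are trusted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by AttributeStatement/Attribute/AttributeValue.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names taken from the guide's table.
REQUIRED = ("firstname", "lastname", "email")
LIST_VALUED = ("roles", "teams", "teamsmanaged")
KNOWN = REQUIRED + LIST_VALUED + (
    "hasiprestriction", "ipaddresslist", "track", "curriculum",
    "keepelearnactive", "customone", "customtwo", "customthree",
    "customfour", "customfive",
)

# Constructed sample assertion; the person, role and team names are illustrative
# only (real role/team values must be valid in your Veracode account). A real
# relying party must verify the enclosing Response/Assertion signature first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>Submitter, Reviewer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="teams"><saml:AttributeValue>Payments</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hasiprestriction"><saml:AttributeValue>TRUE</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ipaddresslist"><saml:AttributeValue>203.0.113.0/24</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {Name: value} for every Attribute in the AttributeStatement.
    If an attribute carries several AttributeValue elements they are joined
    with commas, matching the comma-separated convention the guide uses."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if name and values:
            attrs[name] = ",".join(values)
    return attrs


def split_list(value: str) -> list:
    """Split a comma-separated roles/teams value into clean items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_attributes(attrs: dict, default_roles_configured: bool) -> list:
    """Return the problems that would block self-registration (empty list = OK).
    default_roles_configured models the 'default user role' set in step 7."""
    problems = []
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing required attribute: {name}")
    if not attrs.get("roles") and not default_roles_configured:
        problems.append("no roles attribute and no default user role configured")
    if attrs.get("hasiprestriction", "").upper() == "TRUE" and not attrs.get("ipaddresslist"):
        problems.append("hasiprestriction is TRUE but ipaddresslist is missing")
    for name in attrs:
        if name not in KNOWN:
            problems.append(f"unrecognized attribute ignored: {name}")
    return problems


def merge_user_record(existing: dict, attrs: dict, use_assertion_data: bool) -> dict:
    """Apply the step-6 conflict policy to an existing user record.
    use_assertion_data=True  -> 'Use SAML Assertion Data': assertion values win.
    use_assertion_data=False -> 'Prefer Veracode User Data': assertion changes ignored.
    Only attribute names from the guide's table are ever copied."""
    record = dict(existing)
    if not use_assertion_data:
        return record
    for name, value in attrs.items():
        if name in KNOWN:
            record[name] = split_list(value) if name in LIST_VALUED else value
    return record


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    print("attributes:", parsed)
    print("problems:", validate_attributes(parsed, default_roles_configured=False))
    # Constructed existing record whose last name differs from the assertion.
    existing = {"firstname": "Ada", "lastname": "King", "email": "ada@example.com"}
    print("IdP wins:", merge_user_record(existing, parsed, use_assertion_data=True))
    print("Veracode wins:", merge_user_record(existing, parsed, use_assertion_data=False))
```

Running the block prints the parsed attributes, an empty problem list for the sample, and the two merge outcomes: with "Use SAML Assertion Data" the last name becomes Lovelace and roles become a two-item list, with "Prefer Veracode User Data" the record is returned unchanged. Dropping the email or ipaddresslist attribute from the sample makes validate_attributes report the corresponding rule from the table.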

Activating Pending Users

If you opt to require activation for self-registered users, these users appear in the Users Waiting to be Activated list. You can access the list from either the SAML tab or the Users tab by clicking View Users Waiting to be Activated. On that tab, select the users to be activated and either activate them or deny them access.