Context
Workpath lets users log in through SSO / SAML. If the user doesn't exist yet, a new user account is automatically created for them (just-in-time provisioning), including all information from the SAML response. If the user already exists, the user properties are updated with the values transmitted in the SAML response.
With an additional SAML claim "viewer" you can define a user’s license type when their Workpath account is first created, or at any later point during the user’s lifecycle when they log in again. For example, you can set up specific groups for regular users and viewers within your Identity Provider and grant the "viewer" or "regular" user license type only to members of those groups.
Specification of the "viewer" SAML claim
Add a new claim "viewer" to your SAML configuration, which can take one of these values:
- true
- false
The behavior of this claim depends on the following scenarios:
| Scenario | "viewer" claim is present and true in the SAML response | "viewer" claim is present and false in the SAML response |
|---|---|---|
| First time a new user logs in | New user is created, and assigned a Viewer license | New user is created, and assigned a Regular User license |
| Already existing user with Regular User license logs in | User's license is downgraded to Viewer | User's license stays as is, no modification |
| Already existing user with Viewer license logs in | User's license stays as is, with no modification | User's license is upgraded to a regular license |
Instructions for Microsoft Entra ID (formerly Azure Active Directory)
There are different ways of configuring your identity provider to pass this claim. One way to achieve this is to use conditional claims in Microsoft Entra ID:
Steps to set up the Viewer Claim:
- Allow access to Workpath for all users in your organization
- Create an AD group "Workpath Regular Licenses" or similar
- Create a new claim with the name "viewer" and two conditions (order is important!):
  - Add a new claim condition for the "All Users" group, and set the value to
    - "false" if users should by default have a regular license
    - "true" if users should by default only have a viewer license
  - Add a second claim condition with the other value from the previous step, and select the specific groups that should get regular or viewer licenses assigned.
Screenshot of how it should look:
In the screenshot above, users would get viewer licenses by default (hence the first claim is set to "true"), and then members of 5 specific groups get a regular user license.
Important: Please make sure that the value of the claim is exactly false or true, with no extra single or double quotes added. Otherwise, licenses will not be assigned to users correctly.
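To check your identity provider configuration before rollout, the following added example (not Workpath's own code) reads the "viewer" claim from a SAML assertion captured from a test login, rejects any value that is not exactly true or false, and reports the license change the scenario table predicts. It assumes the attribute is sent with the Name "viewer", treats a missing claim as "no claim" because the page does not describe that case, and does not verify the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sample_assertion(value):
    """Constructed test assertion (not real IdP output) carrying one viewer value."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            '<saml:AttributeStatement><saml:Attribute Name="viewer">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue>'
            '</saml:Attribute></saml:AttributeStatement></saml:Assertion>')

def read_viewer_claim(assertion_xml):
    """Return True/False for an exact claim value, None if the claim is absent.

    Only for assertions captured from your own IdP test login; the signature
    is not verified here. The attribute Name "viewer" is an assumption.
    """
    root = ET.fromstring(assertion_xml)
    values = [v.text or "" for v in root.findall(
        ".//saml:Attribute[@Name='viewer']/saml:AttributeValue", NS)]
    if not values:
        return None
    if len(values) != 1:
        raise ValueError(f"expected one viewer value, got {len(values)}")
    if values[0] not in ("true", "false"):
        # Catches quoted, padded and wrongly cased values.
        raise ValueError(f"viewer must be exactly true or false, got {values[0]!r}")
    return values[0] == "true"

def license_after_login(current, viewer):
    """Apply the scenario table. current is None (new user), 'viewer' or 'regular'."""
    target = "viewer" if viewer else "regular"
    if current is None:
        return target, "created"
    if current == target:
        return target, "unchanged"
    return target, "downgraded" if viewer else "upgraded"

if __name__ == "__main__":
    # Constructed claim values, including the quoting mistakes the page warns about.
    for raw in ("true", "false", '"true"', "'false'", " true", "True"):
        try:
            claim = read_viewer_claim(sample_assertion(raw))
            print(repr(raw), "->", license_after_login("regular", claim))
        except ValueError as err:
            print(repr(raw), "-> rejected:", err)
```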