Using SAML for JIT provisioning
You can use Just-In-Time (JIT) provisioning to provision new users or update existing user records.
By using JIT provisioning, you can use a SAML assertion to provision a new user in the Veracode Platform. JIT provisioning allows you to create Veracode users automatically the first time they attempt to access the Veracode Platform. If JIT provisioning is available, you can sign in to the Veracode Platform using SAML and have a login automatically created with default roles and privileges.
JIT provisioning also allows you to update existing user records with fresh information from your identity provider. If there are changes to the first or last name of a user, phone number, or email address, your identity provider automatically propagates these values to Veracode without requiring administrator intervention.
JIT provisioning takes advantage of the SAML specification support for optional attributes in the SAML XML document. Veracode requires specific attributes for using JIT provisioning. You can add other attributes to populate additional data for new or existing records.
Required and optional SAML attributes
Veracode recognizes these SAML attributes as carrying information for SAML self-registration. You supply these attributes to give Veracode additional information about the user. Veracode requires that you either specify the Veracode user role in the SAML attributes, or choose to use SAML assertion data, in which case you must specify the default Veracode user role there.
Attribute | Required | Description |
---|---|---|
firstname | Yes | First name of the user. |
lastname | Yes | Last name of the user. |
email | Yes | Email address of the user. |
subjectConfirmationRecipient | Yes | The target URL. |
roles | No | Comma-separated list of valid Veracode roles. If not provided here, you must specify the default user roles using SAML assertion data. |
teams | No | Comma-separated list of teams to which the newly registered users are assigned. If you do not provide this information using the teams attribute, you must specify the default teams using SAML assertion data. |
teamsmanaged | No | Comma-separated list of teams managed by the team administrator. |
hasiprestriction | No | Set to TRUE if the user is restricted to a certain IP range. Requires that you enter a value for ipaddresslist. |
ipaddresslist | No | The IP range to which the user is restricted for login. |
customone | No | Custom field one. |
customtwo | No | Custom field two. |
customthree | No | Custom field three. |
customfour | No | Custom field four. |
customfive | No | Custom field five. |
SAML format settings
Veracode accepts SAML assertions in two formats: multi-valued attributes and comma-separated values (CSV).
Multi-valued attribute example:
<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Submitter</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Reviewer</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Security Lead</saml2:AttributeValue>
</saml2:Attribute>
CSV example:
<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Submitter,Reviewer,Security Lead</saml2:AttributeValue>
</saml2:Attribute>
The SAML Format Settings selections in your JIT provisioning configuration must match the format of the assertion data you provide.
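The following is an added example, not Veracode code: it reads the JIT attributes from an AttributeStatement in either the multi-valued or the CSV format described above, and checks the constraints from the attribute table (required attributes present, ipaddresslist given when hasiprestriction is TRUE). The sample statement, the SP URL and the assumption that ipaddresslist entries are CIDR ranges are constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree for untrusted input

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
REQUIRED = ("firstname", "lastname", "email", "subjectConfirmationRecipient")
LIST_ATTRS = ("roles", "teams", "teamsmanaged", "ipaddresslist")

def parse_jit_attributes(statement_xml, fmt):
    """Return {Name: [values]}; fmt is "multi" or "csv" (the SAML Format Settings choice)."""
    attrs = {}
    for attr in ET.fromstring(statement_xml).iter(f"{{{SAML2}}}Attribute"):
        values = [v.text.strip() for v in attr.iter(f"{{{SAML2}}}AttributeValue") if v.text]
        if fmt == "csv" and attr.get("Name") in LIST_ATTRS:
            # one AttributeValue such as "Submitter,Reviewer,Security Lead" becomes three items
            values = [x.strip() for x in ",".join(values).split(",") if x.strip()]
        attrs[attr.get("Name")] = values
    return attrs

def validate_jit_attributes(attrs):
    """List the problems that would stop JIT provisioning; an empty list means the data is usable."""
    problems = [f"missing required attribute: {n}" for n in REQUIRED if not attrs.get(n)]
    if (attrs.get("hasiprestriction") or ["FALSE"])[0].upper() == "TRUE":
        ranges = attrs.get("ipaddresslist") or []
        if not ranges:
            problems.append("hasiprestriction is TRUE but ipaddresslist is missing")
        for r in ranges:  # assumption for this example: ranges are written in CIDR notation
            try:
                ipaddress.ip_network(r, strict=False)
            except ValueError:
                problems.append(f"ipaddresslist entry is not a valid IP range: {r}")
    return problems

# Constructed sample statement in CSV format (all values are made up for the example).
CSV_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}">
  <saml2:Attribute Name="firstname"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="lastname"><saml2:AttributeValue>Lovelace</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="email"><saml2:AttributeValue>ada@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="subjectConfirmationRecipient"><saml2:AttributeValue>https://sp.example.com/saml</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="roles"><saml2:AttributeValue>Submitter,Reviewer,Security Lead</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="hasiprestriction"><saml2:AttributeValue>TRUE</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""

if __name__ == "__main__":
    parsed = parse_jit_attributes(CSV_STATEMENT, "csv")
    print(parsed["roles"])                  # ['Submitter', 'Reviewer', 'Security Lead']
    print(validate_jit_attributes(parsed))  # ['hasiprestriction is TRUE but ipaddresslist is missing']
```

Reading the same CSV statement with fmt set to "multi" leaves roles as the single string "Submitter,Reviewer,Security Lead", which is the mismatch the format setting must avoid.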