User Accounts Provisioned by Just-In-Time (JIT) Provisioning

When a SAML user logs in to IBM Aspera Faspex for the first time, Faspex automatically creates a new user account based on the information provided by the SAML response. If the SAML response also contains group information, and that group does not yet exist in Faspex, Faspex automatically creates a new SAML group for each group of which the user is a member. For more information about SAML groups, see Creating SAML Groups.
Note: If an admin enables the Restrict access to known groups feature for the SAML configuration, only members of existing Faspex SAML groups can log in. This also means that new SAML groups are not automatically created when SAML users log in. For more information about SAML configuration options, see Configure SAML Options.

SAML Users and External Users

When a SAML user logs in to Faspex for the first time, Faspex checks for existing external users matching the email address of the SAML user. If such a user exists, Faspex merges the two accounts.

Group Permissions

A SAML user belonging to multiple groups is given the permissions and settings of all groups it belongs to, with permissions overriding restrictions. For example, if Group A disallows sending to external users but Group B does not, users who belong to both groups are allowed to send to external users. Settings that require specific handling are as follows:
  • Account expiration is only enabled if all groups to which a user belongs specify account expiration. If account expiration is enabled, the expiration date is set to the latest expiration date from among all groups.
  • For any settings that use Server Default, Yes or Allow, and No or Deny, the setting is set to Yes if any group specifies Yes, and it is set to No if all groups are set to No. Otherwise, it is set to use the server default.
  • For package deletion policy, override is enabled if all groups specify override, or if the least restrictive group setting is less restrictive than the server-wide setting. If override is enabled, the least restrictive group setting is used. Do nothing is less restrictive than Delete files after all recipients download all files, which in turn is less restrictive than Delete files after any recipient downloads all files.
  • For advanced transfer settings, override is enabled if all groups specify override or if any group specifies any transfer rate that is higher than the server default. If override is enabled, each transfer rate is set to the higher of the highest value from among the groups and the server default. The minimum rate policy is locked only if all groups specify the setting.
Note: For more information on these settings, see SAML Group Permissions.
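The merge rules above can be modeled to audit what a user who belongs to several SAML groups actually receives. The following is an added example, not Faspex code: the setting keys, policy labels, and group records are hypothetical, and it assumes that a group which does not override the package deletion policy contributes no value to the "least restrictive" comparison.

```python
from datetime import date

# Restrictiveness order stated on the page: lower rank = less restrictive.
# The string labels are hypothetical stand-ins for the three policies.
DELETION_RANK = {"do_nothing": 0, "after_all_download": 1, "after_any_download": 2}

def merge_tristate(values):
    """Yes if any group says yes, No only if every group says no, else server default."""
    if "yes" in values:
        return "yes"
    if values and all(v == "no" for v in values):
        return "no"
    return "default"

def merge_expiration(dates):
    """Expiration applies only if every group sets one; the latest date wins."""
    if not dates or any(d is None for d in dates):
        return None
    return max(dates)

def merge_deletion(policies, server_policy):
    """Return (effective policy, override enabled). None = group does not override."""
    specified = [p for p in policies if p is not None]
    if not specified:
        return server_policy, False
    least = min(specified, key=DELETION_RANK.__getitem__)
    all_override = len(specified) == len(policies)
    looser = DELETION_RANK[least] < DELETION_RANK[server_policy]
    override = all_override or looser
    return (least if override else server_policy), override

def effective_settings(groups, server_policy):
    """Combine per-group settings into what a member of all the groups receives."""
    return {
        "send_to_external": merge_tristate([g["send_to_external"] for g in groups]),
        "expires": merge_expiration([g["expires"] for g in groups]),
        "deletion": merge_deletion([g["deletion"] for g in groups], server_policy),
    }

# Constructed sample: a locked-down group plus a permissive one.
GROUPS = [
    {"name": "contractors", "send_to_external": "no",
     "expires": date(2025, 6, 30), "deletion": "after_any_download"},
    {"name": "engineering", "send_to_external": "yes",
     "expires": None, "deletion": None},
]

if __name__ == "__main__":
    print(effective_settings(GROUPS, "after_all_download"))
```

In the constructed sample, membership in the second group removes both the external-send restriction and the account expiration set by the first, which is why group assertions from the identity provider are worth reviewing alongside the Faspex group settings.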