FAQ
1. Do I have to re-invite Pending users after Activating Delegated Authentication?
YES. There should not be any user in the ‘Pending’ state (invited in Platform Management / Member & Roles) before activating Delegated Authentication. If there are any, un-invite these users from the platform (“Remove User”); you will need to invite them again once Delegated Authentication is activated.
2. What email do I need to use to invite a new user once SAML is enabled?
Once Delegated Authentication is activated, when inviting a new user by email you must use the email address that exists in the IdP.
For example:
If you want to invite John.Doe.external@domain.com (email from the IdP) then:
- If you use the user's 3DEXPERIENCE email attribute (John.Doe@domain2.com) to invite him, the user will not be able to consume his invitation, as that email does not exist inside the IdP.
- Instead, use the email attribute that exists in the IdP to invite the user (in this case John.Doe.external@domain.com).
Upon first login, John will be able to associate it with his existing 3DEXPERIENCE ID John.Doe@domain2.com.
Once associated, John will appear as John.Doe@domain2.com (even though he was invited with John.Doe.external@domain.com).
In the back end, both accounts will remain linked together in 3DPassport.
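A pre-invitation check for the rule above, as an added example that is not part of the original FAQ or of any 3DEXPERIENCE tooling: it compares planned invitation addresses against an export of the IdP's email attribute. The CSV layout, column names and sample rows are constructed assumptions; case-only differences are reported separately because the page does not say whether matching is case-sensitive.

```python
import csv
import io

# Constructed sample: IdP directory export (layout and column names are assumptions).
IDP_EXPORT = """user_id,email
jdoe,John.Doe.external@domain.com
asmith,Alice.Smith@domain.com
"""

# Constructed sample: addresses an administrator plans to invite.
PLANNED_INVITES = [
    "John.Doe@domain2.com",          # 3DEXPERIENCE ID email, unknown to the IdP
    "john.doe.external@domain.com",  # IdP email, but with different letter case
    "Alice.Smith@domain.com",        # exact IdP email
]


def load_idp_emails(export_text, column="email"):
    """Return the set of email values found in the IdP export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row[column].strip() for row in reader if row.get(column)}


def check_invites(invites, idp_emails):
    """Map each planned invite to (status, address to use)."""
    by_lower = {e.lower(): e for e in idp_emails}
    results = {}
    for raw in invites:
        addr = raw.strip()
        if addr in idp_emails:
            results[addr] = ("ok", addr)
        elif addr.lower() in by_lower:
            # Differs only by case: suggest the IdP's exact spelling for review.
            results[addr] = ("case-mismatch", by_lower[addr.lower()])
        else:
            # Not an IdP email: this invitation could not be consumed.
            results[addr] = ("not-in-idp", None)
    return results


if __name__ == "__main__":
    report = check_invites(PLANNED_INVITES, load_idp_emails(IDP_EXPORT))
    for addr, (status, suggestion) in report.items():
        hint = f" -> use {suggestion}" if status == "case-mismatch" else ""
        print(f"{status:14} {addr}{hint}")
```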
3. I have been using the 3DEXPERIENCE platform for years. Can I enable Delegated Authentication on my platform?
YES, you can activate Delegated Authentication on your existing platform; you do not need to order a new one.
4. Can I disable Delegated Authentication?
Yes, you can disable Delegated Authentication at any time. Once disabled, the authentication process will go back to the default authentication process using your 3DEXPERIENCE credentials.
To disable it, please follow the resolution procedure detailed in the article below:
QA00000334441 : Disable Passport Authentication Delegation Link : https://support.3ds.com/knowledge-base/?q=docid:QA00000334441
5. Can I provide access to Collaborative Space, User Group, … to users that are still Pending?
As per the documentation:
"If you invite users on a platform that has the authentication delegation activated, you cannot invite them in other platform services (User Group, 3DSwym, 3DDashboard, 3DDrive) until they log for the first time and consume their invitation."
6. Can I use self-signed certificates?
Yes, self-signed certificates are supported on Public Cloud since 3DEXPERIENCE R2024x GOLDEN.
Since 3DEXPERIENCE R2024x FD02, the Trust Store is available on Public Cloud, so you can generate/import your own pkcs12 certificate.
It was already available on Private Cloud.
7. Can I synchronize the user information from IdP to 3DPassport?
No, on Public Cloud, SAML Synchronization is not supported.
8. What is the list of supported IdP providers?
Any IdP provider that supports the SAML v2 protocol.
9. Recommendation about certificate signature?
If you are testing SAML configuration, do NOT activate message signature.
When you are ready to go live, please use a valid certificate signed by a valid trusted authority.
10. Can I enable the encryption of the SAML assertion?
Yes, on Public Cloud the encryption of the SAML assertion is supported.
11. Does 3DPassport support SP-initiated authentication?
Yes, 3DPassport only supports SP-initiated authentication; you need to set a Login URL / Sign ON URL.
In this field, add your 3DDashboard URL (it must include ifwe). It should look something like this:
https://[platformID]-[GEO]-ifwe.3dexperience.3ds.com
12. Can I change my email address in 3DEXPERIENCE Platform?
Whether or not SAML Authentication Delegation is enabled, you can update your email address from Me > Preference.
See the documentation about Updating Your Profile.
13. Can I change my user account association?
Yes, since 3DEXPERIENCE R2024x FD01, users can change the account association:
If they connect with a different external identity, or they choose a 3DEXPERIENCE ID that is already associated with another identity, they will be able to choose to re-associate their new enterprise identity with their existing 3DEXPERIENCE ID.
Example with a user whose email address was changed on the IdP side from john.doe@domain.com to jdoe@domain.com.
14. Can I use a different certificate for the same IdP Entity?
Yes, since 3DEXPERIENCE R2024x FD01, metadata and certificates are managed per platform.
In other words, if you have multiple platforms, you can reuse the same IdP Entity and use a different certificate for each of them.