Limitations of SAML Configuration
IdP Metadata Certificate Expiry
The Identity Provider (IdP) metadata XML file that you exported to configure Lighthouse contains a certificate that is used to authenticate that the SAML response came from your IdP.
Different IdPs have different expiry periods for these certificates; consult your IdP’s documentation to find the expiry period that applies to yours. When your IdP’s certificate expires, you will need to regenerate it, re-export your IdP metadata, and update your Lighthouse configuration. If your IdP supports sending expiry notifications to your admin, we recommend that you enable these notifications.
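As an added example (not Opengear's code and not part of the Lighthouse product), the following stdlib-only Python check extracts the first signing certificate from an exported IdP metadata file and reports how many days remain before its notAfter date, so expiry can be tracked without waiting for IdP notifications. The embedded metadata and certificate bytes are constructed for the demonstration (the sample certificate has a real certificate's field order but no key or signature); the function names are this example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def _tlv(der: bytes, pos: int):  # read one DER tag-length-value; return (tag, value_start, value_end)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity -> notAfter (RFC 5280 field order)."""
    _, pos, _ = _tlv(der, 0)                            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)                        # [0] version (optional) or serialNumber
    if tag == 0xA0:
        tag, _, end = _tlv(der, end)                    # serialNumber
    for _ in range(2):                                  # skip signature AlgorithmIdentifier, issuer
        tag, _, end = _tlv(der, end)
    _, pos, _ = _tlv(der, end)                          # validity SEQUENCE
    _, _, end = _tlv(der, pos)                          # notBefore (skipped)
    tag, start, end = _tlv(der, end)                    # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def metadata_signing_cert(xml_text: str) -> bytes:     # DER bytes of the first ds:X509Certificate
    node = ET.fromstring(xml_text).find(f".//{{{DS_NS}}}X509Certificate")
    if node is None:
        raise ValueError("metadata contains no X509Certificate")
    return base64.b64decode(re.sub(r"\s+", "", node.text))

def days_until_expiry(xml_text: str, now: datetime) -> int:  # negative once the certificate has expired
    return (cert_not_after(metadata_signing_cert(xml_text)) - now).days

# Constructed sample: minimal DER with a real certificate's tbsCertificate layout, not a usable
# certificate (no public key or signature). Its validity ends 2025-01-01.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body               # short-form lengths only (< 128 bytes)
SAMPLE_CERT_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                 # version v3, serialNumber
    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))     # sha256WithRSAEncryption
    + _der(0x30, b"") + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS_NS}" entityID="https://idp.example.invalid">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""
SAMPLE_NOW = datetime(2024, 12, 2, tzinfo=timezone.utc)
```

On a real export, pass the file's contents and `datetime.now(timezone.utc)` to `days_until_expiry`; a small or negative result means the metadata must be regenerated and re-imported into Lighthouse.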
Making Changes to User Permissions
When you change the permissions assigned to a Lighthouse user in your IdP (via the LH_Groups SAML attribute), the changes will not take effect until the user logs out of and back into Lighthouse.
If you need to quickly restrict a user's access, consider altering the permissions of, or deleting, that user’s user groups on Lighthouse. You can also set a low Web Session Timeout.
SAML SSO User Groups
The LH_Groups attribute can be used to place SSO users in any Lighthouse user group except Lighthouse’s default admin group. You can allow users to log in with admin privileges by creating another user group in Lighthouse with the admin role and assigning the matching role/group in your IdP to the user (i.e. populating LH_Groups to include that group’s name).
SAML SSO Users
SAML users can only be managed in your IdP and will not appear under Lighthouse User Management.
SAML users have no access to either Web terminal or SSH functionality via the Lighthouse web interface.