SAML SSO Settings


Overview

PC Matic supports SAML 2.0 Single Sign-On (SSO) and SCIM provisioning for centralized authentication, user lifecycle management, and role-based access control through your Identity Provider (IdP).

This guide explains how to:

  • Configure SAML authentication
  • Configure SCIM provisioning
  • Synchronize users and groups
  • Assign roles through group and attribute mappings
  • Validate your deployment before enforcing access controls

1. Configure SAML Single Sign-On

Navigate to the Identity Provider section of the PC Matic Management Console.

PC Matic provides the values required to configure a SAML application within your Identity Provider.

Configure the following settings using the values displayed in PC Matic:

Identity Provider Setting        PC Matic Value
SP Entity ID / Audience URI      SP Entity ID
ACS URL / Reply URL              ACS / Reply URL
Name ID Format

Required Email Claim

PC Matic must receive the user's email address either:

  • As the SAML NameID, or
  • Through the required email claim URI

Configure the following attribute statement within your Identity Provider:

Setting          Value
Attribute Name   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name Format      URI
Value            user.email

After creating the application in your Identity Provider, copy the Identity Provider Metadata URL and paste it into PC Matic to complete the SAML trust relationship.
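A pre-flight check for the assertion your Identity Provider sends, added here as an example (not PC Matic's code): it confirms the Audience matches the SP Entity ID, the Recipient matches the ACS / Reply URL, and the email arrives either as the NameID or through the required claim URI. It assumes "Name Format: URI" corresponds to the SAML 2.0 attrname-format:uri URN; the sample assertion and its hostnames are constructed, and it does not validate the signature.

```python
"""Check a decoded SAML assertion against the values PC Matic expects: Audience,
Recipient, and an email address carried as NameID or as the emailaddress claim."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"   # assumed for "Name Format: URI"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(xml_text, sp_entity_id, acs_url):
    """Return findings; 'email' is the address PC Matic would receive, or None."""
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        raise ValueError("no saml:Assertion element found")
    f = {"email": None, "email_source": None, "audience_ok": False, "recipient_ok": False}
    aud = a.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    f["audience_ok"] = aud is not None and aud.text == sp_entity_id
    scd = a.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    f["recipient_ok"] = scd is not None and scd.get("Recipient") == acs_url
    nameid = a.find(".//saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.get("Format") == EMAIL_NAMEID and "@" in (nameid.text or ""):
        f["email"], f["email_source"] = nameid.text.strip(), "NameID"
        return f
    for attr in a.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM and attr.get("NameFormat") == URI_FORMAT:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and "@" in (val.text or ""):
                f["email"], f["email_source"] = val.text.strip(), "claim"
    return f

# Constructed sample: the NameID is an opaque username, so the email must come
# from the claim attribute. Signature omitted; this is a configuration check, not a verifier.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.test/entity</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

Run it against a base64-decoded assertion captured from a test login, substituting your real SP Entity ID and ACS / Reply URL; an `email` of `None` means the Required Email Claim is not being sent.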


2. Configure SCIM Provisioning

SCIM provisioning enables automated lifecycle management between your Identity Provider and PC Matic.

Supported SCIM Operations

PC Matic supports:

  • User creation
  • User updates
  • User deactivation
  • User reactivation
  • Group creation
  • Group updates
  • Group renaming
  • Group membership additions
  • Group membership removals
  • Group deactivation and removal

Note: SCIM DELETE operations do not permanently remove global PC Matic user records. Delete operations are treated as lifecycle deactivation events.

Navigate to the SCIM Provisioning section of the PC Matic Management Console.

Configure Lifecycle Source

Before generating a provisioning token, change the User Lifecycle Source from PCM Managed to SCIM Managed.

Provisioning tokens cannot be generated while the account remains in PCM Managed mode.

SCIM Configuration

Configure the following settings within your Identity Provider:

Setting                   Value
Provisioning Method       SCIM
SCIM Base URL             SCIM Base URL shown in PC Matic
Unique User Identifier    userName
Authentication Method     HTTP Header
Authorization Token       Provisioning Token generated in PC Matic

After configuration is complete, perform a provisioning connection test from your Identity Provider.


3. Configure Login Authorization Mode

PC Matic supports two authorization modes when the User Lifecycle Source is set to SCIM Managed.

Advisory Mode

In Advisory Mode:

  • SCIM is treated as the authoritative lifecycle source.
  • Users may still authenticate even if access mappings are incomplete.
  • Missing role assignments do not prevent sign-in.
  • Advisory Mode is recommended during deployment, migration, and validation.

Enforced Mode

In Enforced Mode:

  • SCIM remains the authoritative lifecycle source.
  • Users must have a resolved access assignment before authentication is permitted.
  • Unresolved users may be blocked from accessing the PC Matic Management Console.

Access may be resolved through:

  • SCIM Group Push mappings
  • Direct SCIM role assignments
  • Direct SAML role assignments
  • Default Provisioning Role assignments

Organizations should validate all access mappings before enabling Enforced Mode.


4. Assign Users and Groups

After configuring SAML and SCIM, assign users and groups to the application within your Identity Provider.

Note: Users assigned to the application are not necessarily the same users who have PC Matic installed on their endpoints.

After assignment, allow your Identity Provider to synchronize users and groups to PC Matic.


5. Verify Synchronization Status

After synchronization completes, review the Migration Command Center.

Figure 3. Migration Command Center

The Migration Command Center provides visibility into:

  • Active PC Matic users
  • Active SCIM users
  • Users requiring migration
  • Synchronized groups
  • Access resolution status
  • SCIM health
  • Recent synchronization activity

Review the Dry-Run Preview section to identify users who may require attention before enforcing SCIM-managed access.

The SCIM Health panel displays provisioning token status, synchronization history, and recent provisioning failures.


6. Configure Role Resolution

Access within PC Matic may be determined from multiple sources.

Role Resolution Sources

Roles may be assigned through:

  1. SCIM Group Push mappings
  2. Direct SCIM role attributes
  3. Direct SAML role attributes
  4. Default Provisioning Role assignments
  5. Existing PC Matic role assignments during migration and advisory states

Users may be successfully provisioned before role assignments have been fully configured.

In these situations, users may appear within PC Matic but display a status indicating that a role assignment is still required.


7. Map Groups to Roles

After groups have synchronized successfully, map each synchronized group to the appropriate PC Matic role.

These mappings determine how group membership translates into access within the PC Matic Management Console.


8. Configure Group Priority

Group priority determines which role assignment is selected when a user belongs to multiple synchronized groups.

Priority Rules

  • Lower numerical priority values take precedence over higher values.
  • Direct user-level role assignments take precedence over group-based assignments.
  • Group-based assignments take precedence over default role assignments.
  • Default Provisioning Roles are evaluated last.

Review priorities carefully to ensure users receive the intended permissions.
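The precedence rules from sections 3, 6 and 8, as an added model (not PC Matic code): a direct user-level role wins, then the synchronized group mapping with the lowest priority number, then the Default Provisioning Role, and Advisory versus Enforced Mode only differ in what happens when nothing resolves. Group names, role names and priority numbers are constructed; existing PC Matic roles carried through migration (source 5 in section 6) are not modelled.

```python
"""Model of role resolution order and of the Advisory / Enforced sign-in decision."""
from dataclasses import dataclass, field

@dataclass
class GroupMapping:
    group: str      # synchronized group display name
    role: str       # PC Matic role the group maps to
    priority: int   # lower number takes precedence

@dataclass
class User:
    email: str
    active: bool = True                 # SCIM active flag
    groups: list = field(default_factory=list)
    direct_role: str = ""               # from a direct SCIM or SAML role attribute

def resolve_role(user, mappings, default_role=""):
    """Return (role, source); role is '' when no source resolves ("Role Required")."""
    if user.direct_role:                # direct user-level assignment beats groups
        return user.direct_role, "direct"
    candidates = [m for m in mappings if m.group in user.groups]
    if candidates:                      # lowest priority number wins among groups
        best = min(candidates, key=lambda m: m.priority)
        return best.role, "group:" + best.group
    if default_role:                    # Default Provisioning Role is evaluated last
        return default_role, "default"
    return "", "unresolved"

def sign_in_decision(user, mappings, default_role="", mode="advisory"):
    """Advisory Mode admits an unresolved active user (flagged Role Required);
    Enforced Mode blocks them. A user inactive in SCIM is blocked in both modes."""
    if not user.active:
        return "blocked: inactive in SCIM"
    role, source = resolve_role(user, mappings, default_role)
    if not role:
        return "allowed: Role Required" if mode == "advisory" else "blocked: access unresolved"
    return "allowed: %s via %s" % (role, source)

# Constructed mappings: the Admins group outranks Helpdesk because 10 < 20.
MAPPINGS = [GroupMapping("PCM-Admins", "Administrator", 10),
            GroupMapping("PCM-Helpdesk", "Technician", 20)]
```

Running your real mappings and a few representative users through `sign_in_decision` with `mode="enforced"` before flipping the switch shows exactly which accounts would be locked out.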


9. Password Authentication and Fallback Access

PC Matic does not synchronize passwords from your Identity Provider.

If password fallback authentication is enabled:

  • Users authenticate using a PC Matic password.
  • Identity Provider passwords are never copied to PC Matic.
  • Password fallback is intended for break-glass access, troubleshooting, and deployment validation.
  • Single Sign-On should remain the primary authentication method.

10. SCIM Support Notes

PC Matic supports standard SCIM provisioning operations with the following limitations:

  • SCIM Bulk operations are not supported.
  • Password synchronization is not supported.
  • SCIM password change operations are not supported.
  • SCIM sorting operations are not supported.
  • ETag/version concurrency controls are not supported.
  • Filtering support is limited to commonly used equality-based filters.

Validation Checklist

Before enabling Enforced Mode, verify the following:

☐ SAML application created successfully

☐ SP Entity ID configured correctly

☐ ACS / Reply URL configured correctly

☐ Required email claim configured

☐ Identity Provider metadata imported into PC Matic

☐ Lifecycle Source changed to SCIM Managed

☐ SCIM Base URL configured

☐ Provisioning token generated successfully

☐ Users assigned to the application

☐ Groups assigned to the application

☐ Users provision successfully

☐ Groups synchronize successfully

☐ Group-to-role mappings configured

☐ Migration Command Center reports healthy SCIM status

☐ Test users can authenticate successfully

☐ Access resolution verified for all required user groups

☐ Advisory Mode validation completed



Troubleshooting

User Cannot Sign In

Verify:

  • The user is assigned to the application in the Identity Provider.
  • The user is active in SCIM.
  • The user's email matches their PC Matic account.
  • The required email claim is being sent.
  • Access has been resolved through role assignment, group mapping, or a default role.

User Shows "Role Required"

Verify:

  • Group synchronization completed successfully.
  • Group-to-role mappings have been configured.
  • Direct role attributes are being sent correctly.
  • A Default Provisioning Role is configured if desired.

User Not Provisioned Through SCIM

Verify:

  • Lifecycle Source is set to SCIM Managed.
  • The provisioning token is valid.
  • The SCIM Base URL is configured correctly.
  • The user is assigned to the application within the Identity Provider.

Incorrect Role Assigned

Verify:

  • Group synchronization completed successfully.
  • Group-to-role mappings are configured correctly.
  • Group priority values are configured correctly.
  • Direct user-level role assignments are not overriding group assignments.

PC Matic SSO and SCIM Configuration Guide
