SAML Assertion Configuration
Once the initial SSO configuration is in place, your team will begin building and validating the connection between your IdP and AFS. AFS requires product-specific attributes in each SAML Response to successfully authenticate and provision users.
TrueChecks SAML Assertions
At a minimum, AFS expects the following standard claim for all requests:
- NameIdentifier – The user's unique identifier, typically their email address. This must be unique across all users of the portal.
For automated user provisioning, the following fields are required:
- FirstName – User's first name
- LastName – User's last name
- Email – User's email address
- TellerId – User's Teller ID
- BranchId – User's Branch ID
Optional fields include:
- UserRoles – Comma-separated list of roles that should be assigned to the user in the AFS Portal. Available roles vary based upon client licensing and can be obtained from a client administrator on the AFS portal or by contacting AFS Support. If no roles are passed, the user will be created but will have no access.
- Status – Accepts values of Active, Disabled, or Deleted. This is used to enable a new user, temporarily disable a user, or permanently delete a user. If no value is passed, the user is assumed to be Active.
Positive Pay SAML Assertions
At a minimum, AFS expects the following attributes for all requests:
- NameIdentifier – The user's unique identifier, typically their email address. This must be unique across all users of the portal.
- Email – User's email address
For automated user provisioning, the following fields are required:
- FirstName – User's first name
- LastName – User's last name
Optional fields include:
- UserRoles – Two formats are supported:
  - Comma-Separated Format: A simple, comma-separated list of roles to assign to the user. These roles must match exactly the roles created in the Positive Pay Portal. In this format, all specified roles are applied by default to all available accounts associated with the Business Client.
  - JSON Format: A JSON array of role-to-account mappings. This format allows each role to be explicitly associated with one or more accounts. Accounts must be passed as either the Account ID value or a Routing Number + Account Number combination.
    Note: When passed as part of a SAML assertion, the JSON object must be properly escaped.
    [
      { "Role": "Role1", "Accounts": "123456789,987654321" },
      { "Role": "Role2", "Accounts": "123456789" }
    ]
- Status – Accepts the value Active to indicate that the user is active. If the Status attribute is omitted, the user is also treated as active. Any value other than Active is interpreted as indicating a deactivated user. For example, values such as Disabled, Deleted, or Deactivated will all result in the user being deactivated.
- BusinessClientId – ID of the Business Client in Positive Pay. Required only for provisioning Business Client users. Not required when provisioning Financial Institution users. Two ID values are supported:
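The following Python script is an added example covering both the TrueChecks and Positive Pay attribute lists above; it is not code from AFS or from this page. It builds a SAML 2.0 AttributeStatement from a dict of claims (so a JSON-valued UserRoles claim is XML-escaped by the serializer rather than by hand), checks an incoming statement for the required claims of a given product, parses UserRoles in both supported formats, and applies each product's Status rules. The claim names and required sets are taken from the page; the product keys (truechecks, positivepay), the function names, and the sample user values are assumptions made for this example.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Required claims per product, as listed on the page. The product keys are
# labels chosen for this example, not identifiers used by AFS.
REQUIRED = {
    "truechecks": {
        "auth": {"NameIdentifier"},
        "provisioning": {"FirstName", "LastName", "Email", "TellerId", "BranchId"},
    },
    "positivepay": {
        "auth": {"NameIdentifier", "Email"},
        "provisioning": {"FirstName", "LastName"},
    },
}


def build_attribute_statement(claims):
    """Serialise {claim name: value} as a SAML 2.0 AttributeStatement.
    ElementTree escapes '&', '<' and '>' in text nodes, so a JSON string
    placed in UserRoles is emitted as valid XML without manual escaping."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in claims.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def extract_attributes(statement_xml):
    """Return {claim name: first AttributeValue text} from an AttributeStatement."""
    root = ET.fromstring(statement_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        claims[attr.get("Name")] = (value.text or "") if value is not None else ""
    return claims


def missing_claims(claims, product, provisioning=False):
    """Sorted list of required claims that are absent or blank.
    Blank values are treated as missing so an empty NameIdentifier
    cannot slip through as a 'present' unique identifier."""
    spec = REQUIRED[product]
    needed = set(spec["auth"])
    if provisioning:
        needed |= spec["provisioning"]
    return sorted(name for name in needed if not claims.get(name, "").strip())


def parse_user_roles(value):
    """Parse UserRoles in either supported format.
    Returns [(role, accounts)], where accounts is None for the comma-separated
    format (role applies to all of the client's accounts) and a list of account
    strings for the JSON role-to-account format."""
    value = value.strip()
    if value.startswith("["):
        mappings = json.loads(value)
        return [
            (m["Role"], [a.strip() for a in m["Accounts"].split(",") if a.strip()])
            for m in mappings
        ]
    return [(role.strip(), None) for role in value.split(",") if role.strip()]


def effective_status(product, status):
    """Apply each product's Status rules from the page.
    TrueChecks: Active / Disabled / Deleted, missing means Active.
    Positive Pay: Active or missing means Active; anything else deactivates."""
    if status is None or not status.strip():
        return "Active"
    status = status.strip()
    if product == "truechecks":
        if status not in ("Active", "Disabled", "Deleted"):
            raise ValueError(f"unsupported TrueChecks Status value: {status!r}")
        return status
    return "Active" if status == "Active" else "Deactivated"


if __name__ == "__main__":
    # Constructed sample claims for a Positive Pay Business Client user.
    sample = {
        "NameIdentifier": "jane.doe@example.com",
        "Email": "jane.doe@example.com",
        "FirstName": "Jane",
        "LastName": "Doe",
        "UserRoles": json.dumps([{"Role": "Role1", "Accounts": "123456789,987654321"}]),
        "Status": "Active",
        "BusinessClientId": "BC-PLACEHOLDER",  # placeholder, not a real ID
    }
    xml = build_attribute_statement(sample)
    print(xml)
    claims = extract_attributes(xml)
    print("missing for Positive Pay provisioning:", missing_claims(claims, "positivepay", True))
    print("missing for TrueChecks provisioning:", missing_claims(claims, "truechecks", True))
    print("roles:", parse_user_roles(claims["UserRoles"]))
    print("status:", effective_status("positivepay", claims.get("Status")))
```

Run the validator against the statement your IdP actually emits (for example, the AttributeStatement captured from a browser SAML tracer during testing) rather than against the attribute mapping screen: the check is only meaningful on the bytes AFS will receive, and a blank or mis-named claim is the most common reason provisioning silently creates a user with no access.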