Add External group from SSO provider
Introduction
This page describes a process for adding external group mapping.
Any external claim (group) can be mapped to any internal group - there is no need to create a group dedicated to external users.
Configuration
Step 1. Select a group
Register a new group in the system, or choose an existing one, to be used for the mapping.
Step 2. Open System Security Console
Mapping of groups from SSO providers must be done in the Realm Management console.
From the user menu, select Manage System Security:
Step 3. Edit realm Identity Providers
To create a mapping from a specific claim to a group or permission in the system, follow these steps:
Open the realm's Identity Providers
Select the configured ADFS/OpenID/SSO provider
Once the provider is selected, go to the Mappers tab and click Create to add a new mapping
Step 4. Add new mapping
Add the new mapping as shown below:
Fill in the name: this can be any "friendly name" that will let you recognise later what this mapping is for
Select mapper type: SAML Attribute to Role
Type in the Attribute name: this is the attribute that ADFS emits. The value shown is only an example and may differ on your ADFS instance, but in most cases it will be:
Type in the Attribute Value: the group name that ADFS emits
Select the target from the available Roles/Groups/Permissions using the Select Role button.
Note: a mapping can target a group (recommended), or directly a permission or permission set, but in the latter case permissions are harder to track and manage.
Useful information
Group names can differ across systems: the source system may have a group "Accounting" that is emitted as "FMA Users" and mapped in this system to "Users".
Any group can be used for the mapping; it may also contain "local" users.
External users are resolved at run time (during login), so group members might not be displayed correctly. The current user's membership is checked at every login.
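The following is an added example, not part of this page or its product, that models how the Step 4 mapping (attribute name + attribute value -> internal group) is resolved at login, including the "Accounting" -> "FMA Users" -> "Users" renaming above. It assumes an exact string match on the attribute value and that membership is recomputed from the current assertion alone; the attribute name and group names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeToGroupMapper:
    """One 'SAML Attribute to Role' style mapping, as configured in Step 4."""
    name: str             # friendly name of the mapping
    attribute_name: str   # attribute emitted by the IdP (e.g. ADFS)
    attribute_value: str  # group name carried in that attribute
    target_group: str     # internal group/role/permission chosen via 'Select Role'


def resolve_groups(assertion_attributes: dict[str, list[str]],
                   mappers: list[AttributeToGroupMapper]) -> set[str]:
    """Compute the internal groups a user gets for this login.

    A mapper fires only when the assertion carries its attribute and one of
    that attribute's values equals the configured value exactly (assumption).
    Because the result depends solely on the current assertion, membership is
    recomputed at every login and nothing from earlier logins is carried over.
    """
    granted: set[str] = set()
    for m in mappers:
        if m.attribute_value in assertion_attributes.get(m.attribute_name, []):
            granted.add(m.target_group)
    return granted


# Constructed sample configuration (not from any real deployment). The
# attribute name is a placeholder; use the one your IdP actually emits.
GROUP_ATTRIBUTE = "http://example.invalid/claims/Group"  # hypothetical
MAPPERS = [
    # "Accounting" in the source system is emitted as "FMA Users", mapped to "Users"
    AttributeToGroupMapper("fma-users-to-users", GROUP_ATTRIBUTE, "FMA Users", "Users"),
    AttributeToGroupMapper("fma-admins-to-admins", GROUP_ATTRIBUTE, "FMA Admins", "Administrators"),
]


def groups_for_login(emitted_groups: list[str]) -> set[str]:
    """Groups granted when the IdP emits the given group attribute values."""
    assertion = {GROUP_ATTRIBUTE: emitted_groups}  # constructed assertion attributes
    return resolve_groups(assertion, MAPPERS)


if __name__ == "__main__":
    print(groups_for_login(["FMA Users"]))                # {'Users'}
    print(groups_for_login(["FMA Users", "FMA Admins"]))  # {'Users', 'Administrators'}
    print(groups_for_login(["fma users"]))                # set(): match is exact
```

A user removed from "FMA Users" on the IdP side loses "Users" on the next login, which is the per-login re-evaluation the note above describes.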