
(no) Add External group from SSO provider




Introduction

This page describes the process for adding an external group mapping.

Any external claim (group) can be mapped to any internal group; there is no need to create a group dedicated to external users.



Configuration

Step 1. Select a group

Register a new group in the system, or choose an existing one that will be used for the mapping.



Step 2. Open System Security Console

Mapping of groups from SSO providers must be done in the Realm Management console.

From the user menu, select Manage System Security:

Step 3. Edit realm Identity Providers

In order to create a mapping from a specific claim to a group or permission in the system, follow these steps:

Open the realm's Identity Providers

Select the configured ADFS/OpenID/SSO provider

Once a provider is selected, go to the Mappers tab and click the Create button to add a new mapping

Step 4. Add new mapping

Add the new mapping as shown below:

  • Fill in the name: this can be any "friendly name" that will let you understand later on what this mapping is about

  • Select the mapper type: SAML Attribute to Role

  • Type in the Attribute name: this is the attribute that will be emitted by ADFS. The value shown here is just an example; it might be different on your ADFS instance, but in most cases it will be:

  • Type in the Attribute Value: a group name that is emitted by ADFS

  • Select the target from the available Roles/Groups/Permissions using the Select Role button.

 Note: a mapping can be made to a group (recommended), but also directly to a permission or permission set; in that case it will be harder to track and manage permissions.





Useful information

  • Group names can differ across systems. The original system can have a group "Accounting" that is emitted as "FMA Users" and is mapped in the system to "Users".

  • Any group can be used for mapping; it can also include "local" users.

  • External users are resolved at run time (during login), so group members might not be displayed correctly. The current user's membership is checked at every login.
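The following is an added example, not code from the product or from the SSO provider, that models offline what the "Add new mapping" form in Step 4 and the notes above describe: each mapper row (friendly name, attribute name, attribute value, selected role/group) is applied to the group claims in an incoming SAML assertion, and membership is recomputed from scratch on every login. The assertion, the attribute name http://schemas.xmlsoap.org/claims/Group, the mapper rows and the group names "FMA Users", "FMA Admins", "Users" and "Administrators" are all constructed values chosen to match the "Accounting" -> "FMA Users" -> "Users" chain in the text; the model matches attribute values exactly, which is an assumption to confirm against your own provider.

```python
"""Offline model of a "SAML Attribute to Role" mapper (added example).

Not the product's own code. Mapper rows and assertions are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed ADFS claim type carrying group names (the page elides the real one).
GROUP_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/Group"

# One row per "Add new mapping" form: friendly name, attribute name,
# attribute value emitted by ADFS, and the internal role/group chosen
# with "Select Role". Constructed values.
MAPPERS = [
    {"name": "ADFS accounting -> Users",
     "attribute_name": GROUP_ATTRIBUTE,
     "attribute_value": "FMA Users",
     "role": "Users"},
    {"name": "ADFS admins -> Administrators",
     "attribute_name": GROUP_ATTRIBUTE,
     "attribute_value": "FMA Admins",
     "role": "Administrators"},
]

# Constructed assertions resembling what ADFS emits for the same user at
# two separate logins; the second login carries one extra group claim.
ASSERTION_LOGIN_1 = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>FMA Users</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ASSERTION_LOGIN_2 = ASSERTION_LOGIN_1.replace(
    "<saml:AttributeValue>Domain Users</saml:AttributeValue>",
    "<saml:AttributeValue>Domain Users</saml:AttributeValue>\n"
    "      <saml:AttributeValue>FMA Admins</saml:AttributeValue>",
)


def claim_values(assertion_xml: str, attribute_name: str) -> set[str]:
    """Collect every value of the named attribute from the assertion."""
    root = ET.fromstring(assertion_xml)
    values: set[str] = set()
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in root.findall(path, SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text is not None:
                values.add(value.text.strip())
    return values


def resolve_roles(assertion_xml: str, mappers: list[dict]) -> set[str]:
    """Apply every mapper row: a row grants its role only when the
    assertion carries exactly the configured attribute value."""
    granted: set[str] = set()
    for mapper in mappers:
        values = claim_values(assertion_xml, mapper["attribute_name"])
        if mapper["attribute_value"] in values:
            granted.add(mapper["role"])
    return granted


def membership_change(previous: set[str], current: set[str]) -> dict[str, set[str]]:
    """Membership is recomputed at each login; report what changed so the
    difference between displayed and effective membership is visible."""
    return {"added": current - previous, "removed": previous - current}


if __name__ == "__main__":
    first = resolve_roles(ASSERTION_LOGIN_1, MAPPERS)
    second = resolve_roles(ASSERTION_LOGIN_2, MAPPERS)
    print("login 1 membership:", sorted(first))
    print("login 2 membership:", sorted(second))
    print("change at login 2:", membership_change(first, second))
```

Running the block shows "Domain Users" being ignored because no mapper row names it, "FMA Users" landing the user in the internal "Users" group without any dedicated external group, and the extra claim at the second login granting "Administrators" only from that login onward.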