Version: 2024.3.27

Group Assignment During SSO

If you are using SSO authentication, VAR::COMPANYNAME App Management can configure your organization to manage a user's group membership during authentication whenever a Groups attribute is included with the user metadata.

Digital.ai App Management can add and remove a user from groups that are already defined in the system (Group Matching). Optionally, Digital.ai App Management can also create new groups and add the user to them (Group Auto-Provisioning).

Note

If you want to manage a user's group membership during SSO authentication, let Customer Support know so they can enable SSO group management for your organization. You will need to specify if you want Group Matching only, or both Group Matching and Group Auto-Provisioning.

If Digital.ai App Management enables SSO group management for your organization, you can still add and delete groups through the Admin Portal, but you should not use the Admin Portal to modify the membership of a group. If you do use the Admin Portal to add/remove a user to/from a group, the change will be overridden by the SAML assertion sent by the authentication server the next time the user logs in to the App Catalog. For more information on managing groups through the Admin Portal, see Managing Groups.

Group Matching

When Group Matching is enabled and a user logs in to VAR::COMPANYNAME App Management with SSO, the user is added to any groups that are listed in the Groups attribute and already exist. Digital.ai App Management ignores groups whose names do not identically match the names of existing groups. If Digital.ai App Management is auto-provisioning a new user, it also adds the user to the "All Users" group.

If a user is a member of a group in VAR::COMPANYNAME App Management and that group (other than the All Users group) is not listed in the Groups attribute, then the user is removed from the group. VAR::COMPANYNAME App Management never removes users from the All Users group during SSO authentication, regardless of what is in the Groups attribute.

Example

There are two groups in an organization: Boston and Engineering. Sally is a member of the Boston, Engineering, and Testing groups on the authentication server, but is not yet a user in the VAR::COMPANYNAME App Management database. When she logs in to Digital.ai App Management with SSO for the first time, the system creates a new user and adds her to the All Users group plus the groups listed in the Groups attribute, as long as those groups already exist. With the Groups attribute shown below (for both SAML and OAuth), Sally will be added to the All Users, Boston, and Engineering groups. The Testing group, of which Sally is a member, will be ignored because there is no Digital.ai App Management group with that identical name.

(Image: the Groups attribute as sent in the SAML assertion and in the OAuth metadata)

If Sally changes jobs and is removed from the Engineering group on the authentication server, the next time she logs into Digital.ai App Management she will be automatically removed from the Engineering group and will no longer see any of the applications assigned to that group. Sally will remain a member of the All Users and Boston groups, and the Testing group will continue to be ignored.


Group Auto-Provisioning

This method allows groups to be automatically created in Digital.ai App Management based on the authentication metadata. Unlike group matching, if a particular group in a user's group list does not already exist, it will be automatically added when the user logs in. Group provisioning can be useful if you don’t know which groups in a user's group list already exist in Digital.ai App Management and which do not. The downside of group provisioning is that you may end up with unneeded groups as a result of users who belong to many groups. Group provisioning can only add groups to Digital.ai App Management; to remove groups, you must manually delete them through the Admin Portal.

Example

Bob is a member of four groups: Boston, Engineering, Testing, and HR. The groups Boston and Engineering already exist, and the groups Testing and HR do not. When Bob logs in to VAR::COMPANYNAME App Management using SSO, the system checks whether all the groups in the Groups attribute already exist, and creates those that do not. In this example, Bob is added to the Boston and Engineering groups, which already exist. Digital.ai App Management creates the new Testing and HR groups, and adds Bob to them. Bob will still see all the applications shared with the All Users group, in addition to any applications assigned to the Boston, Engineering, Testing, and HR groups.


If Bob changes jobs and is removed from the Testing group on the authentication server, the next time he logs into VAR::COMPANYNAME App Management he will be automatically removed from the Testing group and will no longer see any of the applications associated with that group. (Note that the Testing group will not be removed from Digital.ai App Management.) Bob will remain a member of the All Users, Boston, Engineering, and HR groups.
