Map User Group Assignments
You can use attribute mappers to ensure that your users inherit the correct user group assignments in the Digital.ai Platform. For more information about mappers and what they do, see Map User Data.
Prerequisites
Before you begin, you must have already configured your SSO connection. For more information, see Manage Identity Providers.
Add any groups you want to map in the Platform and check Sync with IdP. The name of each Group in the Platform must exactly match the Group name sent from the IdP.
For Azure AD, only Group IDs are sent, so the Group names in the Platform need to be the Group IDs being sent.
IdP Group to Platform Group Mapping
You can create a mapper to enroll your SSO users in the correct Platform groups. This is important in order to bridge the gap between your IdP and Digital.ai products, so that users can be automatically assigned appropriate roles in each product.
You only need to create one mapper for this purpose. This mapper tells the system which claim from the Identity Provider (IdP) contains the groups the user belongs to.
- In the left navigation, under SSO, click Identity providers.
- Find the IdP you want to edit, then click the Edit icon under Actions.
- Click Next until you reach the Mappers page.
- Click the Add dropdown and click Group mapping.
- In Claim, enter the name of the group claim from your IdP.
- Click Add mapper.
IdP Group to Platform Role Mapping
By default, any users created when logging into the Platform via an IdP are assigned the account-user role. If you would like to assign users a different role based on their Group membership in the IdP, that can be accomplished using a Group to Roles mapper.
This will only affect the user's role in the Platform itself, and will not have any impact on users or permissions in any individual products.
The following steps assign the account-admin role to any users in the IdP Group allAdmins.
- On the same Mappers page, click the Add dropdown and click Mapper.
- In Name, enter something descriptive like allAdmins mapper.
- Leave Sync Mode as INHERIT.
- In Mapper Type, choose Advanced Claim to Role.
- In New Key, enter groups.
- In New Value, enter allAdmins (the name of the group coming from the IdP).
- In Select Role, choose account-admin (the Platform role that this group's users should belong to).
- Click Add mapper.
- Repeat the previous steps for each group that you want to map to a role.
Group Mapping Workflow
Any group mapping for a user will be applied after the user logs into the Platform via their IdP. When a user logs in via the IdP, here are the steps that take place:
- The Platform checks the token sent over from the IdP to see if there are any groups. The claim/assertion checked is the one defined in the Group mapper added to your IdP. See step 5 in IdP Group to Platform Group Mapping.
- The Platform places the user in any Groups whose name matches a Group sent from the IdP, if Sync with IdP is set to True for the Group.
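The workflow above, modelled as an added Python example. This is not Digital.ai Platform code: the token is assumed to be already validated and decoded into a dict of claims, the PlatformGroup record and the (claim key, value, role) mapper tuples are assumptions, and the sample claims are constructed.

```python
# Added illustrative model of the Group Mapping Workflow (not Digital.ai Platform code).
# Assumes the IdP token has already been validated and decoded into a dict of claims.

from dataclasses import dataclass


@dataclass
class PlatformGroup:
    name: str            # must match the IdP group value exactly (case-sensitive)
    sync_with_idp: bool  # the "Sync with IdP" checkbox on the Platform group


def _as_list(value):
    # A claim may carry a single string or a list of strings.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def resolve_groups(claims, group_claim, platform_groups):
    """Workflow steps 1-2: read the claim named in the Group mapper and return the
    Platform groups the user is placed in (exact name match and Sync with IdP set)."""
    idp_groups = set(_as_list(claims.get(group_claim)))
    return [g.name for g in platform_groups if g.sync_with_idp and g.name in idp_groups]


def resolve_roles(claims, role_mappers, default_role="account-user"):
    """Advanced Claim to Role mappers: each mapper is (claim key, expected value, role).
    Every mapper whose claim contains the value grants its role; if none match, the
    user keeps the default account-user role. (Granting all matches is an assumption;
    the page does not state how several matching mappers combine.)"""
    roles = [role for key, value, role in role_mappers
             if value in _as_list(claims.get(key))]
    return roles or [default_role]


def demo():
    # Constructed sample: an IdP token whose "groups" claim lists two group names.
    claims = {"sub": "alice", "groups": ["allAdmins", "Developers"]}
    platform_groups = [
        PlatformGroup("allAdmins", sync_with_idp=True),
        PlatformGroup("Developers", sync_with_idp=False),  # not synced: ignored
        PlatformGroup("developers", sync_with_idp=True),   # case differs: no match
    ]
    mappers = [("groups", "allAdmins", "account-admin")]
    return resolve_groups(claims, "groups", platform_groups), resolve_roles(claims, mappers)
```

For Azure AD the claim carries Group IDs rather than names, so the PlatformGroup name must be the ID string for the match in resolve_groups to succeed.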