Skip to main content
Version: 2024.12.12

Map User Group Assignments

You can use attribute mappers to ensure that your users inherit the correct user group assignments in the Digital.ai Platform. For more information about mappers and what they do, see Map User Data.

Group Mapping Workflow

Any group mapping for a user will be applied after the user logs into the Platform via their IdP. When a user logs in via the IdP, here are the steps that take place:

  1. The Platform checks the token sent over from the IdP to see if there are any groups.
note

The claim/assertion checked is the claim/assertion defined in the Group Mapper added to your IdP. See step 5 in IdP Group to Platform Group Mapping.

  1. The Platform places the user in any Groups that have a name that matches the Group sent from the IdP if Sync with IdP is set to True for the Group.

After creating the required groups and mappers in your IdP and configuring them in our system, when a user signs in, the system will inspect the group claims in their SAML or OIDC token. It will then look for a matching group in the Platform and assign the user to that group. If the user signs into an application like Release or Deploy, they will automatically be added to the appropriate group membership for that application.

Prerequisites

Before you begin, you must have already configured your SSO connection. For more information, see Manage Identity Providers.

You must also have already created one or more user groups in the Platform. For more information, see User Groups.

IdP Group to Platform Group Mapping

You can create a mapper to enroll your SSO users in the correct Platform groups. This is important in order to bridge the gap between your IdP and a Digital.ai Product, so that users can be automatically assigned the appropriate roles in the Product.

You only need to create one mapper for this purpose, as it will pass all group IDs from your IdP and place users in correct groups in the Platform.

  1. In the left navigation, under SSO, click Identity providers.
  2. Find the IdP you want to edit, then click the Edit icon under Actions.
  3. Click Next until you reach the Mappers page.
  4. Click the Add dropdown and click Group mapping.
  5. In Claim, enter the name or object ID (Azure AD only) of the group claim from your IdP.
  6. Click Add mapper.

IdP Group to Platform Role Mapping

You may also want to create mappers to assign Platform-specific roles to users based on their group assignments in your IdP (for example, if you want to give the account-admin Platform role to users in an allAdmins IdP group). Users are automatically assigned the account-user Platform role by default if you do not create these mappers.

note

This will only affect users that need to work in the Platform itself (administrators, IT personnel, etc), and would not have any impact on users or permissions in any individual products.

note
  1. On the same Mappers page, click the Add dropdown and click Mapper.
  2. In Name, enter something descriptive like allAdmins mapper.
  3. Leave Sync Mode as INHERIT.
  4. In Mapper Type, choose Advanced Claim to Role.
  5. In New Key, enter groups.
  6. In New Value, enter allAdmins (the name of the group coming from the IdP).
  7. In Select Role, choose account-admin (the Platform role that this group's users should belong to)
  8. Click Add mapper.
  9. Repeat the previous step for each group that you want to map to a role.