Set SAML Single Sign-On User Group Mapping Rules
Suppose you have configured different User Groups and Access Groups to provide these User Groups with least privilege access to authorized resources. In that case, you can easily enforce these access restrictions based on any appropriate user information being maintained in your Identity Provider by using SAML User Group mapping rules.
If you have configured different User Groups and Access Groups to provide these User Groups with least privilege access to authorized resources, you can easily enforce these access restrictions based on any appropriate user information being maintained in your Identity Provider by using SAML User Group mapping rules.
To use attribute-based access control based on the department, you created different CloudConnexa User Groups and Applications and have configured Access Groups restricting each User Group to access only applications authorized for that department. For example, User Group HR can access App A, X, and Y, and User Group Finance can access App B and Z. Now what is left to do is to get the department information when a user logs in with SSO and assign the user to the correct CloudConnexa User Group. SAML User Group Mapping Rules allow you to map the values of a SAML attribute selected to represent the Group to specific CloudConnexa User Groups.
Note
You need to configure your Identity Provider to send the attribute that contains the values you want to map to User Groups in response to the authentication request. Refer to SAML Configuration Tutorials and SAML Configuration Videos.
Once you have mapped the attribute being sent across by the IdP to Group in the Attribute Mapping step(refer to Set SAML Single Sign-On authentication for Users), add a SAML User Group Mapping rule by following the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the SAML Single Sign-On section.
Toggle the User Group Sync from IdP switch to ON.
Click Add Rule.
Enter the value(s) set in the IdP attribute and select one of the CloudConnexa User Groups from the drop-down it should map to. Provide a Priority to the rule, with 1 being the highest.
Note
If the IdP provided value matches with multiple rules, the one with the highest priority will be used to map the User to the CloudConnexa User Group. If the value does not match with any of the mapping rules, the User will be mapped to the CloudConnexa User Group configured in the Unmapped SAML IdP User Groups section.
Click Add Rule
Click Cancel to exit.
Note
CloudConnexa will receive any user configuration change made on the Identity Provider after the user’s next successful authentication. If a user is deleted or disabled on IdP, the user must be deleted from CloudConnexa.
Tutorial showing how to set SAML User Group Mapping Rules
Edit a User Group Mapping Rule
To edit a User Group Mapping Rule, follow the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the SAML Single Sign-On section.
The list of rules will be shown in the User Group Mapping Rules table with the Edit and the Delete icons for each rule record. Each rule record will also have Decrement and Increment icons.
Click the Edit icon next to the rule record that needs to be changed.
Make the required changes.
Click Update Rule.
Click Cancel to exit.
Change the priority of a User Group Mapping Rule
If the IdP provided value matches with multiple rules, the one with the highest priority will be used to map the User to the CloudConnexa User Group. If the value does not match with any of the mapping rules, the User will be mapped to the CloudConnexa User Group configured in the Unmapped SAML IdP User Groups section.
To change the priority of a rule, you can edit it and change the priority value, or you can use the Decrement and Increment icons by following the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the SAML Single Sign-On section.
The list of rules will be shown in the User Group Mapping Rules table with the Edit and the Delete icons for each rule record. Each rule record will also have Decrement and Increment icons.
Click the Increment/Decrement icons next to the rules to arrange the rules by the needed priority in the table. The priorities of the affected rules are automatically updated.
Click Cancel to exit.
Delete a User Group Mapping Rule
To delete a User Group mapping rule, follow the steps below:
Navigate to Settings > User Authentication.
Click Edit, which is located in the top right corner.
Click User Group Mapping in the SAML Single Sign-On section.
The list of rules will be shown in the User Group Mapping Rules table with the Edit and the Delete icons for each rule record. Each rule record will also have Decrement and Increment icons.
Click the Delete icon next to the rule record that needs to be deleted.
Click Delete in the confirmation dialog box.
Click Cancel to exit.