Permission Groups can be automatically assigned to the user during the initial provisioning / creation and updated as needed on subsequent authentications.
Groups Mapping can be configured within the Authenticator via the following field options:
Group Value(s) Mapping:
If Group Name values are provided in the assertion and match exactly the Group Name values available in IntelligenceBank, these Groups can be automatically assigned to the user. Supported assertion parameters are "groups" or "member-of".
Only Map Group Value(s) on User Creation:
If Group Value(s) Mapping is enabled, you can chose for the feature to only apply when a user is initially automatically created as part of the assertion. This requires Auto User Creation on SSO setting to be enabled under Admin > Settings.
Group Value(s) Mapping Type:
This option defines the behavior of the mapping as per the below.
On initial user creation, if there is a Template user in the system, the Groups from the assertion follow are either MERGED with the Template User Groups or REPLACE the Template User Groups.
If there is no Template user enabled in the system, the Groups are assigned to the user in both scenarios where Merge or Append is enabled.
If no values are matched, then the user will not be created.
On Updates/Subsequent Assertions:
REPLACE - Group values in the assertion replace any existing groups values available against the user account at the time of assertion.
This does not apply if there are no Groups listed in the assertion OR if zero of the Group name values from the assertion can be matched with, as in this case the current Group values are kept (the User should not have 0 group).
MERGE - Group values are appended to/ merged with any existing groups available for the existing user at the time of the assertion.
Note that Multiple Values can be provided in the assertion - pending the source field type used is designed for a multi-value output.
Please sign in to leave a comment.