In a SAML integration, userGroupAttribute and userGroupToRoleMapping control how the group membership data sent by the Identity Provider (IdP) is turned into roles in the Service Provider (SP), here IriusRisk. This article describes the default userGroupAttribute and userGroupToRoleMapping configurations for Azure and Okta, along with important considerations.
Default userGroupAttribute and userGroupToRoleMapping for Azure:
In the SAML integration with Azure, the following default configurations are used:
userGroupAttribute:
- Attribute: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'
- Description: This attribute holds the returned group membership data for the user.
userGroupToRoleMapping:
- Example mapping of Azure group object ID (GUID) to IriusRisk role (placeholder values):
- 'h06aNZyl-Bzjc-bR6X-qlew-CZvMHvbsG0sq': 'ROLE_TEST_ONLY'
- 'IVfp1C0J-ujQT-y6Ky-2WPE-o4h5mdiEiPZR': 'ROLE_ADMIN'
- 'a06wlKy2-3NEj-fsEv-JrPc-i6rl4YuRX2YP': 'ROLE_PORTFOLIO_VIEW'
Explanation:
- The userGroupAttribute 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' is the SAML attribute (claim) in which Azure returns the user's group membership. By default Azure returns the object ID (GUID) of each group, not its display name.
- The userGroupToRoleMapping maps each Azure group GUID to the corresponding IriusRisk role, so the user's group membership in Azure determines the role they are assigned in IriusRisk. A group that is returned in the claim but does not appear in the mapping grants no role.
Default userGroupAttribute and userGroupToRoleMapping for Okta:
When integrating IriusRisk with Okta for SSO, the following default configurations are used:
userGroupAttribute:
- Attribute: 'memberOf'
- Description: This attribute holds the returned group membership data for the user.
userGroupToRoleMapping:
- Example mapping of Okta group name to IriusRisk role. Each 'Your_okta_group' placeholder must be replaced with a distinct Okta group name; a mapping cannot contain the same group twice:
- 'Your_okta_group': 'ROLE_TEST_ONLY'
- 'Your_okta_group': 'ROLE_ADMIN'
- 'Your_okta_group': 'ROLE_PORTFOLIO_VIEW'
Explanation:
- The userGroupAttribute 'memberOf' is the SAML attribute in which Okta returns the user's group membership, as group names.
- The userGroupToRoleMapping maps each Okta group name to the corresponding IriusRisk role, so the user's group membership in Okta determines the role they are assigned in IriusRisk.
Considerations
- Make sure that the group identifiers in your userGroupToRoleMapping configuration match exactly what your identity provider (IdP) returns in the userGroupAttribute: for Azure the group object IDs (GUIDs), for Okta the group names. Matching is exact, including case; a mismatched value silently grants no role.
- Make sure that the IriusRisk role names used in the userGroupToRoleMapping configuration match the names of the roles in your IriusRisk application exactly.
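The following is an added example, not IriusRisk code, that shows how a userGroupAttribute / userGroupToRoleMapping pair is applied to the attribute statement of a SAML assertion, using both the Azure-style configuration (group object IDs) and the Okta-style configuration (group names) from above. The Okta group names and the two sample assertions are constructed for this illustration, the GUIDs are the placeholders from this page, and the function names are this example's own. It also demonstrates the two considerations above: an exact, case-sensitive match is required, and a role name that the application does not define is a configuration error worth catching before go-live.

```python
"""Resolve application roles from the group attribute of a SAML assertion.

Added example, not IriusRisk's implementation.  Attribute names and sample
assertions are constructed here; group IDs/names are placeholders.
NOTE: a real SP must validate the assertion's signature, issuer, audience and
time conditions before trusting any attribute value it carries.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure-style configuration: the groups claim carries group object IDs (GUIDs).
AZURE_CONFIG = {
    "userGroupAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "userGroupToRoleMapping": {
        "h06aNZyl-Bzjc-bR6X-qlew-CZvMHvbsG0sq": "ROLE_TEST_ONLY",
        "IVfp1C0J-ujQT-y6Ky-2WPE-o4h5mdiEiPZR": "ROLE_ADMIN",
        "a06wlKy2-3NEj-fsEv-JrPc-i6rl4YuRX2YP": "ROLE_PORTFOLIO_VIEW",
    },
}

# Okta-style configuration: memberOf carries group names; each key is a distinct group.
# The group names are assumed for this example.
OKTA_CONFIG = {
    "userGroupAttribute": "memberOf",
    "userGroupToRoleMapping": {
        "IriusRisk-Testers": "ROLE_TEST_ONLY",
        "IriusRisk-Admins": "ROLE_ADMIN",
        "IriusRisk-Portfolio-Viewers": "ROLE_PORTFOLIO_VIEW",
    },
}

# Roles named on this page; used to catch typos in the mapping.
KNOWN_ROLES = {"ROLE_TEST_ONLY", "ROLE_ADMIN", "ROLE_PORTFOLIO_VIEW"}


def make_assertion(attribute_name: str, values: list[str]) -> str:
    """Constructed sample: a minimal, unsigned assertion carrying one group attribute."""
    vals = "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
    name = escape(attribute_name, {'"': "&quot;"})
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


def group_values(assertion_xml: str, attribute_name: str) -> list[str]:
    """Return every AttributeValue of the named SAML Attribute (empty list if absent)."""
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values.extend((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def resolve_roles(assertion_xml: str, config: dict) -> set[str]:
    """Map the returned groups to roles.

    Matching is exact and case-sensitive: a group the IdP spells differently from
    the mapping key, or an Azure group identified by display name when the claim
    carries object IDs, yields no role at all rather than a wrong one.
    """
    mapping = config["userGroupToRoleMapping"]
    groups = group_values(assertion_xml, config["userGroupAttribute"])
    return {mapping[g] for g in groups if g in mapping}


def unknown_roles(config: dict, known_roles: set[str] = KNOWN_ROLES) -> set[str]:
    """Roles referenced by the mapping that the application does not define.

    A misspelled role would otherwise fail silently at login time.
    """
    return set(config["userGroupToRoleMapping"].values()) - known_roles


if __name__ == "__main__":
    azure_groups_claim = AZURE_CONFIG["userGroupAttribute"]
    admin = make_assertion(azure_groups_claim, ["IVfp1C0J-ujQT-y6Ky-2WPE-o4h5mdiEiPZR"])
    print("Azure admin by object ID:", resolve_roles(admin, AZURE_CONFIG))
    by_name = make_assertion(azure_groups_claim, ["IriusRisk-Admins"])
    print("Azure display name instead of object ID:", resolve_roles(by_name, AZURE_CONFIG))
    okta = make_assertion("memberOf", ["Everyone", "IriusRisk-Admins"])
    print("Okta admin by group name:", resolve_roles(okta, OKTA_CONFIG))
    wrong_case = make_assertion("memberOf", ["iriusrisk-admins"])
    print("Okta name with wrong case:", resolve_roles(wrong_case, OKTA_CONFIG))
    print("Unknown roles in Okta mapping:", unknown_roles(OKTA_CONFIG))
```

Running the script shows the failure modes the considerations warn about: the Azure assertion that carries a group display name instead of the object ID, and the Okta assertion whose group name differs only in case, both resolve to an empty role set, so the user logs in with no role rather than an unexpected one.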