Administrators use the Role Assignments section to define the platform roles and teams assigned to a user the first time they log in to the platform through a configured IdP. When new members of an organization sign in to the platform through this IdP, they are assigned these predefined roles and team assignments. Refer to the Roles and features section in Managing Organizations for details on the roles and capabilities available in the platform.
Use the Role Mapping section to map role assignments and the Team Mapping section to map team assignments to the IdP-provided attributes.
To add a mapped role or team
- Click the Advanced Role Management toggle in the Actions (...) menu on the Identity Provider's detail page to display the Role Mapping and Team Mapping sections (these sections are hidden by default).
- Click + Role Mapping or + Team Mapping. A blank row appears.
- Complete the following fields:
- Team (applies to the team mapping section only) - Select the team to which the role mapping applies.
- Attribute Name (for OIDC) or Friendly Name or Attribute Name (for SAML) - From the Identity Provider configuration, copy the name of the property in the claim or assertion returned from the IdP during authentication. For SAML IdPs, use either the Friendly Name or the Attribute Name (not both); the same value cannot be provided for Friendly and Attribute names across different mappers.
- Attribute Value - Type the role or access defined for the user by the IdP. This value is case sensitive.
- Roles - Select the platform role that is assigned to the user when the user has a matching value for the defined attribute.
The image is for SAML. The only difference between the OIDC and SAML configuration is that OIDC requires the Attribute Name only and SAML requires the Friendly Name or Attribute Name.
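The field rules above can be checked offline before the mappings are entered in the UI. The following Python sketch is an added example, not the platform's code or API: the field names, role names and sample values are constructed, and the cross-mapper name check reflects one reading of the SAML rule.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Mapper:
    value: str                            # Attribute Value (case sensitive)
    role: str                             # platform role assigned on a match
    attribute_name: Optional[str] = None
    friendly_name: Optional[str] = None   # SAML only

def validate(mappers, protocol):
    """Return the rule violations found in a list of mappers."""
    errors = []
    for i, m in enumerate(mappers):
        if protocol == "oidc" and (m.friendly_name or not m.attribute_name):
            errors.append(f"mapper {i}: OIDC takes the Attribute Name only")
        if protocol == "saml" and bool(m.friendly_name) == bool(m.attribute_name):
            errors.append(f"mapper {i}: set Friendly Name or Attribute Name, not both")
    # Assumed reading: a string used as a Friendly Name in one mapper
    # may not be used as an Attribute Name in another.
    friendly = {m.friendly_name for m in mappers if m.friendly_name}
    attribute = {m.attribute_name for m in mappers if m.attribute_name}
    for name in sorted(friendly & attribute):
        errors.append(f"'{name}' is used as both Friendly Name and Attribute Name")
    return errors

def resolve_roles(mappers, attributes):
    """attributes: {name: [values]} taken from the claim or assertion."""
    roles = set()
    for m in mappers:
        name = m.friendly_name or m.attribute_name
        if m.value in attributes.get(name, []):   # exact match, no case folding
            roles.add(m.role)
    return roles

# Constructed sample data (hypothetical attribute, value and role names).
SAML_MAPPERS = [
    Mapper(value="platform-admins", role="Administrator", friendly_name="memberOf"),
    Mapper(value="api-devs", role="Developer", attribute_name="urn:example:groups"),
]

if __name__ == "__main__":
    print(validate(SAML_MAPPERS, "saml"))
    print(resolve_roles(SAML_MAPPERS, {"memberOf": ["platform-admins"]}))
    print(resolve_roles(SAML_MAPPERS, {"memberOf": ["Platform-Admins"]}))
```

A value that differs from the IdP's only in letter case matches nothing in this model, so confirm the exact string with Test Mapped Attributes.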
After you have completed mapping roles and teams, you can test the configuration.
To test the mapping
- Click the Actions (...) menu on the Identity Provider page, and then select Test Mapped Attributes. A modal dialog displays.
- Select a User and Attribute, and then click Check User Attribute.
- Verify that the attribute mapper has stored the expected value on the user from the last time they logged in to the platform.