Default Role and Team Assignments
Administrators use the Role Assignments section to define the platform roles and teams a user receives the first time they log in to the platform through a configured IdP. When new members of an organization sign in through this IdP, they are given these predefined role and team assignments. Refer to the Roles and features section in Managing Organizations for details on the roles and capabilities available in the platform.
The Role Assignments section defines:
- Default Org Roles - The Default Org Roles section defines the org-level role a new user is assigned when they log in to the platform for the first time for the configured IdP. The default is the Developer role.
- Default Teams - The Default Teams section defines any default teams a new user is assigned, and the roles they are given in the team or teams (if any) when they log in to the platform for the first time for the configured IdP. The default is the org's Default team with the Developer role.
IdP Managed Role and Team Assignments
The Advanced Role Management section allows an org administrator to manage platform role and team assignments from attributes provided by the IdP. An administrator can define any number of mappings for org roles and, where applicable, team assignments. If a user's attributes match more than one mapped platform role in the same scope (org or team), the user is assigned the matched role with the highest access level; every matched service or non-platform role is assigned in addition.
Roles defined by these mappers are assigned to any matching user authenticating through the IdP. When a user's role assignment changes at the IdP, the user's roles within the platform are updated automatically the next time the user logs in to the platform; changes made at the IdP therefore take effect at the next login, not during an existing session.
The Advanced Role Management section is optional and hidden by default. The advanced mapping configuration can save time for larger organizations whose IdP already defines roles and teams for their users, but may not be applicable or advantageous to orgs that do not.
Mapping Roles and Teams
Use the Role Mapping section to map role assignments and the Team Mapping section to map team assignments to the IdP provided attributes.
To add a mapped role or team
- Click the Actions (...) menu on the Identity Provider's detail page to display the Role Mapping and Team Mapping sections (these sections are hidden by default).
- Click + Role Mapping or + Team Mapping. A blank row appears.
- Complete the following fields:
- Team (applies to the team mapping section only) - Select the team to which the role mapping applies.
- Attribute Name (for OIDC) or Friendly Name or Attribute Name (for SAML) - Enter the name of the property in the claim (OIDC) or assertion (SAML) that the IdP returns during authentication; take the name from the Identity Provider configuration so it matches exactly. For SAML IdPs, fill in either the Friendly Name or the Attribute Name, not both, and the same value cannot be used as a Friendly Name in one mapper and as an Attribute Name in another.
- Attribute Value - Type the value of that attribute, exactly as the IdP returns it, that should grant the role (for example, a group name). Matching is case sensitive, so a value that differs only in case does not match.
- Roles - Select the platform role that is assigned to a user whose attribute carries the matching value.
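The following is an added example, not the platform's own code, that works through the mapping rules described above: the highest-access platform role wins per scope (org or team), every matched non-platform role is added, attribute values are matched case-sensitively, and the SAML constraints on Friendly Name versus Attribute Name are enforced before any mapper is applied. The role ordering Viewer < Developer < Administrator, the non-platform role `BillingManager`, the fallback to the default org role when no org mapper matches, and all claims, attribute names and group values are assumptions of this example.

```python
# Added illustration of the IdP-managed role mapping rules; not the platform's
# own code. Assumed here: a role ladder Viewer < Developer < Administrator, a
# hypothetical non-platform role "BillingManager", and constructed IdP data.
from dataclasses import dataclass
from typing import Optional

ROLE_RANK = {"Viewer": 0, "Developer": 1, "Administrator": 2}  # assumed ordering


@dataclass(frozen=True)
class Mapper:
    attribute_value: str                  # compared case-sensitively
    role: str                             # platform role (in ROLE_RANK) or service role
    attribute_name: Optional[str] = None  # OIDC claim name, or SAML Attribute Name
    friendly_name: Optional[str] = None   # SAML FriendlyName (SAML only)
    team: Optional[str] = None            # None means an org-level role mapper


@dataclass(frozen=True)
class IdpAttribute:
    name: str                             # claim name or SAML Attribute Name
    values: tuple                         # every value carried in the claim/assertion
    friendly_name: Optional[str] = None   # SAML FriendlyName, if the IdP sends one


def validate_mappers(mappers):
    """Exactly one of FriendlyName / Attribute Name per mapper, and no value used
    as FriendlyName on one mapper and as Attribute Name on another."""
    friendly, attr = set(), set()
    for m in mappers:
        if (m.attribute_name is None) == (m.friendly_name is None):
            raise ValueError(f"mapper {m.role!r}: set exactly one of attribute_name/friendly_name")
        (friendly if m.friendly_name else attr).add(m.friendly_name or m.attribute_name)
    clash = friendly & attr
    if clash:
        raise ValueError(f"used as both FriendlyName and Attribute Name: {sorted(clash)}")


def oidc_attributes(claims):
    """Normalise an OIDC claim set (constructed in this example) to IdpAttribute records."""
    return [IdpAttribute(k, tuple(str(x) for x in (v if isinstance(v, list) else [v])))
            for k, v in claims.items()]


def _matches(m, attrs):
    for a in attrs:
        if m.friendly_name is not None and a.friendly_name != m.friendly_name:
            continue
        if m.friendly_name is None and a.name != m.attribute_name:
            continue
        if m.attribute_value in a.values:  # exact, case-sensitive comparison
            return True
    return False


def resolve(mappers, attrs, default_org_role="Developer"):
    """Apply every mapper; keep the highest-ranked platform role per scope (org or
    team) plus every matched non-platform role. Falling back to the default org
    role when no org mapper matches is an assumption of this example."""
    validate_mappers(mappers)
    platform, extra = {None: []}, {None: set()}  # key None = org scope, else team name
    for m in mappers:
        if not _matches(m, attrs):
            continue
        if m.role in ROLE_RANK:
            platform.setdefault(m.team, []).append(m.role)
        else:
            extra.setdefault(m.team, set()).add(m.role)

    def highest(scope):
        roles = platform.get(scope, [])
        return max(roles, key=ROLE_RANK.__getitem__) if roles else None

    return {
        "org_role": highest(None) or default_org_role,
        "org_extra_roles": sorted(extra[None]),
        "team_roles": {t: highest(t) for t in platform if t is not None},
        "team_extra_roles": {t: sorted(v) for t, v in extra.items() if t is not None},
    }


# ---- Constructed sample configuration and IdP data (not real tenant data) ----
MAPPERS = [
    Mapper("platform-admins", "Administrator", attribute_name="groups"),
    Mapper("engineers", "Developer", attribute_name="groups"),
    Mapper("readonly", "Viewer", attribute_name="groups"),
    Mapper("billing", "BillingManager", attribute_name="groups"),   # non-platform role
    Mapper("api-devs", "Developer", attribute_name="groups", team="API"),
    Mapper("api-leads", "Administrator", attribute_name="groups", team="API"),
]
ALICE_CLAIMS = {"sub": "alice", "groups": ["engineers", "readonly", "billing", "api-devs", "api-leads"]}
BOB_CLAIMS = {"sub": "bob", "groups": ["Readonly"]}   # wrong case: matches no mapper
SAML_MAPPERS = [Mapper("engineers", "Developer", friendly_name="groups")]
CAROL_SAML = [IdpAttribute("urn:example:groups", ("engineers",), friendly_name="groups")]

if __name__ == "__main__":
    print(resolve(MAPPERS, oidc_attributes(ALICE_CLAIMS)))
    print(resolve(MAPPERS, oidc_attributes(BOB_CLAIMS)))   # falls back to the default org role
    print(resolve(SAML_MAPPERS, CAROL_SAML))
```

Bob's case is the one to watch when reviewing a mapping: because comparison is case sensitive, a value typed as `Readonly` against an IdP that sends `readonly` matches nothing, and the user silently lands on whatever the default org role grants rather than the restrictive role the administrator intended. Checking the stored attribute value with Test Mapped Attributes after a real login is how to catch that before relying on the mapper.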
Testing Mapped Attributes
After you have completed mapping roles and teams, you can test the configuration.
To test the mapping
- Click the Actions (...) menu from the Identity Provider page, and then select Test Mapped Attributes. A modal dialog displays.
- Select a User and Attribute, and then click Check User Attribute.
- Verify that the attribute mapper stored the expected value on the user. The value shown is the one captured the last time that user logged in to the platform, so a change made at the IdP is not reflected until the user logs in again.