IdP group mapping examples

Depending on the Identity Provider (IdP) you are using, you need to configure appropriate attributes that are required in the SAML assertions to be sent from your IdP to the Control Room.

We have provided a few examples of how to configure the attributes that the Control Room requires to automatically provision users when you set up single sign-on (SSO) using SAML on your IdP. Use these examples as a reference when configuring your IdP. For more information, see your IdP documentation.
Note: Set the ACS or service provider URL to <Enterprise Control Room URL>/v1/authentication/saml/assertion when you set up your IdP.

JumpCloud

To set up your JumpCloud SSO using SAML, perform the following steps:

  1. Configure your JumpCloud SSO using SAML. See SSO using Custom SAML Application Connectors.
  2. Add the following attributes that are required for the Control Room to automatically provision users.
    Service Provider Attribute Name    JumpCloud Attribute Name
    UserID                             username
    FirstName                          firstname
    LastName                           lastname
    EmailAddress                       email
  3. Enable the GROUP ATTRIBUTES option and set the value to SecurityGroups.
  4. In User Groups, make sure you select the groups whose users need to access the Control Room.

Okta

To set up your Okta SSO using SAML, perform the following steps:

  1. Configure your Okta SSO using SAML. See Create your integration in Okta.
  2. Add the following attributes that are required for the Control Room to automatically provision users.
    Name            Value
    FirstName       user.firstName
    LastName        user.lastName
    EmailAddress    user.email
    UserID          user.login
  3. In the Group Attribute Statements (optional) section, set the Name value to SecurityGroups and assign the appropriate group.
  4. After the application is created, navigate to the Assignments tab and assign the application to either people or groups.

Microsoft Azure

To set up your Microsoft Azure SSO using SAML, perform the following steps:

  1. Configure your Microsoft Azure SSO using SAML. See Create an app registration in Azure.
  2. Add the following attributes that are required for the Control Room to automatically provision users.
    Claim name        Value
    EmailAddress      user.email
    FirstName         user.givenname
    LastName          user.surname
    UserID            user.userprincipalname
    SecurityGroups    user.groups
  3. Ensure that you assign this application to the users who need to access the Control Room. See Manage users and groups assignment to an application.
    Note: The Object Id on your group overview page is used as the IdP group name/SID in the Control Room. See Manage Microsoft Entra groups and group membership.
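Whichever IdP you use (JumpCloud, Okta, or Microsoft Azure above), the result has to be the same on the wire: a SAML assertion addressed to the Control Room ACS URL that carries the UserID, FirstName, LastName, and EmailAddress attributes plus a multi-valued SecurityGroups attribute. The script below is an added example, not Automation Anywhere's or any IdP's code: it decodes a captured SAMLResponse, lists the attributes the IdP actually sent, and reports anything that would stop auto-provisioning or group mapping from working. The sample response, the hostname controlroom.example.com standing in for <Enterprise Control Room URL>, and the group object IDs are all constructed placeholders.

```python
"""Inspect a decoded SAML Response and confirm that it carries the attributes
the Control Room expects for auto-provisioning and is addressed to the
configured ACS URL.

Added example, not Automation Anywhere or any IdP's code. The sample response
and all identifiers in it are constructed for illustration.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Service-provider attribute names from the mapping tables on this page.
REQUIRED_ATTRIBUTES = ("UserID", "FirstName", "LastName", "EmailAddress")
GROUP_ATTRIBUTE = "SecurityGroups"

# Constructed sample of what a decoded SAMLResponse looks like once the IdP
# has been mapped as described above. The group values are Azure-style
# object IDs (placeholders, not a real tenant); the ACS hostname is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://controlroom.example.com/v1/authentication/saml/assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://controlroom.example.com/v1/authentication/saml/assertion"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="UserID"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="SecurityGroups">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def decode_saml_response(b64: str) -> str:
    """Decode the base64 SAMLResponse form field captured from the browser."""
    return base64.b64decode(b64).decode("utf-8")


def extract_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} collected from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_assertion(response_xml: str, acs_url: str) -> list:
    """Return a list of findings; an empty list means the mapping looks right.

    This checks attribute mapping and ACS addressing only. It does not verify
    the XML signature, which is the service provider's job on every login.
    """
    findings = []
    root = ET.fromstring(response_xml)
    attrs = extract_attributes(response_xml)

    # The IdP must be pointed at <Control Room URL>/v1/authentication/saml/assertion.
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != acs_url:
            findings.append(f"Recipient {scd.get('Recipient')!r} != ACS URL {acs_url!r}")

    # Every provisioning attribute must be present and non-empty.
    for name in REQUIRED_ATTRIBUTES:
        values = attrs.get(name, [])
        if not values or not values[0].strip():
            findings.append(f"missing or empty attribute {name}")

    # Without SecurityGroups values the user gets no IdP group mapping at all.
    if not attrs.get(GROUP_ATTRIBUTE):
        findings.append(f"no {GROUP_ATTRIBUTE} values in assertion")
    return findings


if __name__ == "__main__":
    acs = "https://controlroom.example.com/v1/authentication/saml/assertion"
    print(extract_attributes(SAMPLE_RESPONSE))
    print(check_assertion(SAMPLE_RESPONSE, acs) or "OK")
```

Run it against a SAMLResponse captured from a test login (decode it with decode_saml_response first) before enabling auto-provisioning for real users. A mismatch on Destination or Recipient usually means the ACS URL was entered differently in the IdP than in the Control Room; a missing attribute means the mapping table was not applied to the application; for Azure, the SecurityGroups values are the group Object Ids, which is why the Control Room shows those rather than display names.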