As of 7.0, Group Mapping is now available for SSO Realms. This guide will show you what to do in FlexDeploy to enable it. If you are using OIDC, you will also need to add a scope setting. See TODO about that.
The line `oidcConfig.scope = openid,groups,profile,email` needs to be added on the general tab if it isn’t there.
When you edit your SSO realm, you will find a tab for Group Mapping.
Area | Description | |
---|---|---|
1 | Enable Group Mapping | This should be enabled if you want to associate the SSO groups assigned to a user to FlexDeploy groups. Changing this flag will require a restart of FlexDeploy. |
2 | Group Attribute Name | When logging in via SSO, a user profile object is returned from the SSO provider that often includes things like username, display name, email etc. This also typically includes a field for the SSO groups the user belongs to. The name of that group/role field should be specified here. If the field is named |
3 | Group Mapping | 1. To view or modify mappings between SSO Roles or Groups and a FlexDeploy Group, click on the FlexDeploy Group on the left that you want to map to.<br>2. Any mapped groups are shown at the top, and you can click the button on the right to unmap them.<br>3. Click the dropdown to add more mappings.<br>4. You can choose a group that you have already mapped to another FlexDeploy group, if any.<br>5. You can click Add Group and type in a group that exists in your IDP and map it to FlexDeploy.<br>If you aren’t sure what the group names should be, look them up in your IDP, or set FlexDeploy logging of org.pac4j to FINEST and log in using SSO. Then download the flexdeploy.0.log file, and turn the logging back to info.<br>This is where SSO groups are mapped to FlexDeploy groups. Unlike LDAP group mapping, the available SSO groups are not displayed and instead must be manually entered. See below for a more detailed explanation of group mapping. |
Group Mapping
Area | Description | |
---|---|---|
1 | FlexDeploy Groups | Here you can select the FlexDeploy group that you would like SSO groups “mapped to”. For example, if you want the SSO group |
2 | Mapped SSO Groups | Each mapped SSO group will show up as a row in the list on the right. You can remove the mapping by clicking the X button. |
3, 4 | Available SSO Groups | Previously mapped SSO groups will show up in this dropdown. Here you can select one to add a new mapping. |
5 | Add new SSO Group | If your SSO group is not visible in the dropdown you can add a new group by clicking the + ADD GROUP button. If you are unsure what to specify for the group see the Group Mapping field in the table above. |
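
The following is an added example, not FlexDeploy's own code: a Python preflight check that decodes the payload of an OIDC ID token, reads the claim named in Group Attribute Name, and reports which FlexDeploy groups a mapping table would grant and which SSO groups have no mapping. It assumes the groups arrive as a claim in the ID token and that names match exactly; the token, group names and mapping are constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sso_groups(claims: dict, attribute: str) -> list:
    """Return the group claim as a list; IdPs may send a list or a single string."""
    value = claims.get(attribute)
    if value is None:
        return []  # wrong attribute name, or the scope did not request groups
    return [value] if isinstance(value, str) else [str(v) for v in value]


def resolve(claims: dict, attribute: str, mapping: dict) -> tuple:
    """Return (FlexDeploy groups granted, SSO groups that have no mapping)."""
    granted, unmapped = set(), []
    for group in sso_groups(claims, attribute):
        # One SSO group may be mapped to more than one FlexDeploy group.
        targets = [fd for fd, mapped in mapping.items() if group in mapped]
        granted.update(targets)
        if not targets:
            unmapped.append(group)
    return sorted(granted), unmapped


# Constructed sample data: claims, token and group names are hypothetical.
SAMPLE_CLAIMS = {"sub": "jdoe", "email": "jdoe@example.com",
                 "groups": ["fd-admins", "Everyone"]}
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"RS256"}'),
                         b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
MAPPING = {"FD Administrators": {"fd-admins"}, "FD Developers": {"fd-devs"}}

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print(resolve(claims, "groups", MAPPING))  # attribute name matches the claim
    print(resolve(claims, "roles", MAPPING))   # wrong attribute name: nothing granted
```

An empty result for both lists means the attribute name does not match any claim in the token, which is the case to check before editing mappings.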