As of 7.0, Group Mapping is now available for SSO Realms. This guide will show you what to do in FlexDeploy to enable it. If you are using OIDC, you will also need to add a scope setting.

The line

oidcConfig.scope = openid,groups,profile,email
needs to be added on the general tab if it isn’t there.

When you edit your SSO realm, you will find a tab for Group Mapping.

1 - You should toggle Enable Group Mapping on if you want to map groups. This will require a restart of FlexDeploy.

2 - If you are using Microsoft Azure or Okta, nothing should need to be changed here. Other IDPs may use other values; if yours does, enter that value here. If you don’t know what to put, set the org.pac4j logging to FINEST and log in with an SSO user. Then set the logging back to info and look for the groups in the logs. If you can’t find them, share the logs with the FlexDeploy support team.

3 - For SSO Realms, Group Mapping is a bit different from the LDAP group mapping that you may be used to. See the next screenshot for information about mapping groups.

1 To view or modify mappings between SSO Roles or Groups and a FlexDeploy Group, click the FlexDeploy Group on the left that you want to map to.

2 Any mapped groups are shown at the top, and you can click the button on the right to unmap them.

3 Click the dropdown to add more mappings.

4 You can choose a group that you have already mapped to another FlexDeploy group, if there is one.

5 You can click Add Group and type in a group that exists in your IDP and map it to FlexDeploy.

If you aren’t sure what the group names should be, look them up in your IDP, or set FlexDeploy logging of org.pac4j to FINEST and log in using SSO. Then download the flexdeploy.0.log file and turn the logging back to info.

If you have trouble, the support team can use those logs to help you work out what to type.
