SSO Realm Group Mapping

As of 7.0, Group Mapping is now available for SSO Realms. This guide will show you what to do in FlexDeploy to enable it. If you are using OIDC, you will also need to add a scope setting.

The line

oidcConfig.scope = openid,groups,profile,email

needs to be added on the general tab if it isn't already there.

When you edit your SSO realm, you will find a tab for Group Mapping.

Area 1: Enable Group Mapping

This should be enabled if you want to associate the SSO groups assigned to a user to FlexDeploy groups. Changing this flag will require a restart of FlexDeploy.

Area 2: Group Attribute Name

When logging in via SSO, a user profile object is returned from the SSO provider that often includes things like username, display name, email, etc. This also typically includes a field for the SSO groups the user belongs to. The name of that group/role field should be specified here. If the field is named groups or roles, you do not need to specify this field, as those will automatically be checked.

Microsoft Azure or Okta

Both Microsoft Azure and Okta return groups or roles. As such, you can omit this field if you are using one of those SSO providers.

Other providers

If you don't know what to put, set the org.pac4j logging to FINEST and log in with an SSO user. This logs the user profile object, which you can inspect to find the groups or roles field. Search for a line starting with the text org.pac4j.core.client.BaseClient.retrieveUserProfile.

Then set the logging back to info (the logged profile contains personal details such as the user's email, so don't leave FINEST enabled) and look for the groups in the logs. If you can't find them, share the logs with the FlexDeploy support team.

Area 3: Group Mapping

This is where SSO groups are mapped to FlexDeploy groups. Unlike LDAP group mapping, the available SSO groups are not displayed and instead must be entered manually.

What to enter

Whether to specify group names, IDs, or some other identifier depends upon what is returned in the SSO user profile group field (see Group Attribute Name above).

See below for a more detailed explanation of group mapping.
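To make the two settings above concrete, here is an added Python illustration (not FlexDeploy's own code, which is not shown on this page) of how the Group Attribute Name lookup and the Group Mapping combine: read the configured attribute, or fall back to the groups and roles fields when none is configured, then translate the SSO group identifiers into FlexDeploy groups. The sample profiles, the mapping, the placeholder object ID and the exact, case-sensitive matching are assumptions made for the example.

```python
"""Resolve FlexDeploy groups from an SSO user profile (added illustration)."""
from typing import Dict, Iterable, List, Optional

# Fields checked automatically when no Group Attribute Name is configured
# (named on the page); checking them in this order is an assumption.
DEFAULT_GROUP_ATTRIBUTES = ("groups", "roles")


def sso_groups_from_profile(profile: Dict[str, object],
                            group_attribute: Optional[str] = None) -> List[str]:
    """Return the SSO group identifiers found in a user profile.

    If group_attribute is set, only that field is read; otherwise the
    default fields are checked in turn. Missing fields yield no groups.
    """
    candidates = (group_attribute,) if group_attribute else DEFAULT_GROUP_ATTRIBUTES
    for name in candidates:
        value = profile.get(name)
        if value is None:
            continue
        if isinstance(value, str):  # some providers return a single value
            return [value]
        return [str(v) for v in value]  # type: ignore[union-attr]
    return []


def resolve_flexdeploy_groups(sso_groups: Iterable[str],
                              mapping: Dict[str, List[str]]) -> List[str]:
    """Map SSO group identifiers to FlexDeploy groups.

    mapping is {FlexDeploy group: [mapped SSO group identifiers]}, mirroring
    the Group Mapping tab. Matching is exact and case-sensitive (assumption);
    SSO groups with no mapping grant nothing.
    """
    wanted = set(sso_groups)
    return sorted(fd for fd, sso in mapping.items() if wanted.intersection(sso))


# Constructed sample profiles, not real provider output.
OKTA_LIKE_PROFILE = {
    "sub": "00uexample", "email": "jdoe@example.com",
    "groups": ["admins", "developers"],
}
AZURE_LIKE_PROFILE = {
    "preferred_username": "jdoe@example.com",
    # Group claims that are object IDs mean the mapping must use those IDs.
    "groups": ["11111111-2222-3333-4444-555555555555"],  # placeholder ID
}
CUSTOM_PROFILE = {
    "name": "J. Doe",
    "memberOf": ["cn=release-managers,ou=groups"],  # needs Group Attribute Name
}

# Constructed Group Mapping: FlexDeploy group -> mapped SSO group identifiers.
GROUP_MAPPING = {
    "FD Administrators": ["admins"],
    "FD Developers": ["developers", "11111111-2222-3333-4444-555555555555"],
    "FD Release Managers": ["cn=release-managers,ou=groups"],
}

if __name__ == "__main__":
    for label, profile, attr in (("okta-like", OKTA_LIKE_PROFILE, None),
                                 ("azure-like", AZURE_LIKE_PROFILE, None),
                                 ("custom", CUSTOM_PROFILE, "memberOf")):
        groups = sso_groups_from_profile(profile, attr)
        print(label, groups, "->", resolve_flexdeploy_groups(groups, GROUP_MAPPING))
```

Note that the custom profile resolves to no groups unless memberOf is configured as the Group Attribute Name, which is exactly the situation the FINEST logging step above is meant to diagnose.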

Group Mapping

Area 1: FlexDeploy Groups

Here you can select the FlexDeploy group that you would like SSO groups mapped to.

For example, if you want the SSO group admins to map to the FlexDeploy group FD Administrators, you should select FD Administrators here.

Area 2: Mapped SSO Groups

Each mapped SSO group will show up as a row in the list on the right. You can remove the mapping by clicking the X button.

Areas 3 and 4: Available SSO Groups

Previously mapped SSO groups will show up in this dropdown. Here you can select one to add a new mapping.

Area 5: Add new SSO Group

If your SSO group is not visible in the dropdown, you can add a new group by clicking the + ADD GROUP button.

If you are unsure what to specify for the group, see the Group Mapping field in the table above.
