ScreenSteps

Syncing Group Names through SAML

You can perform a 1-way sync of group names from your Identity Provider (IdP) by passing those group names in the SAML claims.

This allows you to manage all group memberships in your IdP and removes the burden of having to manage those same groups in ScreenSteps.

Expand the instructions below that match the IdP you are using.

Be aware that once you set up your IdP to send group information to ScreenSteps, you will no longer be able to manage group membership in ScreenSteps. Your IdP will become the single source of truth for all of your group membership.

Review instructions for your environment

Azure Active Directory, Office 365, or any other IdP that lets you manage groups

How does it work? (Overview)

  1. You add a custom claim to your SAML assertion that includes an array of group names that the user belongs to
  2. That's it!

When the user logs in, ScreenSteps will automatically assign them to groups that match the group names that come over in the SAML assertion.

If the group does not already exist in ScreenSteps, it will be created.

What is the name of the custom claim?

You will add the following claim:

http://schemas.xmlsoap.org/claims/Groups

Salesforce or another identity provider that doesn't let you manage user groups

How does it work? (Overview)

  1. You add a custom claim to your SAML assertion
  2. You define a mapping in ScreenSteps that will match the contents of the SAML claim to the group you want to associate the user with
  3. Each time the user logs in via SAML their group membership is updated based on the SAML claim.

What claim do you need to add to the SAML response?

You will add the following claim:

http://schemas.xmlsoap.org/claims/GroupsIdentifiers

It can contain any values you would like. These could be Profiles, Roles, Locations, etc.

How do you map SAML attributes to ScreenSteps Groups?

Provide us with a spreadsheet that lists the contents of the claim you will be including in the SAML assertion and which groups they should map to in ScreenSteps. For example, it might look like this:

| SAML Group Claim | ScreenSteps Group |
| --- | --- |
| Sales Region 1, Sales Region 2, Sales Region 3 | Sales |
| Operations Team | Operations |
| Region Director - Region 1, Region Director - Region 2 | Region 1 & 2 Directors |
| Region Director - Region 3 | Region 3 Directors |

As you can see, you can use a comma-separated list of possible matches. A user that matches any item in the comma-separated list will be added to the corresponding group.
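To check a mapping spreadsheet before sending it, the sketch below applies the example table to a GroupsIdentifiers claim and reports any claim values that no row covers. It is an added example, not ScreenSteps code: the function names and the sample AttributeStatement are constructed, and it assumes one AttributeValue per claim value, exact matching after trimming whitespace, and an assertion whose signature has already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_IDS_CLAIM = "http://schemas.xmlsoap.org/claims/GroupsIdentifiers"

# Rows of the example spreadsheet: (comma-separated matches, ScreenSteps group)
MAPPING_ROWS = [
    ("Sales Region 1, Sales Region 2, Sales Region 3", "Sales"),
    ("Operations Team", "Operations"),
    ("Region Director - Region 1, Region Director - Region 2", "Region 1 & 2 Directors"),
    ("Region Director - Region 3", "Region 3 Directors"),
]

# Constructed sample; the assertion signature is assumed verified already.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/GroupsIdentifiers">
    <saml:AttributeValue>Sales Region 2</saml:AttributeValue>
    <saml:AttributeValue> Region Director - Region 3 </saml:AttributeValue>
    <saml:AttributeValue>Contractor</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def claim_values(statement_xml, claim_name):
    """Trimmed, non-empty AttributeValue strings of the named claim."""
    root = ET.fromstring(statement_xml)
    return [
        (v.text or "").strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == claim_name
        for v in attr.iterfind("saml:AttributeValue", NS)
        if (v.text or "").strip()
    ]

def build_lookup(rows):
    """Expand each comma-separated row into {claim value: group}."""
    return {item.strip(): group for matches, group in rows for item in matches.split(",")}

def resolve_groups(statement_xml, rows=MAPPING_ROWS):
    """Return (groups to assign, claim values with no mapping row)."""
    lookup = build_lookup(rows)
    values = claim_values(statement_xml, GROUP_IDS_CLAIM)
    groups = sorted({lookup[v] for v in values if v in lookup})
    unmapped = sorted(set(values) - set(lookup))
    return groups, unmapped
```

Values that come back in the second list, such as the constructed "Contractor" value, grant no group in this sketch; reviewing that list shows which IdP values the spreadsheet still needs a row for.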

What should you do next?

Get in touch with our team so that we can help you get this configured. It will make management of your users and groups much simpler.
