This feature is only available to users on our Enterprise plan. If you're interested in upgrading to an Enterprise plan, please reach out to us at <[email protected]>.
ScreenSteps supports user group assignment via the SAML Assertion that an IDP sends to ScreenSteps when a user logs in. To turn this feature on the Manage each user's groups through IDP checkbox needs to be checked in the Identity Provider (IDP) configuration in ScreenSteps.
When using this feature the groups assigned when logging in from the IDP will be the only groups the user is associated with. If you manually add the user to other groups in ScreenSteps they will be removed from the groups the next time they log in.
ScreenSteps checks for the following attribute names in the order listed for setting the groups a user belongs to:
-
http://schemas.xmlsoap.org/claims/Groups
http://schemas.microsoft.com/ws/2008/06/identity/claims/group
The attribute can contain one or more <AttributeValue>
elements with a group name. In the following example the user would be assigned to the Call Center Agents and Call Center Agent Administrator groups each time they log in.
<Assertion ...>
<AttributeStatement>
...
<Attribute Name="http://schemas.xmlsoap.org/claims/Groups">
<AttributeValue>Call Center Agents</AttributeValue>
<AttributeValue>Call Center Agent Administrator</AttributeValue>
</Attribute>
...
</AttributeStatement>
</Assertion>
Any groups listed in the attribute will be combined with the group associated with the IDP in the User Properties tab of the IDP configuration in ScreenSteps. In the example above the user would end up being associated with three different groups each time they log in.
If a group included in the attribute doesn't exist in ScreenSteps it will be created.
0 Comments
Add your comment