How to Manage User Groups Through your Identity Provider using the SAML Assertion

Updated on

This feature is only available to users onĀ our Enterprise plan. If you're interested in upgrading to an Enterprise plan, please reach out to us at <[email protected]>.

ScreenSteps supports user group assignment via the SAML Assertion that an IDP sends to ScreenSteps when a user logs in. To turn this feature on the Manage each user's groups through IDP checkbox needs to be checked in the Identity Provider (IDP) configuration in ScreenSteps.

Manage user groups

When using this feature the groups assigned when logging in from the IDP will be the only groups the user is associated with. If you manually add the user to other groups in ScreenSteps they will be removed from the groups the next time they log in.

ScreenSteps checks for the following attribute names in the order listed for setting the groups a user belongs to:


The attribute can contain one or more <AttributeValue> elements with a group name. In the following example the user would be assigned to the Call Center Agents and Call Center Agent Administrator groups each time they log in.

<Assertion ...>
    <Attribute Name="">
      <AttributeValue>Call Center Agents</AttributeValue>
      <AttributeValue>Call Center Agent Administrator</AttributeValue>
Click to copy

Any groups listed in the attribute will be combined with the group associated with the IDP in the User Properties tab of the IDP configuration in ScreenSteps. In the example above the user would end up being associated with three different groups each time they log in.

If a group included in the attribute doesn't exist in ScreenSteps it will be created.


Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Previous Article Setting Up Your Application to Use ScreenSteps Remote Authentication (Not SAML)
Next Article Locating the Entity ID or Issuer for SSO configuration
Still Need Help? Contact Us