
SAML Group and Role Mapping

Overview

By default, users who log in to Mend via SSO are assigned to the "users" group. To assign users automatically to additional groups (for example, a product admin or organization admin group), configure group mapping or role mapping.

Both types of mapping let you control group membership in Mend from your IdP groups. Each time a user logs in to Mend, their group membership is updated as follows:

  • Group mapping is one-to-one: the user's IdP group assignments are replicated in Mend, group for group. Groups that do not already exist in Mend are created automatically.

  • Role mapping is one-to-many: each IdP group can be mapped to one or more Mend groups. The Mend groups must be created manually before they can be mapped to.

Note: SSO group and role mapping do not control permissions; they only change group membership.

To assign permissions to groups, please see Manage Roles in the Mend Platform.

IdP configuration

To configure either type of mapping, first configure your IdP to send a group attribute in the SAML assertion. In Microsoft Entra ID (Azure AD) this is called a "group claim"; in Okta it is configured under "Group Attribute Statements."

Note that Entra ID sends the group object ID by default, which is a UUID. We recommend configuring the group claim to send "Cloud-only group display names", which are human-readable. Two caveats apply when you match on display names: group display names are not unique in Entra ID, so a second group created with the same display name would map to the same Mend group (restrict who can create and rename groups in the tenant); and if a user belongs to more than 150 groups, Entra ID omits the groups claim from the SAML assertion and emits an overage claim instead, so limit the claim to the groups assigned to the enterprise application if your users have many memberships.

[Screenshot: Entra ID group claim set to cloud-only group display names (azure-entra-id-human-readable-group-claim.png)]

Group mapping - Mend configuration

Enter the name of the SAML group attribute in the "Group" field of the Mend SSO configuration:

[Screenshot: saml - group mapping.png]

In Entra ID, the default attribute name is "groups". In Okta, you choose the name yourself when you create the group attribute statement, so enter exactly the name you configured there.

Save the SSO configuration and test a login. The groups should be created automatically from the SAML attribute and the user assigned to them. If a user is removed from a group in the IdP, they are removed from the corresponding Mend group the next time they log in; membership changes made in the IdP do not take effect in Mend until that next login.

Role mapping - Mend configuration

Enter the name of the SAML group attribute in the "Role" field of the Mend SSO configuration:

[Screenshot: saml - role mapping.png]

In Entra ID, the default attribute name is "groups". In Okta, you choose the name yourself when you create the group attribute statement, so enter exactly the name you configured there.

In the Role Mapping section below, click "Add Role" to configure a mapping. Enter the name of a group from your IdP exactly as it appears in the SAML attribute values (for example, "Mend_Admins") and select one or more Mend groups using the checkboxes:

[Screenshot: saml - role mapping config.png, mapping the "Mend_Admins" IdP group to the "admins" group in Mend]

Save the SSO configuration and test a login. You should now see users assigned to Mend groups according to the role mapping you configured. If a user is removed from a group in the IdP, they are removed from the mapped Mend groups the next time they log in.
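The following is an added example, not Mend's code, that simulates the behaviour described in the Overview and in the two configuration sections above: it reads the group values out of a constructed SAML assertion (using Entra ID's default groups claim name), applies group mapping (replicate and auto-create) and role mapping (one-to-many onto pre-existing groups, unmapped IdP groups ignored), and reconciles membership at login so that groups dropped in the IdP are dropped in Mend. The function names, the sample group names and the role map are assumptions; so is the rule that only groups under the mapping's control are ever removed.

```python
"""Simulate SAML group mapping and role mapping at login (illustrative, not Mend's code)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entra ID's default attribute name for the groups claim; Okta lets you pick your own.
ENTRA_GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
DEFAULT_GROUP = "users"  # every SSO user lands here regardless of mapping

# Constructed AttributeStatement, as emitted with the claim set to
# "Cloud-only group display names". The group names are made up.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Mend_Admins</saml:AttributeValue>
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attribute_values(assertion_xml: str, attribute_name: str) -> list[str]:
    """Return every non-empty AttributeValue of the named attribute, in order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def group_mapping(idp_groups, mend_groups):
    """One-to-one: replicate the IdP groups; auto-create any that Mend lacks.

    mend_groups is the set of group names already present in Mend and is
    extended in place. Returns (target membership, list of groups created).
    """
    created = [g for g in idp_groups if g not in mend_groups]
    mend_groups.update(created)
    return set(idp_groups) | {DEFAULT_GROUP}, created


def role_mapping(idp_groups, role_map, mend_groups):
    """One-to-many: each IdP group maps to one or more pre-existing Mend groups.

    IdP groups with no entry in role_map are ignored. A mapping that targets a
    group missing from Mend is a configuration error: the groups must exist first.
    """
    target = {DEFAULT_GROUP}
    for idp_group in idp_groups:
        for mend_group in role_map.get(idp_group, ()):
            if mend_group not in mend_groups:
                raise ValueError(f"role mapping targets unknown Mend group {mend_group!r}")
            target.add(mend_group)
    return target


def sync_on_login(current, target, managed):
    """Reconcile membership at login.

    Assumption (not stated on the page): only groups under the mapping's control
    (`managed`) are removed; membership granted by other means is left alone.
    Returns (new membership, groups added, groups removed).
    """
    to_add = target - current
    to_remove = (current - target) & managed
    return (current | to_add) - to_remove, to_add, to_remove


if __name__ == "__main__":
    idp_groups = saml_attribute_values(ASSERTION, ENTRA_GROUPS_ATTR)
    mend_groups = {DEFAULT_GROUP}
    print("group mapping:", group_mapping(idp_groups, mend_groups))

    role_map = {"Mend_Admins": ["admins", "product_admins"]}
    existing = {DEFAULT_GROUP, "admins", "product_admins", "auditors"}
    first_login = role_mapping(idp_groups, role_map, existing)
    print("role mapping, first login:", first_login)

    # Next login after the user was removed from Mend_Admins in the IdP.
    managed = {g for targets in role_map.values() for g in targets}
    later = role_mapping(["Engineering"], role_map, existing)
    print("after removal in IdP:", sync_on_login(first_login | {"auditors"}, later, managed))
```

Run it as a script to see both mappings applied to the same assertion, then the membership diff at the next login once "Mend_Admins" is gone from the IdP: the two mapped admin groups are removed, "users" and the manually granted "auditors" remain. To see what your own IdP actually sends, capture an assertion with a SAML tracer and feed it to saml_attribute_values with the attribute name you configured in the Mend "Group" or "Role" field.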
