You can manage your user groups by using either your IdP or local permissions groups. You can also use a mix of both kinds of groups.
This article describes how to map SAML SSO groups. It also covers the cases where only a small part of your groups are synced from SSO to Jive, or where no groups are synced at all. This applies to SSO with services including O365 / Azure, Okta, and others.
To manage groups with SAML, you first enable group mapping and provide the group mapping attribute. You can then assign users to security groups automatically by passing the group mapping attribute from the IdP to Jive. This attribute is used to retrieve security group names from each assertion. If a group specified within the group mapping attribute does not already exist in Jive, it is created when you synchronize. A group that already exists in Jive is federated (if it is not already).
Only federated permissions groups are managed by using SAML.
To manage groups using SAML:
- Navigate to Admin Console > People > Settings > Single Sign-On > SAML > General.
- Select the Sync User Profiles Upon Login checkbox.
- Navigate to Admin Console > People > Settings > Single Sign-On > SAML > Advanced.
- Select the Group Mapping Enabled checkbox and provide the group mapping attribute in Group Name Attribute.
- In the SAML response for each user, pass the name of each group. Each group name should be listed as a separate attribute value, as shown in the following example:
      <Attribute name="groups">
        <AttributeValue>groupOne</AttributeValue>
        <AttributeValue>groupTwo</AttributeValue>
        <AttributeValue>groupThree</AttributeValue>
      </Attribute>
The groups you specified in the groups attribute will automatically be federated when user members are synchronized at login.
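When only some groups, or none, arrive in Jive, a first check is whether the assertion really carries each group as its own attribute value under the configured Group Name Attribute. The following is an added example, not Jive code: the function name, the sample documents and the delimiter set used to spot several groups packed into one value are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: attribute statement in the shape shown on this page.
SAMPLE_OK = """<AttributeStatement>
  <Attribute name="groups">
    <AttributeValue>groupOne</AttributeValue>
    <AttributeValue>groupTwo</AttributeValue>
    <AttributeValue>groupThree</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Constructed sample: namespaced SAML 2.0 form with groups packed into one value.
SAMPLE_PACKED = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>groupOne,groupTwo</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def _local(tag):
    """Strip an XML namespace so prefixed and unprefixed elements both match."""
    return tag.rsplit("}", 1)[-1]

def check_group_attribute(xml_text, attr_name="groups", delimiters=",;|"):
    """Return (groups, findings) for the configured Group Name Attribute."""
    # ElementTree is fine for these inline samples; use a hardened parser
    # (for example defusedxml) on responses that come from outside.
    root = ET.fromstring(xml_text)
    groups, findings, seen = [], [], False
    for el in root.iter():
        if _local(el.tag) != "Attribute":
            continue
        if (el.get("Name") or el.get("name")) != attr_name:
            continue
        seen = True
        for val in el:
            if _local(val.tag) != "AttributeValue":
                continue
            text = (val.text or "").strip()
            if not text:
                findings.append("empty AttributeValue")
            elif any(d in text for d in delimiters):
                findings.append(f"several groups in one value: {text!r}")
            else:
                groups.append(text)
    if not seen:
        findings.append(f"attribute {attr_name!r} not present")
    elif not groups and not findings:
        findings.append("attribute present but carries no values")
    return groups, findings
```

Run it against the attribute statement copied from a captured SAML response, with `attr_name` set to the value entered in Group Name Attribute; a group name that legitimately contains one of the delimiter characters will be flagged and should be reviewed by hand.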