The following section provides information about SSO team mapping, which is an optional setup feature. If you're interested in using team mapping, please continue reading below.
Team Mapping
Team Mapping is used to help handle your organization’s teams from within your Identity Provider (IdP). This will enable users to be assigned to a team automatically once they have either registered or signed in to the platform for the first time.
For us to set up your Team Mapping, we require the following:
- The groups required to be configured by your Integrations Team
- The ‘team_title’ attribute to be set up, as described below
- The list of values you have assigned to each group, and the team in Immersive you would like each value mapped to.
Optional Feature - If you would like different teams to have different licenses, simply let us know which license you would like each team to have so we can assign them. This will mean that as users register or move into a different team, they will be assigned the associated license.
Team_title Attribute
The ‘team_title’ attribute tells us which IdP group the user should belong to. Since users can be included within multiple teams, we can accept many different values for the ‘team_title’ attribute.
For us to set this up, we require the ‘team_title’ attribute to be named exactly as follows:
urn:mace:dir:attribute-def:team-title
Please let us know the values you choose for each group and the corresponding team in Immersive to which you would like them mapped. Here’s an example of how this may look:
| IdP Group | IL Team Name | Product |
| NAM_SOC | North America - SOC | Immersive Cyber Pro |
| GLOBAL_PRODUCT_DEVELOPMENT | Developers | Immersive AppSec |
| GLOBAL_FINANCE | Operations | Immersive Workforce |
| GLOBAL_LEGAL | Operations | Immersive Workforce |
Nested teams
Please document and share the Prefix and Delimiter you will be using in the claim/attribute value sent for nested teams.
| Delimiter | When this option is configured, if a user logs in via SSO and the response received from the IdP includes team metadata, the team titles will be treated as a nested path separated by the delimiter value. |
| Prefix | When this option is configured, if a user logs in via SSO and the response received from the IdP includes team metadata, the team titles will be treated as a nested path starting with the prefix value. |
In this example team_title attribute value, the prefix is {PREFIX} and the delimiter is /, which indicates the start of the next level of teams:
{PREFIX}team_1/Sub_team_1
Configuration of SSO Team Mapping
We can also configure SSO team mapping to meet your specific requirements. The two options for this setting are described below:
| Feature | Description |
| SSO creates new teams (optional) | If enabled, when a user signs in with an unmapped IdP group, a team will be created matching the unmapped IdP group’s name. If disabled, users will only be added to teams that are mapped to the IdP group received. |
| SSO removes users from existing teams | If enabled, you can use SSO to automate the movement and removal of users from teams. However, it will mean that you can’t add users to teams that aren’t mapped to IdP groups, because we will use the value in that attribute as the point of truth for the user. If disabled, users will be added to teams received from your IdP, but will not be removed automatically. |
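A dry-run model of the mapping rules and the two settings above, useful for checking what a single login would change before either setting is enabled. This is an added example, not Immersive's code: the `TEAMS:` prefix, the function names, and the treatment of a prefixed value as a literal nested path are assumptions.

```python
# Added illustration: models the behaviour this page describes; not Immersive's code.
TEAM_ATTR = "urn:mace:dir:attribute-def:team-title"  # attribute name from the page

# IdP group -> Immersive team, copied from the example table on the page.
GROUP_TO_TEAM = {
    "NAM_SOC": "North America - SOC",
    "GLOBAL_PRODUCT_DEVELOPMENT": "Developers",
    "GLOBAL_FINANCE": "Operations",
    "GLOBAL_LEGAL": "Operations",
}

def parse_nested(value, prefix, delimiter):
    """Split a prefixed value into a nested team path; None if it is not prefixed."""
    if not prefix or not value.startswith(prefix):
        return None
    parts = tuple(value[len(prefix):].split(delimiter))
    if any(not part.strip() for part in parts):
        raise ValueError(f"empty team level in {value!r}")
    return parts

def plan_membership(attributes, current_teams, *, create_new_teams,
                    remove_from_existing, prefix="", delimiter="/"):
    """Return the team changes one SSO login would cause under the two settings."""
    target, ignored = set(), []
    for value in attributes.get(TEAM_ATTR, []):
        path = parse_nested(value, prefix, delimiter)
        if path is not None:               # assumption: nested paths are used as-is
            target.add(path)
        elif value in GROUP_TO_TEAM:
            target.add((GROUP_TO_TEAM[value],))
        elif create_new_teams:             # unmapped group becomes a team of that name
            target.add((value,))
        else:
            ignored.append(value)          # unmapped and creation disabled
    current = set(current_teams)
    return {
        "add": sorted(target - current),
        "remove": sorted(current - target) if remove_from_existing else [],
        "ignored": ignored,
    }

# Constructed sample assertion attributes; "TEAMS:" is a hypothetical prefix.
SAMPLE = {TEAM_ATTR: ["GLOBAL_FINANCE", "GLOBAL_LEGAL",
                      "TEAMS:team_1/Sub_team_1", "CONTRACTORS"]}

if __name__ == "__main__":
    print(plan_membership(SAMPLE, [("Developers",)], create_new_teams=False,
                          remove_from_existing=True, prefix="TEAMS:"))
```

Teams are represented as tuples so that a nested path such as `("team_1", "Sub_team_1")` and a flat team such as `("Operations",)` can be compared in the same set.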