Assign Single Sign-On (SSO) Roles in an Organization

As an Organizational Admin, if the organization has enabled Single Sign-On (SSO), then user provisioning and role management are handled through the SSO configuration. You will need to map your identity provider groups to SSO roles in an organization.

NOTE: If SSO is enabled for an organization, you will not be able to add users with an email.

To map your identity provider groups to SSO roles:

  1. On the left side of the page, click Account from the expanded menu.
  2. Click Organization Details to open the Organization details page:

Organization details page with SSO enabled

  3. From the Organization details page, click SSO Role Mapping from Identity Groups.

SSO role mapping for selected organization

  4. In the SSO Role Mapping from Identity Groups dialog, enter a group mapping for each TDP role type: the role types (Admin role, Member role, and Read-only role) are on the left, and the AD (Active Directory) groups go on the right.

If a user who logs in via SSO belongs to an AD group that is mapped to a TDP role, the user is automatically provisioned into that organization the next time they log in.

All group information is stored in a user object in AD and in an attribute defined as the SSO_GROUPS_ATTRIBUTE environment variable. This attribute may have more than one value; however, when a user logs in, the TDP selects the highest role available.

  5. Click Save when completed.
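
Before saving a mapping, it helps to check which users each AD group will provision and at what role. The following is an added example, not TDP code: it models the "highest role available" rule described above, assuming the precedence Admin > Member > Read-only and exact group-name matching. The group names, user names, and function names are hypothetical.

```python
# Added illustration: models the "highest role wins" rule described above.
# Not TDP code. Assumptions: precedence Admin > Member > Read-only, exact
# (case-sensitive) group-name matching, and constructed sample data.
from typing import Dict, Iterable, List, Optional, Tuple

ROLE_RANK = {"Read-only": 1, "Member": 2, "Admin": 3}  # assumed ordering


def effective_role(user_groups: Iterable[str],
                   role_mapping: Dict[str, List[str]]) -> Optional[str]:
    """Return the highest mapped role for a user's group values, or None
    when no group is mapped (the user would not be provisioned)."""
    groups = set(user_groups)
    matched = [role for role, mapped in role_mapping.items()
               if groups & set(mapped)]
    return max(matched, key=ROLE_RANK.__getitem__, default=None)


def audit(users: Dict[str, List[str]],
          role_mapping: Dict[str, List[str]]
          ) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Map each user to (effective role, groups that granted that role),
    so a broad group that grants Admin stands out during review."""
    report = {}
    for name, groups in users.items():
        role = effective_role(groups, role_mapping)
        granting = sorted(set(groups) & set(role_mapping.get(role, [])))
        report[name] = (role, granting)
    return report


# Constructed sample mapping and directory export (hypothetical names).
SAMPLE_MAPPING = {
    "Admin": ["tdp-admins"],
    "Member": ["lab-scientists"],
    "Read-only": ["all-staff"],
}
SAMPLE_USERS = {
    "alice": ["all-staff", "lab-scientists", "tdp-admins"],
    "bob": ["all-staff", "lab-scientists"],
    "carol": ["all-staff"],
    "dave": ["contractors"],
}

if __name__ == "__main__":
    for user, (role, via) in audit(SAMPLE_USERS, SAMPLE_MAPPING).items():
        print(f"{user}: {role or 'not provisioned'} via {via}")
```

Because the highest role wins, membership in a single group mapped to the Admin role overrides any lower-role groups the user also belongs to, so the groups mapped to Admin deserve the closest review.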