Assign Single Sign-On (SSO) Roles in an Organization

If an organization has enabled Single Sign-On (SSO), user provisioning and role management are handled through the SSO configuration. In that case you must map your identity provider groups to SSO roles in your organization; TDP roles are then granted by group membership rather than per user.

NOTE

If SSO is enabled for an organization, you cannot add users by email address; users are provisioned through SSO instead.

To map your identity provider groups to SSO roles, do the following:

  1. Sign in to the TDP as an admin.
  2. In the left navigation pane, select the hamburger menu icon. Then, choose Administration.
  3. Choose Organization Settings. The Organization Settings page appears.
  4. Select the Login Users tab.

Organization Settings Page > Login Users tab

  5. Select SSO Role Mapping from Identity Groups. The SSO Role Mapping from Identity Groups dialog appears.

SSO Role Mapping from Identity Groups dialog

  6. For each TDP role type (Admin role, Member role, and Read Only role), enter the Active Directory (AD) group to map to that role below the corresponding label.
  7. Choose Save.

NOTE

  • If a user who logs in through SSO belongs to an Active Directory (AD) group that is mapped to a TDP role, the user is automatically provisioned into that organization the next time they log in.
  • Group membership is read from the user object in AD, from the attribute named by the SSO_GROUPS_ATTRIBUTE environment variable. This attribute may carry more than one value when a user logs in; when several of those values map to different TDP roles, the TDP selects the highest role available.
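The following is an added example, not TDP's own code, that models the role resolution described in the note above: a user's multi-valued group attribute is checked against the role-to-group mapping, and the highest-precedence role wins. It assumes a precedence of Admin > Member > Read Only and that a user matching no mapped group is not provisioned; the group names are constructed placeholders, and the case-insensitive comparison is the example's own choice (the page does not state how TDP compares group names, so use the exact group name from AD when you fill in the dialog). The audit helper lists which users in a constructed directory extract would receive Admin, which is the check worth running before mapping a broad AD group to the Admin role.

```python
"""Added example (not TDP code): resolve a TDP role from a multi-valued AD group
attribute (the one named by SSO_GROUPS_ATTRIBUTE), highest role wins."""
from typing import Dict, Iterable, List, Mapping, Optional

# Role precedence, highest first. Assumption: Admin outranks Member outranks Read Only.
ROLE_PRECEDENCE = ("Admin", "Member", "Read Only")

# Sample mapping in the shape of the SSO Role Mapping dialog (role -> AD group).
# Group DNs are constructed placeholders, not real directory data.
SAMPLE_ROLE_MAPPING: Dict[str, str] = {
    "Admin": "CN=TDP-Admins,OU=Groups,DC=example,DC=com",
    "Member": "CN=TDP-Members,OU=Groups,DC=example,DC=com",
    "Read Only": "CN=TDP-ReadOnly,OU=Groups,DC=example,DC=com",
}

# Constructed attribute values as they might arrive at login for several users.
SAMPLE_USERS: Dict[str, List[str]] = {
    # Two mapped groups: the higher role (Admin) is selected.
    "alice": [
        "CN=TDP-ReadOnly,OU=Groups,DC=example,DC=com",
        "CN=TDP-Admins,OU=Groups,DC=example,DC=com",
    ],
    # One mapped group, returned by the directory in different casing.
    "bob": ["cn=tdp-members,ou=groups,dc=example,dc=com"],
    # Only unmapped groups: not provisioned into the organization.
    "carol": ["CN=Finance,OU=Groups,DC=example,DC=com"],
    # Empty attribute: not provisioned.
    "dave": [],
}


def resolve_role(groups: Iterable[str], role_mapping: Mapping[str, str]) -> Optional[str]:
    """Return the highest-precedence role whose mapped AD group appears among the
    user's group attribute values, or None when nothing matches.

    Comparison is case-insensitive and whitespace-trimmed here (the example's
    choice; LDAP DNs are compared case-insensitively, but TDP's rule is not
    stated on the page)."""
    user_groups = {g.strip().lower() for g in groups if g and g.strip()}
    for role in ROLE_PRECEDENCE:
        mapped_group = role_mapping.get(role, "")
        if mapped_group and mapped_group.strip().lower() in user_groups:
            return role
    return None


def resolve_all(users: Mapping[str, Iterable[str]], role_mapping: Mapping[str, str]) -> Dict[str, Optional[str]]:
    """Resolve the role every user in a directory extract would receive."""
    return {user: resolve_role(groups, role_mapping) for user, groups in users.items()}


def audit_admin_candidates(users: Mapping[str, Iterable[str]], role_mapping: Mapping[str, str]) -> List[str]:
    """Defender-side check: which users would be granted Admin by this mapping.
    Run it against a directory export before saving a mapping, so that a broad
    AD group does not silently hand out the highest role."""
    return sorted(user for user, role in resolve_all(users, role_mapping).items() if role == "Admin")


if __name__ == "__main__":
    for user, role in resolve_all(SAMPLE_USERS, SAMPLE_ROLE_MAPPING).items():
        print(f"{user:6s} -> {role if role else 'not provisioned'}")
    print("Admin candidates:", audit_admin_candidates(SAMPLE_USERS, SAMPLE_ROLE_MAPPING))
```

Running the block prints the resolved role for each constructed user and the list of Admin candidates; in practice you would feed it the real group attribute values exported from AD and the mapping you intend to enter in the dialog.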