Sync groups from your SSO provider

  • Updated

In Opti ID, user access to any entitled product is done using groups. For more information on groups in Opti ID, see Groups.

To ease the process of assigning users to groups, Opti ID lets you automatically add users to existing groups within Opti ID when they sign in. To enable this, you must configure single sign-on (SSO) within your Opti ID organization and you must configure the SSO provider to send a groups claim with the assertion during user login.

  • The groups claim must be a string array. The string values must be the names of the groups as represented in Opti ID.
  • The groups specified in the groups claim must already exist in the Opti ID organization that the SSO provider exists in.
  • In the Opti ID organization, the Everyone and Admin Center Administrators groups are noneditable.
    • Everyone – Reflects everyone in your organization. User membership to the Everyone group is not affected by any groups sent by your SSO provider.
    • Admin Center Administrators – Reflects administrators of the Opti ID Admin Center. You must create this group in your SSO provider with the same name and assign admins to this group so that they get administrator access to the Opti ID Admin Center.
  • When users are created using just-in-time (JIT) provisioning, they are added to the Everyone group. If the SSO provider provided any groups claims for the logged-in user, and groups with the same name exist in Opti ID, then users are added to user groups in Opti ID when they sign in.
    JIT provisioning lets you automatically create and update users when they log in through security assertion markup language (SAML) SSO or OpenID Connect (OIDC) SSO to Opti ID. It allows new users automatic access to authorized applications, without the need for manual provisioning. This reduces administrative workload and increases productivity.
  • The user creation process for JIT provisioning happens regardless of the groups claim, so even if the groups claim is missing or has groups not found in Opti ID, the user is still created and added to the Everyone group.
  • When you add a user in the upstream SSO provider, if Opti ID receives any groups as claims at the time of login and these groups exist in Opti ID with the same name, Opti ID adds the user (if not already present) along with the groups.
  • When you update a user in the upstream SSO provider (for example, add groups to the user), and Opti ID receives these groups as claims at the time of login, Opti ID adds the user to those groups, provided groups with the same name exist in Opti ID.
  • The sync from your SSO provider to Opti ID only adds groups (or users to groups). If you remove a group (or a user from a group) in your SSO provider, you must manually remove that group (or user from that group) in Opti ID.
  • If you change the name of a group in Opti ID, you must make the same changes in your SSO provider. Similarly, if you change the name of the group in your SSO provider, you must make the same changes in Opti ID. Otherwise, any group membership changes you make in the SSO provider will not be reflected in Opti ID.

Create groups in the SSO provider

Set up group sync in Microsoft Entra ID

You should review some initial considerations for using Microsoft Entra ID. The feature availability is based on the current Entra ID SKU noted below. For Application groups functionality, the Entra ID instance must be a premium SKU. If you do not have access to the premium SKU, you can use alternative methods to provide group information in the claims while logging into Opti ID by assigning individual users to the application.

  1. In Entra ID, go to the enterprise application you set up for SSO.
  2. Click Single sign-on > Edit in the Attributes & Claims section.

  3. Click Add a group claim.

  4. On the Group Claims page, select the desired groups to be returned in the claim, such as Groups assigned to the application.
  5. Expand the Source attribute drop-down list and select which attribute that will have the group name in it.
    The Source attribute value must match the group name in Opti ID for the mapping to work.
    • Microsoft Entra ID-based customers – Select Cloud-only group display names.
    • On-premises customers – Select sAMAccountName, having that attribute configured correctly in Active Directory.
  6. (Optional) Set the Filter groups section in Advanced options, based on your organization's requirements, to send only the groups you want to sync with Opti ID.
  7. Customize the name of the group claim with Groups as the Name and no Namespace. The other check boxes can remain unselected.

The SSO provider sends the group IDs in an array, which Opti ID receives and adds the users to the appropriate groups when they sign in.

Set up group sync in Okta

Create groups with names that mirror the Opti ID group names to sync.

Go to your Admin panel in Okta and select Directory > Groups > Add group.
Once you add the groups you want to sync, you can assign users to the groups.

Assign users to groups in the SSO provider

Assign users to groups in Entra ID

  1. In the Azure portal, go to Microsoft Entra ID > Groups.
  2. Select the group you want to manage.
  3. Select either Members or Owners.
  4. Click Add (members or owners).
  5. Search for and select the users you want to add (you can select multiple users at one time).
  6. Click Select.
  7. The Group Overview page updates to show the number of members or owners you added to the group.

Assign users to groups in Okta

  1. In the Okta Admin panel, go to Directory > Groups.
  2. Search for and select a group.
  3. Search for the name of the user you want to add.
  4. Click Assign to assign the user to the group.
  5. Click Done.

After you assign users to the groups, add the groups claim to the SAML application for groups assertion.

Set up Groups claim in SAML application

  1. Select the General Settings tab and click Edit in the SAML settings group.
  2. Click Next.
  3. In the Configure SAML section, go to the Group Attribute Statements section and change the filter criteria to only send the groups you want to sync with Opti ID.
    SSO-sync-4.png
  4. Click Next and save the updated application settings.

Create groups in Opti ID Admin Center

  1. Log in to Opti ID and go to the Opti ID Admin Center.
  2. Go to User Manager > Groups.
  3. Click Add Group to create a group with the same name as the one you created in your SSO provider. This syncs the group from your SSO provider to the user the next time time they log in using Opti ID.

This group name must exactly match the group name you send from your SSO provider. Your SSO provider configures this value, so you may need to edit the group name later to match the name your SSO provider sends. For example, in some Entra ID SKUs and situations, the best value to send is the Group ID. In this case, you should make the group name in Opti ID the GUID of the Entra ID Group ID.

Opti ID has Everyone and Admin Center Administrators groups available by default. All users remain in Everyone, regardless of what groups the SSO provider sends. If you create an Admin Center Administrators group in your SSO provider, you can sync those users to the corresponding group in Opti ID.

Set up Roles and Groups

Set up roles and groups in Opti Id inside Admin Center. See the following topics.

Events when groups sync to Opti ID

Initial login

When a user logs in for the first time to Opti ID, group claims in the token, if any, are matched with groups in Opti ID (by group name for your organization). These groups are then assigned to the user at the time of their first successful login.

You must have domain-based routing set up for successful group assignment at the time of initial login.

If you have domain-based routing set on your identity provider (IdP), you can create JIT users in Opti ID. You can also add users to your organization explicitly in the Opti ID Admin Center.

In either case, if any matching groups are found, they are assigned to the user upon successful login.

Subsequent logins

In case of subsequent logins by a user through your IdP, any new groups assigned to the user since their previous login get assigned in Opti ID, provided matching groups with same name are found in Opti ID.

If you removed a user from a group in your SSO provider, subsequent logins by that user do not remove them from that group in Opti ID. You must manually remove the user from the group in Opti ID.

After you complete the steps in this article to sync your SSO groups, you can still explicitly assign the Opti ID groups (corresponding to your SSO groups that are set up in Opti ID) to the users in your organization in the Opti ID Admin Center.