Synchronize groups with your SSO provider

Opti ID lets you add users to existing groups within Opti ID when they sign in. To do this, your organization must have single sign-on (SSO) within Opti ID, and the SSO provider must send a groups claim with their assertion:

  • This claim must be a string array. The string values must be the names of the groups as represented in Opti ID.
  • Groups must reside in the same organization that the SSO provider exists in, which must be the user's home organization (where they were created).
  • Everyone and Admin Center Administrators groups are noneditable.
    • Everyone – Reflects everyone in your organization. User membership to the Everyone group is not affected by any groups sent by your SSO provider.
    • Admin Center Administrators – Reflects administrators of the Opti ID Admin Center. You must create this group in your SSO provider with the same name and assign admins to this group so that they get administrator access to the Opti ID Admin Center.
  • When created, Just In Time (JIT) users are added to the Everyone group. If the SSO provider sent a groups claim, and groups with the same names exist in Opti ID, the users are added to those groups in Opti ID when they sign in.
  • The JIT user creation process happens regardless of the groups claim, so even if the groups claim is missing or names groups not found in Opti ID, the user is still created.
  • On subsequent logins, if the groups claim names groups that exist in Opti ID, the user is added to them.
  • The sync from your SSO provider to Opti ID only adds groups (or users to groups). If you remove a group (or a user from a group) in your SSO provider, you must manually remove that group (or user from that group) in Opti ID.
  • If you change the name of a group in Opti ID, you must make the same changes in your SSO provider.

Create groups in the SSO provider

Set up synchronization in Azure AD

You should review some initial considerations for using Azure AD (AAD). The feature availability is based on the current AAD SKU noted below. For Application groups functionality, the AAD instance must be a premium SKU. If you do not have access to the premium SKU, you can use alternative methods to provide group information in the claims while logging into Opti ID by assigning individual users to the application.

  1. In AAD, go to the enterprise application you set up for SSO.
  2. Click Single sign-on > Edit in the Attributes & Claims section.
  3. Click Add a group claim.
  4. On the Group Claims page, select Groups assigned to the application.
  5. Expand the Source attribute drop-down list and select Cloud-only group display names.
    The Source attribute value must match the group name in Opti ID for the mapping to work.
  6. (Optional) Set the Filter groups section in Advanced options, based on your organization's requirements, to send only the groups you want to synchronize with Opti ID.
  7. Customize the name of the group claim with Groups as the Name and no Namespace. The other checkboxes can remain cleared.

The SSO provider sends the selected group values (display names, or group IDs where that is the chosen source attribute) in an array. Opti ID receives the array and adds the users to the groups whose names match when they sign in.

Set up synchronization in Okta

Create groups with names that mirror the Opti ID group names to synchronize.

Go to your Admin panel in Okta and select Directory > Groups > Add group.
Once you add the groups you want to synchronize, you can assign users to the groups.

Assign users to groups in the SSO provider

Assign users to groups in AAD

  1. In the Azure portal, go to Azure Active Directory > Groups.
  2. Select the group you want to manage.
  3. Select either Members or Owners.
  4. Click Add (members or owners).
  5. Search for and select the users you want to add (you can select multiple users at one time).
  6. Click Select.
  7. The Group Overview page updates to show the number of members or owners you added to the group.

Assign users to groups in Okta

  1. In the Okta Admin panel, go to Directory > Groups.
  2. Search for and select a group.
  3. Search for the name of the user you want to add.
  4. Click Assign to assign the user to the group.
  5. Click Done.

After you assign users to the groups, add the groups claim to the SAML application for groups assertion.

Set up Groups claim in SAML application

  1. Select the General Settings tab and click Edit in the SAML settings group.
  2. Click Next.
  3. In the Configure SAML section, go to the Group Attribute Statements section and change the filter criteria to only send the groups you want to synchronize with Opti ID.
  4. Click Next and save the updated application settings.

Create groups in Opti ID Admin Center

  1. Log in to Opti ID and go to the Opti ID Admin Center.
  2. Go to User Manager > Groups.
  3. Click Add Group to create a group with the same name as the one you created in your SSO provider. This syncs the group from your SSO provider to the user the next time they log in using Opti ID.

This group name must exactly match the group name you send from your SSO provider. Your SSO provider configures this value, so you may need to edit the group name later to match the name your SSO provider sends. For example, in some Azure AD SKUs and situations, the best value to send is the Group ID. In this case, you should make the group name in Opti ID the GUID of the Azure AD Group ID.

Opti ID has Everyone and Admin Center Administrators groups available by default. All users remain in Everyone, regardless of what groups the SSO provider sends. If you create an Admin Center Administrators group in your SSO provider, you can synchronize those users to the corresponding group in Opti ID.

How groups sync to Opti ID

Initial login

When a user logs in for the first time to Opti ID, group claims in the token, if any, are matched with groups in Opti ID (by group name for your organization). These groups are then assigned to the user at the time of their first successful login.

You must have domain-based routing set up for successful group assignment at the time of initial login.

If you have domain-based routing set on your identity provider (IdP), you can create JIT users in Opti ID. You can also add users to your organization explicitly in the Opti ID Admin Center.

In either case, if any matching groups are found, they are assigned to the user upon successful login.

Subsequent logins

On subsequent logins by a user through your IdP, any new groups assigned to the user since their previous login are assigned in Opti ID, provided groups with the same names exist in Opti ID.

If you removed a user from a group in your SSO provider, subsequent logins by that user do not remove them from that group in Opti ID. You must manually remove the user from the group in Opti ID.
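The following added example (not Opti ID's own code) models the behaviour described in the overview bullets and in this section: it reads a string-array Groups claim from a constructed SAML AttributeStatement, then applies the add-only, exact-name-match sync, keeping Everyone unconditionally and never removing a group on a later login. The sample assertion fragment, the organization's group list and the case-sensitive comparison are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement carrying the "Groups" claim as a
# string array, one AttributeValue per group name (not a real assertion).
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Groups">
    <saml:AttributeValue>Marketing</saml:AttributeValue>
    <saml:AttributeValue>Admin Center Administrators</saml:AttributeValue>
    <saml:AttributeValue>Contractors</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def groups_claim(attribute_statement_xml: str, claim_name: str = "Groups") -> list[str]:
    """Return the string values of the named claim; empty list if it is absent."""
    root = ET.fromstring(attribute_statement_xml)
    values: list[str] = []
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def sync_groups(current: set[str], claimed: list[str], org_groups: set[str]) -> set[str]:
    """Add-only sync on login, as the page describes.

    - Everyone is always present and is not affected by the claim.
    - A claimed name is added only if a group with exactly that name exists
      in the user's home organization (case-sensitive match is an assumption).
    - Unmatched names are ignored; a missing claim leaves the user unchanged.
    - Nothing is ever removed: a group dropped in the IdP stays until an
      administrator removes it in Opti ID.
    """
    result = set(current) | {"Everyone"}
    for name in claimed:
        if name in org_groups:
            result.add(name)
    return result
```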

After you complete the steps in this article to synchronize your SSO groups, you can still explicitly assign the Opti ID groups (corresponding to your SSO groups that are set up in Opti ID) to the users in your organization in the Opti ID Admin Center.