In Opti ID, user access to any entitled product is done using groups. For more information on groups in Opti ID, see Groups.
To ease the process of assigning users to groups, Opti ID lets you automatically add users to existing groups within Opti ID when they sign in. To enable this, you must configure the single sign-on (SSO) provider to send a groups claim with the assertion during user login.
Prerequisites
- Configure SSO for your Opti ID organization.
- Create groups in your identity provider (IdP) with names that mirror the Opti ID group names you want to sync.
Considerations
- The groups claim must be a string array. The string values must be the names of the groups as represented in Opti ID.
- The groups specified in the groups claim must already exist in the Opti ID organization that the SSO provider exists in.
- When users are created using just-in-time (JIT) provisioning, they are added to the Everyone group. If the SSO provider sent any groups claims for the logged-in user, and groups with the same names exist in Opti ID, the user is added to those Opti ID groups at sign-in.
- The user creation process for JIT provisioning happens regardless of the groups claim, so even if the groups claim is missing or has groups not found in Opti ID, the user is still created and added to the Everyone group.
- When you add a user in the upstream SSO provider, if Opti ID receives any groups as claims at the time of login and these groups exist in Opti ID with the same name, Opti ID adds the user (if not already present) along with the groups.
- When you update a user in the upstream SSO provider (for example, add groups to the user), and Opti ID receives these groups as claims at the time of login, Opti ID adds the user to those groups, provided groups with the same name exist in Opti ID.
- The sync from your SSO provider to Opti ID only adds groups (or users to groups). If you remove a group (or a user from a group) in your SSO provider, you must manually remove that group (or user from that group) in Opti ID.
- If you change the name of a group in Opti ID, you must make the same changes in your SSO provider. Similarly, if you change the name of the group in your SSO provider, you must make the same changes in Opti ID. Otherwise, any group membership changes you make in the SSO provider will not be reflected in Opti ID.
Set up group sync in Okta
Create groups with names that mirror the Opti ID group names to sync.
Go to your Admin panel in Okta and select Directory > Groups > Add group.
After you add the groups you want to sync, you can assign users to the groups.
Assign users to groups in Okta
- In the Okta Admin panel, go to Directory > Groups.
- Search for and select a group.
- Search for the name of the user you want to add.
- Click Assign to assign the user to the group.
- Click Done.
After you assign users to the groups, add the groups claim to the SSO application for groups assertion.
Set up groups claim in SAML or OIDC app
SAML app
- In Okta, go to the enterprise application you set up for SSO.
- Select the General Settings tab and click Edit in the SAML settings group.
- Click Next.
- In the Configure SAML section, go to the Group Attribute Statements section and change the filter criteria to only send the groups you want to sync with Opti ID.
- Click Next and save the updated application settings.
OIDC app
- In Okta, go to Applications > Applications and select the OIDC client application that you want to configure.
- Go to the Sign On tab and click Edit in the OpenID Connect ID Token section.
- Select Filter or Expression for the Groups claim type.
- Leave the default name groups for the Group claims filter, and then add the appropriate filter. For example, select Matches regex and enter .* to return all of the user's groups.
- Click Save.
Create groups in Opti ID Admin Center
- Go to Group Access > Groups in the Opti ID Admin Center.
- Click Add Group to create a group with the same name as the one you created in your SSO provider. This syncs the group from your SSO provider to the user the next time they log in using Opti ID.
This group name must exactly match the group name you send from your SSO provider. Your SSO provider configures this value, so you may need to edit the group name later to match the name your SSO provider sends. For example, in some situations, the best value to send is the IdP's Group ID. In this case, you should make the group name in Opti ID the GUID of the IdP's Group ID.
Opti ID has Everyone and Admin Center Administrators groups available by default. All users remain in Everyone, regardless of what groups the SSO provider sends. If you create an Admin Center Administrators group in your SSO provider, you can sync those users to the corresponding group in Opti ID.
Configure roles and groups
Configure roles and groups in the Opti ID Admin Center. See the following topics.
Events when groups sync to Opti ID
Initial login
When a user logs in for the first time to Opti ID, group claims in the token, if any, are matched with groups in Opti ID (by group name for your organization). These groups are then assigned to the user at the time of their first successful login.
If you have domain-based routing set on your IdP, you can create JIT users in Opti ID. You can also add users to your organization explicitly in the Opti ID Admin Center.
In either case, if any matching groups are found, they are assigned to the user upon successful login.
Subsequent logins
On subsequent logins by a user through your IdP, any new groups assigned to the user since their previous login are assigned in Opti ID, provided matching groups with the same name exist in Opti ID.
After you complete the steps in this article to sync your SSO groups, you can still explicitly assign the Opti ID groups (corresponding to your SSO groups that are set up in Opti ID) to the users in your organization in the Opti ID Admin Center.
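The following Python model is an added illustration (not Opti ID's or Okta's code) of the behaviour described in the Considerations and in the initial/subsequent login events above: the claim must be a string array, names are matched exactly against existing Opti ID groups, unknown names are ignored, the sync only ever adds memberships, and Everyone is always kept. The Okta "Matches regex" filter is assumed to be a full-string match, and all group and user data is constructed sample data.

```python
import re

# Constructed sample data: groups that exist in the Opti ID organization,
# and the groups one user holds in the IdP (Finance has no Opti ID twin).
OPTI_ID_GROUPS = {"Everyone", "Admin Center Administrators", "CMS Editors", "Marketing"}
IDP_USER_GROUPS = ["CMS Editors", "Marketing", "Finance", "Everyone"]


def build_groups_claim(idp_groups, filter_regex):
    """Model the IdP-side 'Matches regex' groups filter (assumed full match).

    Narrowing the regex here is how you keep unrelated IdP groups out of the
    assertion, so only the groups meant for Opti ID are ever sent.
    """
    pattern = re.compile(filter_regex)
    return [g for g in idp_groups if pattern.fullmatch(g)]


def validate_groups_claim(claim):
    """The groups claim must be a JSON array of strings; reject anything else."""
    if not isinstance(claim, list) or not all(isinstance(g, str) for g in claim):
        raise ValueError("groups claim must be a string array of Opti ID group names")
    return claim


def sync_groups_on_login(current_memberships, claim, existing_groups):
    """Additive, exact-name matching as the article describes.

    Returns (memberships, added, ignored). Claim names with no Opti ID group
    of exactly the same name are ignored (login still succeeds); the user is
    never removed from a group; Everyone is always present.
    """
    claim_groups = set(validate_groups_claim(claim))
    matched = claim_groups & existing_groups
    ignored = claim_groups - existing_groups
    memberships = set(current_memberships) | matched | {"Everyone"}
    added = memberships - set(current_memberships)
    return memberships, added, ignored


if __name__ == "__main__":
    claim = build_groups_claim(IDP_USER_GROUPS, ".*")          # send all groups
    first, added, ignored = sync_groups_on_login(set(), claim, OPTI_ID_GROUPS)
    print("initial login:", sorted(first), "ignored:", sorted(ignored))
    # Group removed upstream: the next login does NOT remove it in Opti ID.
    later, added, _ = sync_groups_on_login(first, ["CMS Editors"], OPTI_ID_GROUPS)
    print("subsequent login kept:", sorted(later), "newly added:", sorted(added))
```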