In Opti ID, access to any product a user is entitled to is granted through groups. For more information on groups in Opti ID, see Manage groups.
To ease the process of assigning users to groups, Opti ID lets you automatically add users to existing groups within Opti ID when they sign in. To enable this, you must configure the single sign-on (SSO) provider to send a groups claim with the assertion during user login.
Prerequisites
- Configure the SAML or OIDC SSO connection in your identity provider (IdP).
- Create groups in your IdP with names that mirror the Opti ID group names you want to sync.
Considerations
- The groups claim must be a string array. The string values must be the names of the groups as represented in Opti ID.
- The groups specified in the groups claim must already exist in the Opti ID organization that the SSO provider exists in.
- When users are created using just-in-time (JIT) provisioning, they are added to the Everyone group. If the SSO provider sends a groups claim for the logged-in user, and groups with the same names exist in Opti ID, the user is added to those Opti ID groups when they sign in.
- The user creation process for JIT provisioning happens regardless of the groups claim, so even if the groups claim is missing or has groups not found in Opti ID, the user is still created and added to the Everyone group.
- When you add a user in the upstream SSO provider, if Opti ID receives any groups as claims at the time of login and these groups exist in Opti ID with the same name, Opti ID adds the user (if not already present) along with the groups.
- When you update a user in the upstream SSO provider (for example, add groups to the user), and Opti ID receives these groups as claims at the time of login, Opti ID adds the user to those groups, provided groups with the same name exist in Opti ID.
- The sync from your SSO provider to Opti ID only adds groups (or users to groups). If you remove a group (or a user from a group) in your SSO provider, you must manually remove that group (or user from that group) in Opti ID.
- If you change the name of a group in Opti ID, you must make the same changes in your SSO provider. Similarly, if you change the name of the group in your SSO provider, you must make the same changes in Opti ID. Otherwise, any group membership changes you make in the SSO provider will not be reflected in Opti ID.
Configure group sync in PingOne
Create groups
Create groups with names that mirror the Opti ID group names to sync.
To add groups in PingOne, go to Directory > Groups and click the plus (+) icon.
After you add the groups you want to sync, you can assign users to the groups.
Assign users to groups
- Go to Directory > Groups in PingOne.
- Search for and select a group.
- Go to Users > Edit Users.
- Select the users you want to assign to the group and click Save.
After you assign users to the groups, add the groups claim to the SSO application for groups assertion.
Configure groups claim
If your app uses SAML, follow the instructions in the SAML app section. If your app uses OIDC, follow the instructions in the OIDC app section.
SAML app
- Go to Applications > Applications in PingOne and select the SAML client application that you want to configure.
- Go to the Attribute Mappings tab and click Edit.
- Click Add, then add the following attribute (case-sensitive):
- Attribute – Groups
- PingOne Mapping – Group Names
OIDC app
- Go to Applications > Applications in PingOne and select the OIDC client application that you want to configure.
- Go to the Attribute Mappings tab and click Edit.
- Click Add, then add the following attribute (case-sensitive):
- Attribute – groups
- PingOne Mapping – Group Names
Create groups in Opti ID Admin Center
- Go to Group Access > Groups in the Opti ID Admin Center.
- Click Add Group to create a group with the same name as the one you created in your SSO provider. This syncs the group from your SSO provider to the user the next time they log in using Opti ID.
This group name must exactly match the group name you send from your SSO provider. Your SSO provider configures this value, so you may need to edit the group name later to match the name your SSO provider sends. For example, in some situations, the best value to send is the IdP's Group ID. In this case, you should make the group name in Opti ID the GUID of the IdP's Group ID.
Opti ID has Everyone and Admin Center Administrators groups available by default. All users remain in Everyone, regardless of what groups the SSO provider sends. If you create an Admin Center Administrators group in your SSO provider, you can sync those users to the corresponding group in Opti ID.
Configure roles and groups
Configure roles and groups in the Opti ID Admin Center. See the following topics.
Events when groups sync to Opti ID
Initial login
When a user logs in for the first time to Opti ID, group claims in the token, if any, are matched with groups in Opti ID (by group name for your organization). These groups are then assigned to the user at the time of their first successful login.
If you have domain-based routing set on your IdP, you can create JIT users in Opti ID. You can also add users to your organization explicitly in the Opti ID Admin Center.
In either case, if any matching groups are found, they are assigned to the user upon successful login.
Subsequent logins
On subsequent logins by a user through your IdP, any new groups assigned to the user since their previous login are assigned in Opti ID, provided groups with the same name exist in Opti ID.
After you complete the steps in this article to sync your SSO groups, you can still explicitly assign the Opti ID groups (corresponding to your SSO groups that are set up in Opti ID) to the users in your organization in the Opti ID Admin Center.
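The matching rules in the Considerations list above and the initial/subsequent login behavior described in this section can be summarized as a small model. The following Python is an added example written for this article, not Opti ID's or PingOne's code; the Organization class, the sync_on_login function and the sample users and group names are constructed assumptions that encode the rules as stated: the groups claim must be a string array, claim values are matched to existing group names by exact string comparison (so a value that differs only in case does not match), every user is always in Everyone, the sync only ever adds memberships, and a missing or malformed claim still creates the user.

```python
"""Model of the Opti ID groups-claim sync rules described in this article.

Added illustration only: Organization, sync_on_login and the sample data are
assumptions made for this example, not Opti ID's own implementation.
"""
from dataclasses import dataclass, field

EVERYONE = "Everyone"  # built-in group that every user belongs to


@dataclass
class Organization:
    """Groups that exist in one Opti ID organization and the users' memberships."""
    groups: set[str]                                      # group names in Opti ID
    members: dict[str, set[str]] = field(default_factory=dict)  # user -> groups

    def sync_on_login(self, user: str, groups_claim) -> dict:
        """Apply the documented rules for one login of `user`.

        - The user is created (JIT) if absent and is always placed in Everyone,
          whether or not a usable groups claim arrived.
        - Claim values are matched to existing group names by exact string
          equality; values with no matching group are ignored.
        - The sync is additive: memberships are never removed here, so a group
          removed on the IdP side must be removed in Opti ID manually.
        Returns a summary suitable for an audit log.
        """
        created = user not in self.members
        current = self.members.setdefault(user, set())
        current.add(EVERYONE)

        # The claim must be a string array; anything else is treated as absent.
        if isinstance(groups_claim, list):
            claimed = [g for g in groups_claim if isinstance(g, str)]
        else:
            claimed = []

        matched = {g for g in claimed if g in self.groups}
        ignored = sorted(set(claimed) - matched)
        added = sorted(matched - current)
        current |= matched
        return {
            "created": created,
            "added": added,
            "ignored": ignored,
            "memberships": sorted(current),
        }

    def remove_from_group(self, user: str, group: str) -> bool:
        """Explicit administrator removal, the only way a membership goes away."""
        if user in self.members and group in self.members[user] and group != EVERYONE:
            self.members[user].discard(group)
            return True
        return False


def demo() -> list[dict]:
    """Walk one constructed user through first and subsequent logins."""
    org = Organization(groups={EVERYONE, "Admin Center Administrators", "CMS Editors"})
    results = []
    # Initial login: one exact match, one case mismatch, one unknown group.
    results.append(org.sync_on_login("alice@example.com",
                                     ["CMS Editors", "cms editors", "Marketing"]))
    # Subsequent login after the IdP admin added a group to the user.
    results.append(org.sync_on_login("alice@example.com",
                                     ["Admin Center Administrators"]))
    # Subsequent login with an empty claim: nothing is removed.
    results.append(org.sync_on_login("alice@example.com", []))
    # New user whose IdP sent a plain string instead of an array: still created.
    results.append(org.sync_on_login("bob@example.com", "CMS Editors"))
    return results


if __name__ == "__main__":
    for step, result in enumerate(demo(), start=1):
        print(f"login {step}: {result}")
```

Running the module prints one summary per login; the `ignored` list is the value worth surfacing in an audit trail, since a group name that the IdP sends but Opti ID does not recognise (for example after a rename on either side, as the Considerations warn) shows up there rather than failing the login.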