SSO User Groups mapping

How to combine User Groups with SAML Single Sign-On (SSO)


SSO Group Mapping allows you to map groups in your internal user directory to regular User Groups in Frontify. As a result, you can ensure that SSO users that belong to internal groups in your directory will belong to respective User Groups in Frontify.

For example, a user in the Marketing department might belong to the Identity Provider user group marketing. You can create a group in Frontify called, for example, "Marketing Department" and use SSO Group Mapping to specify that you only want users from the Identity Provider user group marketing to belong to this group.

When a user from this user group logs in to Frontify, they will automatically be added to the Marketing Department User Group and have access to all the projects to which the group has access.

Below are the steps to set this up:

Step 1. Add User.Groups attribute to your SSO configuration

For the group mapping to work, you (or your IT team) need to add an additional attribute to the existing Single Sign-On configuration on your end. The attribute is "User.Groups" (please note the spelling and capital letters).

You need to add this attribute on your end, in the same way as the general SSO setup attributes (User.email, User.FirstName, User.LastName).


Here are some examples of how it can look on your end:

Okta:

OneLogin:


Here is an example of all attributes Frontify needs to map the group information sent when the user logs in with SSO. When you are testing, Frontify Support can see what information is sent when the user is logging in.

This is an expected outcome:

{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
"User.Groups":["marketing"]
}

You can see that the User.Groups value for this user is "marketing". This value comes from your Identity Provider, and it is the value that needs to be added to the mapping details in the User Group settings in Frontify in the next step.

If you are unfamiliar with SSO details, you'll get the mapping information from your internal IT services. They can provide you with the available mapping information, e.g., business units, teams, working fields, or similar.


Step 2. Add Group information values in Frontify User Management

You need to be the Account Admin or contact the Account Admin. Go to the User Management Page, then the "Groups" tab.

You can either:

(1) create new User groups with your SSO mapping information or,

(2) edit the existing User Group and add the SSO mapping information.

1) create new User groups with your SSO mapping information:

2) edit the existing User Group and add the SSO mapping information:

By clicking the settings gear icon at the end of the line, you can change the group name or add the SSO information.


Multiple groups assignment per user

It's also possible to send more than one group permission with a user login. This information is comma-separated inside the request (sometimes semicolon-separated, as with OneLogin), between the apostrophes.

{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
"User.Groups":["marketing","hr","brandingteam"]
}

This means that this user will be able to belong to 3 different groups in Frontify at once.

NOTE: It is not possible to map multiple (in this example, 3) groups from your user directory to one group in Frontify.


When testing SSO group mapping, you can reach out to support@frontify.com, and the Support team can monitor the logs to see what information is being sent, for the purpose of potential troubleshooting.

Please note that group mapping is possible for SAML connections, not for OIDC setups.

Furthermore, when an employee changes groups, the Frontify account administrator must manually remove the user from the group that is no longer valid.
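
Because removals are manual, a periodic access review helps catch memberships that the Identity Provider no longer asserts. The following is an added example, not Frontify code: it takes the attributes sent at login (in the format shown above, with comma- or semicolon-separated values handled) and a list of the user's current Frontify groups, and reports which memberships are stale. The mapping table, the group names other than "Marketing Department", and the hand-supplied membership list are constructed assumptions; no Frontify API is used.

```python
import re

# Constructed mapping: IdP group value -> Frontify User Group name (one-to-one,
# since several directory groups cannot be mapped to one Frontify group).
GROUP_MAPPING = {
    "marketing": "Marketing Department",
    "hr": "Human Resources",
    "brandingteam": "Branding Team",
}

def normalize_groups(value):
    """Return the set of group values from a User.Groups attribute.

    Accepts a list of values or a single comma-/semicolon-separated string.
    """
    if value is None:
        return set()
    items = [value] if isinstance(value, str) else list(value)
    groups = set()
    for item in items:
        for part in re.split(r"[;,]", str(item)):
            if part.strip():
                groups.add(part.strip())
    return groups

def review_membership(attributes, current_groups, mapping=GROUP_MAPPING):
    """Compare asserted groups with the user's current group memberships."""
    asserted = normalize_groups(attributes.get("User.Groups"))
    expected = {mapping[g] for g in asserted if g in mapping}
    managed = set(mapping.values())
    current = set(current_groups)
    return {
        "unmapped": sorted(asserted - set(mapping)),
        "added_on_login": sorted(expected - current),
        # Memberships in SSO-mapped groups that the IdP no longer asserts;
        # these need manual removal by the account administrator.
        "stale": sorted((current & managed) - expected),
    }

# Constructed sample: the user has left "hr" in the directory.
SAMPLE_ATTRIBUTES = {
    "User.email": "max.muster@frontify.com",
    "User.FirstName": "Max",
    "User.LastName": "Muster",
    "User.Groups": ["marketing;brandingteam"],
}
SAMPLE_CURRENT = ["Marketing Department", "Human Resources", "Design Guild"]

if __name__ == "__main__":
    print(review_membership(SAMPLE_ATTRIBUTES, SAMPLE_CURRENT))
```

Groups that are not part of the SSO mapping (here "Design Guild") are left out of the stale list, since they are managed by hand in Frontify.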

Appendix:
