SSO Group Mapping allows you to maps groups in your internal user directory to regular User Groups in Frontify. As a result, you can ensure that SSO users that belong to internal groups in your directory will belong to respective User Groups in Frontify.

For example, a user in the Marketing department might belong to the Identity Provider user group marketing. You can then create a group in Frontify called, for example, "Marketing Department" and use SSO Group Mapping to specify that you only want users from the Identity Provider user group marketing to belong to this group. When a user from this user group logs in to Frontify, they will automatically be added to the Marketing Department User Group and have access to all the projects that the group has access to.

Below are the steps to set this up:

Step 1. Add User.Groups attribute to your SSO configuration

For the group mapping to work, you ( or your IT team) need to add an additional attribute to the existing Single Sign-On configuration on your end. The attribute is "User.Groups" (please note the spelling and capital letters).

This attribute needs to be added on your end same as the general SSO setup attributes ( User. email, User.FirstName, User.LastName)


Here are some examples of how it can look on your end:

Okta:

OneLogin:


Here is an example of all attributes Frontify needs to map the group information that is being sent when the user is logging in with SSO. When you are testing, Frontify Support is able to see what information is sent when the user is logging in. This is an expected outcome:

{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
"User.Groups":["marketing"]
}

You can see that that mapping User Groups value for this user is "marketing" - this comes from your Identity Provider. This is the value that needs to be added in the mapping details in the User Group settings in Frontify in the next step.

If you are not familiar with SSO details - you’ll get the mapping information from your internal IT services. They can provide you with the available mapping information, e.g. business units, teams, working fields, or similar.


Step 2. Add Group information values in Frontify User Management

You need to be or contact the Account Admin. Go to the User Management Page, then the "Groups" tab.

You can either (1) create new User groups with your SSO mapping information or (2) edit the existing User Group and add the SSO mapping information.

1) Create User Group and add SSO mapping value:

2) or add SSO mapping value to an existing User Group in its settings. By clicking the settings gear icon at the end of the line, you can change the group name, or add the SSO information.


Multiple groups assignment per user

It’s also possible to send more than one group permission with a user login. This information is also comma-separated inside the request (sometimes semicolon-separated, as with OneLogin), between the apostrophes.

{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
„User.Groups“:["marketing","hr","brandingteam"]
}

This means that this use will be able to belong to 3 different groups in Frontify at once.

NOTE: It is not possible to map multiple ( in this example, 3) groups from your user directory to one group in Frontify.


When testing SSO group mapping, you can reach out to support@frontify.com, and the Support team can monitor the logs to see what information is being sent and purpose potential troubleshooting

Appendix:

Single Sign On (SSO) - Fast and convenient login for employees
Access and User Management

Did this answer your question?