What is Group Mapping?
SSO Group Mapping allows Frontify to assign users to Frontify groups based on group information from your Identity Provider (IdP) when users log in via SAML or OIDC Single Sign-On.
Your Identity Provider (IdP) is the system your organization uses to manage employee logins and access to applications, for example Okta, Microsoft Entra ID (Azure AD), or Google Workspace.
When a user logs in to Frontify through SSO, the IdP sends information about that user, including which groups they belong to. Frontify can use that information to automatically assign the user to the appropriate Frontify groups.
How Group Mapping Works
Group mapping is evaluated each time a user logs in to Frontify via SSO.
During login, Frontify checks the user's group information from the IdP and applies any configured mappings:
Users are added to mapped Frontify groups if they belong to the corresponding IdP group.
Users are removed from mapped Frontify groups if they are no longer part of that IdP group.
These updates occur only at the time of login.
Important Limitations
Frontify does not support SCIM provisioning or continuous group synchronization.
Group membership updates happen only when a user authenticates via SSO.
This means:
Changes made in the IdP do not update Frontify immediately
Users must log in again for group membership changes to take effect
There is no automatic background sync of groups or users
If access needs to be updated before the user logs in again, an administrator can manually adjust group membership in Frontify.
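The login-time behaviour and its limitation, modelled as an added sketch (not Frontify's code): `plan_login_sync` computes the additions and removals for one login, and `stale_access` lists access that was revoked in the IdP but persists until the user next authenticates. The Frontify group names, user rows, timestamps and the rule that unmapped groups are left untouched are assumptions; matching is case-insensitive as described in the setup steps.

```python
from datetime import datetime

# Frontify group -> the one IdP value in its SSO group mapping field.
# Group names on the left are hypothetical; values come from the page's payloads.
MAPPING = {"Marketing Team": "marketing", "HR": "hr", "Brand Core": "brandingteam"}


def plan_login_sync(idp_groups, current_groups, mapping=MAPPING):
    """Return (to_add, to_remove) for one SSO login; matching is case-insensitive.

    Assumption: groups that have no mapping are left untouched.
    """
    sent = {g.casefold() for g in idp_groups}
    to_add, to_remove = set(), set()
    for frontify_group, idp_value in mapping.items():
        entitled = idp_value.casefold() in sent
        member = frontify_group in current_groups
        if entitled and not member:
            to_add.add(frontify_group)
        elif member and not entitled:
            to_remove.add(frontify_group)
    return to_add, to_remove


def stale_access(users, mapping=MAPPING):
    """(email, group) pairs revoked in the IdP but still held until next login."""
    findings = []
    for u in users:
        if u["idp_changed"] <= u["last_login"]:
            continue  # the last login already applied the current IdP state
        _, to_remove = plan_login_sync(u["idp_groups"], u["frontify_groups"], mapping)
        findings += [(u["email"], g) for g in sorted(to_remove)]
    return findings


# Constructed sample rows: IdP groups now, Frontify membership as of last login.
USERS = [
    {"email": "a@example.com", "idp_groups": ["Marketing"],
     "frontify_groups": {"Marketing Team", "HR", "Guests"},
     "last_login": datetime(2024, 1, 10), "idp_changed": datetime(2024, 2, 1)},
    {"email": "b@example.com", "idp_groups": ["hr"],
     "frontify_groups": {"HR"},
     "last_login": datetime(2024, 3, 1), "idp_changed": datetime(2024, 2, 1)},
]

if __name__ == "__main__":
    print(plan_login_sync(["Marketing", "HR"], {"Brand Core", "Guests"}))
    print(stale_access(USERS))
```

Pairs returned by `stale_access` are the ones an administrator would adjust manually when access has to change before the next login.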
Previous Behavior
Previously, group mapping only added users to groups during login.
If a user was removed from a group in the IdP, they remained in the corresponding Frontify group until an administrator updated it manually.
Frontify now updates both additions and removals during login, helping keep group membership aligned with IdP groups whenever users authenticate.
Requirements
A working SAML or OIDC configuration
Attribute User.Groups for SAML / scope roleNames (alternative: groups or roles) for OIDC
Account administrator access to Frontify's access management
Setup for SAML
Step 1: Add User.Groups attribute to SSO attributes
Make sure your IdP sends the User.Groups attribute, just like User.email, User.FirstName, and User.LastName.
Example payload:
{
"User.email": "max.muster@frontify.com",
"User.FirstName": "Max",
"User.LastName": "Muster",
"User.Groups": ["marketing"]
}
This adds the user to the "marketing" group in Frontify, assuming the group has been set up and mapped.
If you use OneLogin, Okta, or a similar IdP, consult their documentation for instructions on mapping custom attributes.
Step 2: Map Group Values in Frontify
Go to Access Management > Groups
Create or edit a group
Click Settings via the 3-dots menu
Add the exact User.Groups value (e.g., marketing) to the SSO group mapping field
Group mapping in SSO is handled in a case-insensitive manner. This means that group names are treated the same regardless of whether they contain uppercase or lowercase letters. This approach follows common industry standards to ensure better interoperability across systems and reduce potential mapping errors.
However, while matching is case-insensitive, the value itself must match exactly what is sent by the IdP (whether that is a group name or a unique group ID).
Step 3: Test Mapping
Have a test user log in via SSO
If mapped correctly, they will appear in the assigned Frontify user group
Need help? Contact support@frontify.com. We can inspect login logs if needed.
Multiple groups assignment
Users can belong to multiple groups:
{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
"User.Groups":["marketing","hr","brandingteam"]
}
They'll be added to all matching Frontify groups.
Note: You can't map multiple IdP groups to a single Frontify group.
MS Entra ID Special Case:
Microsoft Entra ID may send groups as unique Object IDs (GUIDs) instead of group display names. If this is the case, you must use the Object ID values in the SSO group mapping field (not the group names).
Additionally, Entra does not send groups as an array by default. Instead, it may use multiple attributes. Please coordinate with your IT team to ensure group data is sent as a single User.Groups array.
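A pre-flight check for the SAML cases above, as an added example (not Frontify tooling): it takes the attributes from one test login plus the values entered in the SSO group mapping fields and reports a missing or non-array User.Groups, Object IDs sent where names were mapped, and values no group maps. The function name, finding texts and sample GUID are constructed for illustration.

```python
import re

# 8-4-4-4-12 hex layout used by Entra Object IDs.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample Object ID, not a real tenant value.
ENTRA_ID = "3f2a9c1e-0b7d-4e5a-9c1d-2a6b8e4f7d10"


def check_payload(attrs, mapped_values):
    """Return findings for one login's attributes.

    mapped_values: strings entered in Frontify's SSO group mapping fields.
    """
    groups = attrs.get("User.Groups")
    if groups is None:
        return ["User.Groups attribute is missing"]

    findings = []
    if not isinstance(groups, list):
        # The page asks for a single User.Groups array.
        findings.append("User.Groups is not an array")
        groups = [groups]

    mapped = {v.casefold() for v in mapped_values}  # case-insensitive match
    guids_mapped = any(GUID.match(v) for v in mapped_values)

    for value in map(str, groups):
        if value.casefold() in mapped:
            continue
        if GUID.match(value) and not guids_mapped:
            findings.append(f"{value}: Object ID sent but mapping fields hold names")
        else:
            findings.append(f"{value}: no Frontify group maps this value")
    return findings


if __name__ == "__main__":
    ok = {"User.email": "max.muster@frontify.com", "User.Groups": ["Marketing", "hr"]}
    print(check_payload(ok, ["marketing", "HR"]))
    print(check_payload({"User.Groups": ENTRA_ID}, ["marketing"]))
```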
Setup for OpenID Connect (OIDC)
OIDC group mapping works similarly to SAML, using role-based scopes in the token payload.
Include the roleNames scope (or equivalent) along with:
openid
profile
email
Example payload:
Roles from token payload: "marketing", "design"
Add these values to the SSO Group Mapping field in Frontify.
Testing & Troubleshooting
If you're having trouble with group mapping, contact support@frontify.com. We can inspect login logs to see what information is being sent and identify issues.
Limitations (Legacy Behavior)
In older configurations without SCIM-based synchronization, group removal is not automatic.
If a user is removed from a group in your Identity Provider (IdP), the account administrator must manually remove them in Frontify.
We recommend updating to the SCIM-based group synchronization setup to benefit from fully automated group lifecycle management.
Existing SAML or OIDC configurations can easily be upgraded to support SCIM-based group sync.