
SSO User Groups mapping

Map identity provider groups to Frontify User Groups to automate user access via SSO.

Updated over a week ago


What is Group Mapping

SSO Group Mapping allows you to automatically assign users from your identity provider (IdP) to user groups in Frontify. This ensures seamless and consistent access control across your organization via SAML or OIDC Single Sign-On.

For full automation, Frontify supports SCIM-based group synchronization.
This feature ensures user group memberships are continuously updated based on your Identity Provider (IdP), adding or removing users automatically to keep access perfectly aligned.
It's enabled by default for new configurations but can be customized to add-only mode if you prefer not to automatically remove users.


Requirements

  • A working SAML or OIDC configuration

  • The User.Groups attribute for SAML, or the roleNames scope (alternatively groups or roles) for OIDC

  • Account administrator access to Frontify's access management


Setup for SAML

Step 1: Add User.Groups attribute to SSO attributes

Make sure your IdP sends the User.Groups attribute, just like User.email, User.FirstName, and User.LastName.

Example payload:

{
  "User.email": "max.muster@frontify.com",
  "User.FirstName": "Max",
  "User.LastName": "Muster",
  "User.Groups": ["marketing"]
}

This adds the user to the "marketing" group in Frontify, assuming the group has been set up and mapped.

If you use OneLogin, Okta, or a similar IdP, consult their documentation for instructions on mapping custom attributes.

Step 2: Map Group Values in Frontify

  1. Go to Access Management > Groups

  2. Create or edit a group

  3. Click Settings via the 3-dots menu

  4. Add the exact User.Groups value (e.g., marketing) to the SSO group mapping field

Group mapping in SSO is handled in a case-insensitive manner. This means that group names are treated the same regardless of whether they contain uppercase or lowercase letters. This approach follows common industry standards to ensure better interoperability across systems and reduce potential mapping errors.

Step 3: Test Mapping

  • Have a test user log in via SSO

  • If mapped correctly, they will appear in the assigned Frontify user group

Need help? Contact support@frontify.com; we can inspect login logs if needed.


Multiple groups assignment

Users can belong to multiple groups:

{
  "User.email": "max.muster@frontify.com",
  "User.FirstName": "Max",
  "User.LastName": "Muster",
  "User.Groups": ["marketing", "hr", "brandingteam"]
}

They'll be added to all matching Frontify groups.

Note: You can't map multiple IdP groups to a single Frontify group.

MS Entra ID Special Case:

Entra doesn't send groups as an array by default. Instead, it uses multiple attributes. Please coordinate with your IT team to send group data as a single User.Groups array.


Setup for OpenID Connect (OIDC)

OIDC group mapping works similarly to SAML, using role-based scopes in the token payload.

Include the roleNames scope (or equivalent) along with:

  • openid

  • profile

  • email

Example payload:

Roles from token payload: "marketing", "design"

Add these values to the SSO Group Mapping field in Frontify.


Testing & Troubleshooting

If you're having trouble with group mapping, contact support@frontify.com. We can inspect login logs to see what information is being sent and identify issues.


Limitations (Legacy Behavior)

In older configurations without SCIM-based synchronization, group removal is not automatic.
If a user is removed from a group in your Identity Provider (IdP), the account administrator must manually remove them in Frontify.

We recommend updating to the SCIM-based group synchronization setup to benefit from fully automated group lifecycle management.
Existing SAML or OIDC configurations can easily be upgraded to support SCIM-based group sync.
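
For legacy or add-only setups, where removals are manual, a periodic comparison of IdP group data against Frontify memberships shows which users still hold access the IdP no longer grants. The script below is an added example, not Frontify code. It assumes you can export both sides into the dictionaries shown; the group names, addresses and export shapes are constructed for illustration.

```python
# Added example: stale-membership audit for legacy / add-only group mapping.
# All names and data below are constructed; the export formats are assumptions.

def norm(value):
    """Case-insensitive comparison key, following the page's mapping rule."""
    return value.strip().casefold()

def audit(mapping, idp_groups, memberships):
    """
    mapping:     {Frontify group: SSO group mapping value} (one value per group)
    idp_groups:  {user email: [User.Groups values the IdP currently sends]}
    memberships: {Frontify group: [member emails]}
    Returns (stale, unmapped):
      stale    - (user, Frontify group) pairs no longer backed by the IdP
      unmapped - IdP group values that match no mapping field
    """
    by_value = {norm(v): group for group, v in mapping.items()}
    expected, unmapped = {}, set()
    for user, groups in idp_groups.items():
        for value in {norm(g) for g in groups}:
            if value in by_value:
                expected.setdefault(by_value[value], set()).add(norm(user))
            else:
                unmapped.add(value)
    stale = []
    for group in mapping:  # groups without an SSO mapping are managed by hand: skip
        actual = {norm(m) for m in memberships.get(group, [])}
        stale += [(u, group) for u in sorted(actual - expected.get(group, set()))]
    return stale, sorted(unmapped)

MAPPING = {"Marketing Team": "marketing", "HR": "hr"}
IDP_GROUPS = {
    "max.muster@example.com": ["Marketing", "brandingteam"],  # moved out of hr
    "erika@example.com": ["HR"],                               # moved out of marketing
}
MEMBERSHIPS = {
    "Marketing Team": ["max.muster@example.com", "erika@example.com"],
    "HR": ["erika@example.com", "Max.Muster@example.com", "former@example.com"],
    "Agency Partners": ["freelancer@example.net"],  # no SSO mapping, not audited
}

if __name__ == "__main__":
    stale, unmapped = audit(MAPPING, IDP_GROUPS, MEMBERSHIPS)
    for user, group in stale:
        print(f"remove manually: {user} from {group}")
    print("IdP values with no mapping:", unmapped)
```

Users who no longer appear in the IdP export at all, such as former@example.com here, are reported as stale in every mapped group they still belong to.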

Contact Frontify Customer Support for assistance.

