SSO User Groups mapping

Map identity provider groups to Frontify User Groups to automate user access via SSO.


What is Group Mapping

SSO Group Mapping allows you to automatically assign users from your identity provider (IdP) to user groups in Frontify. This ensures seamless and consistent access control across your organization via SAML or OIDC Single Sign-On.


Requirements

  • A working SAML or OIDC configuration

  • The User.Groups attribute for SAML, or the roleNames scope (alternatively groups or roles) for OIDC

  • Account administrator access to Frontify's access management


Setup for SAML

Step 1: Add User.Groups attribute to SSO attributes

Make sure your IdP sends the User.Groups attribute, just like User.email, User.FirstName, and User.LastName.

Example payload:

{
  "User.email": "max.muster@frontify.com",
  "User.FirstName": "Max",
  "User.LastName": "Muster",
  "User.Groups": ["marketing"]
}

This adds the user to the "marketing" group in Frontify, assuming the group has been set up and mapped.

If you use OneLogin, Okta, or a similar IdP, consult their documentation for instructions on mapping custom attributes.

Step 2: Map Group Values in Frontify

  1. Go to Access Management > Groups

  2. Create or edit a group

  3. Click Settings via the 3-dots menu

  4. Add the exact User.Groups value (e.g., marketing) to the SSO group mapping field

Step 3: Test Mapping

  • Have a test user log in via SSO

  • If mapped correctly, they will appear in the assigned Frontify user group

Need help? Contact support@frontify.com. We can inspect login logs if needed.


Multiple groups assignment

Users can belong to multiple groups:

{
  "User.email": "max.muster@frontify.com",
  "User.FirstName": "Max",
  "User.LastName": "Muster",
  "User.Groups": ["marketing", "hr", "brandingteam"]
}

They'll be added to all matching Frontify groups.

Note: You can't map multiple IdP groups to a single Frontify group.

MS Entra ID Special Case:

Entra doesn't send groups as an array by default. Instead, it uses multiple attributes. Please coordinate with your IT team to send group data as a single User.Groups array.


Setup for OpenID Connect (OIDC)

OIDC group mapping works similarly to SAML, using role-based scopes in the token payload.

Include the roleNames scope (or equivalent) along with:

  • openid

  • profile

  • email

Example payload:

Roles from token payload: "marketing", "design"

Add these values to the SSO Group Mapping field in Frontify.


Testing & Troubleshooting

If you're having trouble with group mapping, contact support@frontify.com. We can inspect login logs to see what information is being sent and identify issues.


Limitations

Group removal is not automatic. If a user is removed from a group in your IdP, the account administrator must also manually remove them in Frontify.
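
Because removals do not propagate, a periodic comparison of IdP group data against Frontify group membership shows which manual removals are still pending. The following is an added example, not Frontify code: the three data sets are constructed by hand, how you export them from your IdP and from Frontify is left open, and the function name and the case-sensitive comparison are assumptions.

```python
# Added example: list Frontify memberships the IdP no longer backs.
# All data is constructed; the export step from IdP and Frontify is assumed.

# Frontify group -> the single value in its SSO group mapping field.
# None means the group has no SSO mapping and is managed manually.
GROUP_MAPPING = {
    "Marketing": "marketing",
    "HR": "hr",
    "Branding Team": "brandingteam",
    "Agency Guests": None,
}

# IdP state: lowercase email -> User.Groups values sent at login today.
IDP_GROUPS = {
    "max.muster@frontify.com": ["marketing", "brandingteam"],
    "erika.example@example.com": ["hr"],
}

# Frontify state: group -> current member emails.
FRONTIFY_MEMBERS = {
    "Marketing": ["max.muster@frontify.com", "erika.example@example.com"],
    "HR": ["Max.Muster@frontify.com", "erika.example@example.com"],
    "Branding Team": ["max.muster@frontify.com"],
    "Agency Guests": ["freelancer@example.com"],
}


def find_stale_memberships(mapping, idp_groups, frontify_members):
    """Return sorted (email, frontify_group, reason) tuples for manual review."""
    stale = []
    for group, members in frontify_members.items():
        sso_value = mapping.get(group)
        if sso_value is None:
            continue  # not SSO-mapped, so the IdP is not its source of truth
        for email in members:
            key = email.strip().lower()
            if key not in idp_groups:
                stale.append((key, group, "user not in IdP export"))
            elif sso_value not in idp_groups[key]:  # assumed case-sensitive
                stale.append((key, group, f"IdP no longer sends '{sso_value}'"))
    return sorted(stale)


if __name__ == "__main__":
    rows = find_stale_memberships(GROUP_MAPPING, IDP_GROUPS, FRONTIFY_MEMBERS)
    for email, group, reason in rows:
        print(f"REVIEW {email} in '{group}': {reason}")
```

Users who were added by hand to an SSO-mapped group are flagged as well, which is intended: every flagged row is a membership that no current IdP assertion justifies.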

