What is Group Mapping
SSO Group Mapping allows you to automatically assign users from your identity provider (IdP) to user groups in Frontify. This ensures seamless and consistent access control across your organization via SAML or OIDC Single Sign-On.
Requirements
A working SAML or OIDC configuration
Attribute User.Groups for SAML / scope roleNames (alternative groups or roles) for OIDC
Account administrator access to Frontify's access management
Setup for SAML
Step 1: Add User.Groups attribute to SSO attributes
Make sure your IdP sends the User.Groups attribute, just like User.email, User.FirstName, and User.LastName.
Example payload:
{
"User.email": "max.muster@frontify.com",
"User.FirstName": "Max",
"User.LastName": "Muster",
"User.Groups": ["marketing"]
}
This adds the user to the "marketing" group in Frontify, assuming the group has been set up and mapped.
If you use OneLogin, Okta, or a similar IdP, consult their documentation for instructions on mapping custom attributes.
Step 2: Map Group Values in Frontify
Go to Access Management > Groups
Create or edit a group
Click Settings via the 3-dots menu
Add the exact User.Groups value (e.g., marketing) to the SSO group mapping field
Step 3: Test Mapping
Have a test user log in via SSO
If mapped correctly, they will appear in the assigned Frontify user group
Need help? Contact support@frontify.com. We can inspect login logs if needed.
Multiple groups assignment
Users can belong to multiple groups:
{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
"User.Groups":["marketing","hr","brandingteam"]
}
They'll be added to all matching Frontify groups.
Note: You can't map multiple IdP groups to a single Frontify group.
MS Entra ID Special Case:
Entra doesn't send groups as an array by default. Instead, it uses multiple attributes. Please coordinate with your IT team to send group data as a single User.Groups array.
Setup for OpenID Connect (OIDC)
OIDC group mapping works similarly to SAML, using role-based scopes in the token payload.
Include the roleNames scope (or equivalent) along with:
openid
profile
email
Example payload:
Roles from token payload: "marketing", "design"
Add these values to the SSO Group Mapping field in Frontify.
Testing & Troubleshooting
If you're having trouble with group mapping, contact support@frontify.com. We can inspect login logs to see what information is being sent and identify issues.
Limitations
Group removal is not automatic. If a user is removed from a group in your IdP, the account administrator must also manually remove them in Frontify.
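Because removals do not propagate, a periodic reconciliation can list the memberships that need manual cleanup. The following is an added example, not Frontify code: the group names, the extra users and the two exports are constructed, and how you obtain those exports from your IdP and from Frontify is an assumption.

```python
# Frontify group name -> the single User.Groups value mapped to it
# (hypothetical group names; one IdP value per Frontify group).
MAPPING = {"Marketing Team": "marketing", "HR": "hr"}

# Constructed IdP export: user email -> current User.Groups values.
IDP_GROUPS = {
    "max.muster@frontify.com": ["marketing", "brandingteam"],
    "erika.muster@frontify.com": ["hr"],
}

# Constructed Frontify export: group name -> member emails.
FRONTIFY_MEMBERS = {
    "Marketing Team": ["max.muster@frontify.com", "erika.muster@frontify.com"],
    "HR": ["erika.muster@frontify.com", "former.employee@frontify.com"],
}


def stale_memberships(mapping, idp_groups, frontify_members):
    """Return sorted (group, email) pairs that exist in Frontify but are no
    longer backed by the mapped IdP group value."""
    idp = {email.lower(): set(values) for email, values in idp_groups.items()}
    stale = []
    for group, idp_value in mapping.items():
        for email in frontify_members.get(group, []):
            # A user absent from the IdP export holds no groups at all.
            if idp_value not in idp.get(email.lower(), set()):
                stale.append((group, email))
    return sorted(stale)


def unmapped_idp_values(mapping, idp_groups):
    """Return IdP group values that match no SSO group mapping, so they
    place nobody in a Frontify group."""
    mapped = set(mapping.values())
    sent = {value for values in idp_groups.values() for value in values}
    return sorted(sent - mapped)


if __name__ == "__main__":
    for group, email in stale_memberships(MAPPING, IDP_GROUPS, FRONTIFY_MEMBERS):
        print(f"remove manually: {email} from {group}")
    for value in unmapped_idp_values(MAPPING, IDP_GROUPS):
        print(f"no Frontify group maps IdP value: {value}")
```

Members who were added to a Frontify group by hand, without the IdP group, are also reported, so review the list before removing anyone.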
Appendix: