SAML SSO
SSO Group Mapping allows you to map groups in your internal user directory to regular User Groups in Frontify. As a result, you can ensure that SSO users that belong to internal groups in your directory will belong to respective User Groups in Frontify.
For example, a user in the Marketing department might belong to the Identity Provider user group marketing. You can create a group in Frontify called, for example, "Marketing Department" and use SSO Group Mapping to specify that you only want users from the Identity Provider user group marketing to belong to this group.
When a user from this user group logs in to Frontify, they will automatically be added to the Marketing Department User Group and have access to all the projects to which the group has access.
Below are the steps to set this up:
Step 1. Add User.Groups attribute to your SSO configuration
For the group mapping to work, you ( or your IT team) need to add an additional attribute to the existing Single Sign-On configuration on your end. The attribute is "User.Groups" (please note the spelling and capital letters).
You need to add this attribute on your end, same as the general SSO setup attributes ( User. email, User.FirstName, User.LastName)
Here are some examples of how it can look on your end:
Okta:
OneLogin:
Here is an example of all attributes Frontify needs to map the group information sent when the user logs in with SSO. When you are testing, Frontify Support can see what information is sent when the user is logging in.
This is an expected outcome:
{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
"User.Groups":["marketing"]
}
You can see that mapping User Groups value for this user is "marketing" - this comes from your Identity Provider. That is the value that needs to be added to the mapping details in the User Group settings in Frontify in the next step.
If you are unfamiliar with SSO details - you’ll get the mapping information from your internal IT services. They can provide you with the available mapping information, e.g., business units, teams, working fields, or similar.
Step 2. Add Group information values in Frontify User Management
You need to be or contact the Account Admin. Go to the User Management Page, then the "Groups" tab.
You can either:
(1) create new User groups with your SSO mapping information or,
(2) edit the existing User Group and add the SSO mapping information.
1) create new User groups with your SSO mapping information:
2) edit the existing User Group and add the SSO mapping information:
By clicking the settings gear icon at the end of the line, you can change the group name or add the SSO information.
Multiple groups assignment per user
It’s also possible to send more than one group permission with a user login. This information is also comma-separated inside the request (sometimes semicolon-separated, as with OneLogin) between the apostrophes.
{
"User.email":"max.muster@frontify.com",
"User.FirstName":"Max",
"User.LastName":"Muster",
„User.Groups“:["marketing","hr","brandingteam"]
}
This script means that this use will be able to belong to 3 different groups in Frontify at once.
NOTE: It is not possible to map multiple (in this example, 3) groups from your user directory to one group in Frontify.
Step 3. Test that SSO users are mapping to Frontify groups
You can test if your mapping is working by following these steps.
Set up a Frontify group with the SSO group name in the Frontify group "SSO group mapping" settings field (Admins must set this up)
Have a user log in via SSO who is in that group
If they show up in that Frontify group, they have mapped!
If you are struggling to get group mapping to function, you can reach out to support@frontify.com, and the Customer Support team can monitor the logs to see what information is being sent and the purpose of potential troubleshooting.
Please note: when an employee changes company directory groups, the Frontify account administrator must manually remove the user from the Frontify group that is no longer valid - they will not automatically be mapped "away" from that group.
OpenID Connect (OIDC) SSO
We use the same method to map groups as we do with SAML.
This means that depending on the identity provider, we need to have the correct scope set in the configuration. By default we expect the scope roleNames which is an addition to the required scopes (openid profile email). The value sent within roleNames needs to be added to the SSO mapping information within Frontify.
If you are struggling to get group mapping to function, you can reach out to support@frontify.com, and the Customer Support team can monitor the logs to see what information is being sent and the purpose of potential troubleshooting.
Furthermore, when an employee changes groups, the Frontify account administrator must manually remove the user from the group that is no longer valid.
Appendix: