After your IT team and Frontify Support have set up Single Sign On (SSO) access, the next step is to set up permissions for SSO users. There are 3 ways to manage SSO user permissions:
Identity Provider application access & limitations
User Groups with SSO (group mapping)
1. Identity Provider application access & limitations
Limiting access to Frontify can be done from your company's Identity Provider (IdP). This is done using user groups in the Identity Provider. For example, users in the Marketing department might be in the user group 'marketing' and those in Sales in the 'sales' user group.
SSO setup connects your Identity Provider to Frontify. This way all employees in the Identity Provider can log in to Frontify with their SSO credentials and without having to be invited. Your IT department can limit access, however, and only allow certain user groups to log in to Frontify with SAML or OpenID Connect, instead everyone in your company. For example, the user group 'engineering' might not have access, while 'design' would be granted access.
Note: The Frontify user list will not pull in all Identity Provider users automatically. Users will only appear on the Frontify usage page after they have logged in for the first time.
2. Frontify Smart Groups
You are probably already familiar with Frontify User Groups. Individual users are manually added to these groups.
With Smart Groups, users are automatically included in the groups. Frontify Support and your Customer Success Manager must help you set up Smart Groups.
Smart Groups automatically include users based on certain selected filters that make the most sense for your Frontify environment. These include:
Email address (include/exclude specific email domains)
Last login mode (Single Sign On or username/password)
Sign-up mode (through Single Sign On or by invitation)
After setup of your SSO, you can use Smart Groups to give all SSO users access to a project(s) within Frontify. This way, if a new user logs in via SSO (vs. invite), they will not see an empty Frontify dashboard, but, for example, your company's main Style Guide.
Learn more about Smart Groups here
3. User Groups with SSO: Your Identity Provider + Frontify
A third option for managing SSO users is to pair your company's Identity Provider user groups with Frontify groups to map Identity Provider user groups to Frontify groups.
With group mapping, you tell your Identity Provider to include users in a specific user group in a Frontify user group.
For example, a user in the Marketing department might belong to the Identity Provider user group marketing. You can then create a group in Frontify called, for example, "Marketing" and use SSO Group Mapping to specify that you only want users from the Identity Provider user group marketing to belong to this group. When a user from this user group logs in to Frontify, they will automatically be added to the Marketing group and have access to all the projects that group has access to.
Note that after you have mapped Identity Provider user groups to Frontify users groups, users will only appear as part of that group only when they log in after the mapping has been done.