SSO user attribute mapping (Okta version)
Distinguishing user attribute mapping vs group attribute mapping
When mapping attributes between a SAML app and Alli, 'user attributes' that are assigned 1:1 to individual users and 'group attributes' that apply to multiple users belonging to a group differ in how they are configured and applied.
User attribute mapping is a method where information independently assigned to each user, such as name, phone number, and department, is received by Alli as variables and used. In this case, values such as department are mapped 1:1 to Alli's GROUP variable so that Alli groups can be configured based on individual user attributes.
Group attribute mapping is a method that, based on pre-defined group units within the app (e.g., Product_team, Engineer_team, etc.), connects multiple users belonging to that group collectively to Alli groups.
For example, if you map the department field to a user variable, the department value set in each user's attribute will be set as that user's Alli group. On the other hand, if users are grouped within the app and that group information is delivered via group fields, the group-level information will be used to configure Alli groups.
Please accurately distinguish between user attributes and group attributes and proceed with mapping according to the configuration purpose.
Detailed attribute mapping settings (Attribute Mapping)
Here we will explain how to configure attribute mapping between Alli and the Google directory within a SAML app.
Basics
EMAIL is mapped automatically, so no separate configuration is required.
Alli supports the following user scope variables:
FIRST_NAME
LAST_NAME
GROUP
Common variables such as PHONE_NUM
The following variables are not supported.
FILE
CATEGORY
DOCUMENTS
SNIPPETS
User variable mapping
App > General > SAML Settings > Edit > Configure SAML tab
Select the Attribute Statements tab
Enter the appropriate values so that an Alli variable can be selected for NAME and an Okta field can be selected for Value.
Here, as an example, we selected the fields corresponding to First name and Last name and mapped them to match Alli's variable names.

Each user variable name can be checked in Alli Dashboard > Settings > Variables tab.
User group mapping
App > General > SAML Settings > Edit > Configure SAML tab
Select the Attribute Statements tab
In Alli, department is treated as a GROUP variable, so you must enter GROUP in the Name of Attribute Statements.
Enter the field name corresponding to the department in the app in the Value.
You must follow the rules below.
Writing rules
Prefix the value with user.
Then enter the lowercase version of the User Attribute name.
For example, in that app, division is an attribute that acts as a group (department), so enter it as follows:

This SAML app has a total of 3 department types:
Engineering Division
Product Team
Sales Team
Note that the above department information must also be registered identically in Alli for group mapping to be possible.
Group creation and permission assignment

Go to Alli Dashboard > Settings > Members > Groups tab.
Create each group (Engineering Division, Product Team, Sales Team).
Assign the necessary permissions to each group.

As follows, users who log in through the integrated SAML app will have each mapped variable automatically assigned.
Group mapping (when users are natively grouped by group attributes within the app, or when a user belongs to multiple groups)
Add group organizations (units that group users) in the SSO app that integrates with Alli.


In that SAML app, two groups that group individual users have been added, and users are assigned to each group.
However, some users are also members of both groups, Backend and Frontend.

In Group Attribute Statements, enter GROUP in the Name.
Select Matches regex in the Filter and enter .* as the value.
There are two groups that group users in that Okta app.
Backend
Front

Note that the above group information must also be registered identically in Alli for group mapping to be possible.
Click the Save button.
Group creation and permission assignment
Go to Alli Dashboard > Settings > Members > Groups tab.

Create each group (Backend, Front).
Assign the necessary permissions to each group.
For users who log in through an SSO app integrated via SAML, even if they belong to multiple groups in that SSO app, that information is automatically reflected in Alli.
Each time a user logs in, the group information registered in the SAML app is automatically refreshed and reflected in Alli.
Therefore, if a user's group in the SSO app is changed (added, removed, etc.), those changes will be applied to Alli on the next login.
However, Admin privileges are unique privileges that can only be set within the Alli system. These privileges are managed separately in the Alli dashboard regardless of the IDP (SAML integration system), so they are not automatically reflected upon login.
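To check a mapping before relying on it, the added example below (not from the original page, and not Alli or Okta code) reads the attribute statements from a decoded SAML assertion and reports attribute names that match no Alli variable and GROUP values that are not registered as Alli groups. The sample assertion, the user, and the function names are constructed for illustration; the variable and group sets stand in for what you see under Alli Dashboard > Settings.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSUPPORTED = {"FILE", "CATEGORY", "DOCUMENTS", "SNIPPETS"}  # listed on this page

# Constructed sample: attribute statements for a user in two app groups.
# PHONE_NUMBER is misspelled on purpose, and "Everyone" (Okta's default
# group) is present because a ".*" group filter passes every group name.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="FIRST_NAME"><saml:AttributeValue>Dana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LAST_NAME"><saml:AttributeValue>Kim</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="GROUP">
      <saml:AttributeValue>Backend</saml:AttributeValue>
      <saml:AttributeValue>Front</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="PHONE_NUMBER"><saml:AttributeValue>555-0100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's attribute statements."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def audit_mapping(attrs, alli_variables, alli_groups):
    """Compare received attributes with the variables and groups registered in Alli."""
    findings = []
    for name in attrs:
        if name in UNSUPPORTED:
            findings.append(f"unsupported variable: {name}")
        elif name not in alli_variables:
            findings.append(f"no Alli variable named: {name}")
    for group in attrs.get("GROUP", []):
        if group not in alli_groups:  # names must be registered identically
            findings.append(f"group not registered in Alli: {group}")
    return findings


if __name__ == "__main__":
    received = read_attributes(SAMPLE_ASSERTION)
    variables = {"FIRST_NAME", "LAST_NAME", "GROUP", "PHONE_NUM"}
    print("\n".join(audit_mapping(received, variables, {"Backend", "Front"})))
```

Run it against an assertion captured from a test login after each change to the Attribute Statements or the group Filter.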
