Automatically add users to groups with SSO
You can automatically add users to groups with single sign-on (SSO).
Update your SAML configuration in your IDP:
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:Attribute Name="contrast_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >GROUP1</saml2:AttributeValue> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >GROUP2</saml2:AttributeValue> ... </saml2:Attribute> </saml2:AttributeStatement>
Important
The attribute values listed under
contrast_groups
must exactly match an existing group name. Contrast won't create new groups based on the values listed under this attribute.Then in Contrast, under organization settings, select Single sign-on and use the check boxes at the bottom of the form to enable one or both of these:
Add users to their Contrast groups upon SSO login: Upon login, Contrast adds users to groups listed in the
contrast_groups
attribute in the SAML assertion.Remove users from their Contrast groups upon SSO login: Upon login, Contrast removes users from groups not listed in the
contrast_groups
attribute in the SAML assertion.
References
User email as
NameID
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
First name and surname
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" > <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >Dan</saml2:AttributeValue> </saml2:Attribute> <saml2:Attribute Name=" http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" > <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >Dan</saml2:AttributeValue> </saml2:Attribute>
User group management
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:Attribute Name="contrast_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">GROUP1</saml2:AttributeValue> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">GROUP2</saml2:AttributeValue> ... </saml2:Attribute></saml2:AttributeStatement>