
Automatically add users to groups with SSO

You can automatically add users to groups with single sign-on (SSO).

  1. Update your SAML configuration in your IDP:

    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="contrast_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                    xsi:type="xs:string"
                                    >GROUP1</saml2:AttributeValue>
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                    xsi:type="xs:string"
                                    >GROUP2</saml2:AttributeValue>
            ...
        </saml2:Attribute>
    </saml2:AttributeStatement>

    Important

    The attribute values listed under contrast_groups must exactly match an existing group name. Contrast won't create new groups based on the values listed under this attribute.

  2. Then in Contrast, under organization settings, select Single sign-on and use the check boxes at the bottom of the form to enable one or both of these:

    • Add users to their Contrast groups upon SSO login: Upon login, Contrast adds users to groups listed in the contrast_groups attribute in the SAML assertion.

    • Remove users from their Contrast groups upon SSO login: Upon login, Contrast removes users from groups not listed in the contrast_groups attribute in the SAML assertion.
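The following script is an added example, not code from this page or from the Contrast product: it parses the contrast_groups attribute out of a constructed SAML assertion fragment and works out what the two check boxes above would change on a given login. It is useful for checking an IdP mapping rule before turning on the remove option, because the remove behaviour makes the assertion the sole source of truth for group membership. Assumptions made here: "exactly match" is a plain, case-sensitive string comparison; an assertion with no contrast_groups attribute is treated as an empty list (the page does not say how Contrast handles that case, so this is the cautious reading to test for); signature and issuer validation of the assertion has already happened upstream. The function names and the sample assertion are mine.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTRIBUTE = "contrast_groups"

# Constructed sample assertion fragment for this example; not a real IdP response.
# "group2" deliberately differs in case from the Contrast group "GROUP2" used below.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="contrast_groups"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">GROUP1</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">group2</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string">GROUP3</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def asserted_groups(assertion_xml):
    """Return the contrast_groups values carried in a SAML 2.0 assertion, in order.

    Only the Attribute whose Name is exactly "contrast_groups" is read; empty or
    whitespace-only AttributeValue elements are skipped. An assertion without the
    attribute yields [] (assumption: the page does not say how Contrast treats a
    missing attribute; an empty list is the cautious reading).
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML2_NS):
        if attr.get("Name") != GROUP_ATTRIBUTE:
            continue
        for value in attr.findall("{%s}AttributeValue" % SAML2_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def plan_group_sync(asserted, current, existing, add_enabled, remove_enabled):
    """Work out what the two Contrast check boxes would change on this login.

    asserted  - group names taken from the assertion
    current   - groups the user is in right now
    existing  - groups that exist in the Contrast organization
    Returns (to_add, to_remove, unmatched). Names are compared as exact strings
    (assumption: "exactly match" is taken to include case). Unmatched names are
    reported but never acted on, since Contrast does not create groups from them.
    """
    asserted, current, existing = set(asserted), set(current), set(existing)
    matched = asserted & existing
    unmatched = asserted - existing
    to_add = (matched - current) if add_enabled else set()
    to_remove = (current - matched) if remove_enabled else set()
    return to_add, to_remove, unmatched


if __name__ == "__main__":
    groups = asserted_groups(SAMPLE_ASSERTION)
    org_groups = {"GROUP1", "GROUP2", "GROUP3", "OLD_TEAM"}
    user_now = {"GROUP1", "OLD_TEAM"}
    add, remove, skipped = plan_group_sync(groups, user_now, org_groups, True, True)
    print("asserted:", groups)
    print("add:", sorted(add), "remove:", sorted(remove), "ignored:", sorted(skipped))
```

Run against the sample, the user gains GROUP3, loses OLD_TEAM, and "group2" is silently ignored because it does not match any existing group. The last case worth trying before enabling the remove option is an assertion with no contrast_groups attribute at all: under the assumption above, every current membership ends up in the remove set, so an IdP rule that omits the attribute for some users would strip their access on next login.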

References

  • User email as NameID

    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  • First name and surname

    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Dan</saml2:AttributeValue>
    </saml2:Attribute>

    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                              xsi:type="xs:string">Dan</saml2:AttributeValue>
    </saml2:Attribute>
  • User group management

    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="contrast_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GROUP1</saml2:AttributeValue>
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GROUP2</saml2:AttributeValue>
            ...
        </saml2:Attribute>
    </saml2:AttributeStatement>

See also

Configuring user and group provisioning with Okta

Configuring ADFS to automatically add users to groups