Attribute mappings specified in your SSO platform can designate the target User Type and User Groups for users created on-the-fly via SSO.
This allows new SSO-created users to be created within the desired User Group and also be of the desired User Type.
Before implementing steps in this article, be sure a functioning SSO configuration has been established between MetaLocator and your Identity Provider.
The overall steps involved in this process are:
Establish the attribute mappings and user groups in your Identity Provider
Establish the mappings within MetaLocator
Setting up the Identity Provider Attribute Mappings
In this example we are showing a typical Attribute Mapping table. Your SSO provider may vary, but the supported Attributes are listed in the left column below.
Establishing the IdP-side User Groups
The users being created in MetaLocator must be in a group or groups which trigger the mapping, unless the mappings are hard-coded. The example groups are shown for our test user below. There is one group which triggers adding the user to Group A and another which triggers adding the user as a MetaLocator Group Administrator.
Setting up the Import Mapping
The Import Mapping stores the lookup between the IdP-side User Groups and the MetaLocator-side User Groups and User Types.
See Tools > Import Mapping and create mapping entries for both the User Types and User Groups, named 'types' and 'groups' respectively.
Configuring User Group Mappings
An example User Group mapping is shown below, where the Field Name is the exact name of the group found in the identity provider which should trigger the placement of the user into the group with User Group ID 3. Ensure the Mapping Type is set to "SSO".
Configuring User Type Mappings
An example User Type mapping is shown below, where the Field Name is the exact name of the group found in the identity provider which should trigger the creation of a user with type=43. See the table below for valid user types. Ensure the Mapping Type is set to "SSO".
Valid User Group IDs for User Types
User Type | User Group ID |
MetaLocator Administrator | 23 |
MetaLocator Analytics | 30 |
MetaLocator API | 14 |
MetaLocator Country Manager | 37 |
MetaLocator Group Administrator | 43 |
MetaLocator Group Data Administrator | 52 |
MetaLocator Lead Download | 38 |
MetaLocator Leads | 35 |
MetaLocator Manager | 41 |
MetaLocator PaaS API | 15 |
MetaLocator Translator | 42 |
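A pre-flight check for the 'types' and 'groups' mappings described above, as an added example that is not MetaLocator code: it validates each target ID and previews which User Type and User Groups a given set of IdP groups would trigger. The IdP group names, the dictionary layout of the mappings and case-sensitive exact matching are assumptions made for illustration.

```python
# Added example, not MetaLocator code. IDs copied from the User Type table above.
VALID_USER_TYPES = {
    23: "MetaLocator Administrator", 30: "MetaLocator Analytics",
    14: "MetaLocator API", 37: "MetaLocator Country Manager",
    43: "MetaLocator Group Administrator",
    52: "MetaLocator Group Data Administrator",
    38: "MetaLocator Lead Download", 35: "MetaLocator Leads",
    41: "MetaLocator Manager", 15: "MetaLocator PaaS API",
    42: "MetaLocator Translator",
}

# Constructed sample data: IdP group names are hypothetical; 43 and 3 are the
# values used in this article's User Type and User Group mapping examples.
TYPES_MAP = {"ml-group-admins": 43}      # 'types' mapping: Field Name -> User Type
GROUPS_MAP = {"ml-group-a": 3}           # 'groups' mapping: Field Name -> User Group ID
ACCOUNT_GROUP_IDS = {3}                  # IDs read from User Manager > User Groups

def check_mappings(types_map, groups_map, account_group_ids):
    """Return a list of problems found in the 'types' and 'groups' mappings."""
    problems = []
    for name, type_id in types_map.items():
        if type_id not in VALID_USER_TYPES:
            problems.append(f"types: {name!r} -> {type_id} is not a valid User Type")
    for name, group_id in groups_map.items():
        if group_id not in account_group_ids:
            problems.append(f"groups: {name!r} -> {group_id} is not in this account")
    for name in list(types_map) + list(groups_map):
        if name != name.strip():
            problems.append(f"{name!r}: Field Name has stray whitespace")
    return problems

def resolve(idp_groups, types_map, groups_map):
    """Preview what a user's IdP groups would trigger (exact-name match assumed)."""
    type_ids = sorted({types_map[g] for g in idp_groups if g in types_map})
    return {
        "user_types": [VALID_USER_TYPES.get(t, "INVALID") for t in type_ids],
        "user_group_ids": sorted({groups_map[g] for g in idp_groups if g in groups_map}),
        "unmapped": sorted(g for g in idp_groups
                           if g not in types_map and g not in groups_map),
    }

if __name__ == "__main__":
    for problem in check_mappings(TYPES_MAP, GROUPS_MAP, ACCOUNT_GROUP_IDS):
        print("PROBLEM:", problem)
    print(resolve(["ml-group-a", "ml-group-admins", "staff"], TYPES_MAP, GROUPS_MAP))
```

More than one entry in `user_types` means the user's IdP groups match several 'types' mappings; review those group memberships before enabling the user.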
Valid User Group IDs for User Groups
To find valid User Group IDs for your account, first open the User Manager
Then click User Groups as shown below.
The group IDs are listed here:
User Group Changes
When user groups change on the IdP-side, MetaLocator can reprocess the updates if onelogin_saml_updateuser is set to "1".
In this case, the User Groups will be re-calculated and applied to the user. This includes removals and additions to User Groups only. The User Type cannot be changed via SSO.
Testing
Visit the SSO Link here:
Enter an email address of a user with appropriate User Groups configured in your SSO Platform.
The user should be created, and a message indicating a pending status is displayed as shown.
Administrators will receive a notification that the user has been created via email. If the mapping targets a specific User Group or Groups, administrators for those groups (only) will be notified.
Administrators should review the incoming user, assign any country requirements or make manual adjustments as necessary and then Enable the user.
The end user will also receive a notice that their account is pending. Upon enablement by an administrator, the end user will receive a notice that the account was activated and they are free to log in.