All Collections
User Management
Single Sign On
Mapping user groups and types with SSO
Mapping user groups and types with SSO

User group mapping with SSO in MetaLocator

Michael Fatica avatar
Written by Michael Fatica
Updated over a week ago

Attribute mappings can be specified in an SSO platform, which can be used to designate the target User Type and User Groups used when users are created on-the-fly via SSO.

This allows new SSO-created users to be created within the desired User Group and and also be of the desired User Type.

Before implementing steps in this article, be sure a functioning SSO configuration has been established between MetaLocator and your Identity Provider.

The overall steps involved in this process are:

  1. Establish the attribute mappings and user groups in your Identity Provider

  2. Establish the mappings within MetaLocator

Setting up the Identity Provider Attribute Mappings

In this example we are showing a typical Attribute Mapping table. Your SSO provider may vary, but the supported Attributes are listed in the left column below.

Establishing the IdP-side User Groups

The users being created in MetaLocator must be in a group or groups which trigger the mapping, unless the mappings are hard-coded. The example groups are shown for our test user below. There is one group which triggers adding the user to Group A and another which triggers adding the user as a MetaLocator Group Administrator.

Setting up the Import Mapping

The Import Mapping stores the lookup between the IdP-side User Groups and the MetaLocator-side User Groups and User Types.

See Tools > Import Mapping and create mapping entries for both the User Types and User Groups, named 'types' and 'groups' respectively.

Configuring User Group Mappings

An example User Group mapping is shown below, where the Field Name is the exact name of the group found in the identity provider which should trigger the placement of the user into the group with User Group ID 3. Ensure the Mapping Type is set to "SSO"

Configuring User Type Mappings

An example User Type mapping is shown below, where the Field Name is the exact name of the group found in the identity provider which should trigger the creation of a user with type=43. See the table below for valid user types. Ensure the Mapping Type is set to "SSO"

Valid User Group IDs for User Types

User Type

User Group ID

MetaLocator Administrator


MetaLocator Analytics


MetaLocator API


MetaLocator Country Manager


MetaLocator Group Administrator


MetaLocator Group Data Administrator


MetaLocator Lead Download


MetaLocator Leads


MetaLocator Manager


MetaLocator PaaS API


MetaLocator Translator


Valid User Group IDs for User Groups

To find valid User Group IDs for your account, first open the User Manager

Then click User Groups as shown below.

The group IDs are listed here:

User Group Changes

When user groups change on the IdP-side, MetaLocator can reprocess the updates if onelogin_saml_updateuser is set to "1".

In this case, the User Groups will be re-calculated and applied to the user. This includes removals and additions to User Groups only. The User Type is can not be changed via SSO.


Visit the SSO Link here:

Enter an email address of a user with appropriate User Groups configured in your SSO Platform.

The user should be created and a message indicating a pending status as shown

Administrators will receive a notification that the user has been created via email. If the mapping targets a specific User Group or Groups, administrators for those groups (only) will be notified.

Administrators should review the incoming user, assign any country requirements or make manual adjustments as necessary and then Enable the user.

The end user will also receive a notice that their account is pending. Upon enablement by an administrator, the end user will receive a notice that the account was activated and they are free to log in.

Did this answer your question?