Attribute mappings can be specified in an SSO platform, which can be used to designate the target User Type and User Groups used when users are created on-the-fly via SSO.

This allows new SSO-created users to be created within the desired User Group and and also be of the desired User Type.

Before implementing steps in this article, be sure a functioning SSO configuration has been established between MetaLocator and your Identity Provider.

The overall steps involved in this process are:

  1. Establish the attribute mappings and user groups in your Identity Provider

  2. Establish the mappings within MetaLocator

Setting up the Identity Provider Attribute Mappings

In this example we are showing a typical Attribute Mapping table. Your SSO provider may vary, but the supported Attributes are listed in the left column below.

Establishing the IdP-side User Groups

The users being created in MetaLocator must be in a group or groups which trigger the mapping, unless the mappings are hard-coded. The example groups are shown for our test user below. There is one group which triggers adding the user to Group A and another which triggers adding the user as a MetaLocator Group Administrator.

Setting up the Import Mapping

The Import Mapping stores the lookup between the IdP-side User Groups and the MetaLocator-side User Groups and User Types.

See Tools > Import Mapping and create mapping entries for both the User Types and User Groups, named 'types' and 'groups' respectively.

Configuring User Group Mappings

An example User Group mapping is shown below, where the Field Name is the exact name of the group found in the identity provider which should trigger the placement of the user into the group with User Group ID 3. Ensure the Mapping Type is set to "SSO"

Configuring User Type Mappings

An example User Type mapping is shown below, where the Field Name is the exact name of the group found in the identity provider which should trigger the creation of a user with type=43. See the table below for valid user types. Ensure the Mapping Type is set to "SSO"

Valid User Group IDs for User Types

User Type

User Group ID

MetaLocator Administrator

23

MetaLocator Analytics

30

MetaLocator API

14

MetaLocator Country Manager

37

MetaLocator Group Administrator

43

MetaLocator Group Data Administrator

52

MetaLocator Lead Download

38

MetaLocator Leads

35

MetaLocator Manager

41

MetaLocator PaaS API

15

MetaLocator Translator

42

Valid User Group IDs for User Groups

To find valid User Group IDs for your account, first open the User Manager

Then click User Groups as shown below.

The group IDs are listed here:

User Group Changes

When user groups change on the IdP-side, MetaLocator can reprocess the updates if onelogin_saml_updateuser is set to "1".

In this case, the User Groups will be re-calculated and applied to the user. This includes removals and additions to User Groups only. The User Type is can not be changed via SSO.

Testing

Visit the SSO Link here:

https://admin.metalocator.com/index.php?option=com_users&view=login&sso=1&Itemid=129

Enter an email address of a user with appropriate User Groups configured in your SSO Platform.

The user should be created and a message indicating a pending status as shown

Administrators will receive a notification that the user has been created via email. If the mapping targets a specific User Group or Groups, administrators for those groups (only) will be notified.

Administrators should review the incoming user, assign any country requirements or make manual adjustments as necessary and then Enable the user.

The end user will also receive a notice that their account is pending. Upon enablement by an administrator, the end user will receive a notice that the account was activated and they are free to log in.

Did this answer your question?