SAML User Group Associations

Automatically add users to user groups in Kion based on SAML assertions. This is useful for dynamically determining user permissions.

Ensure you don't have multiple associations for the same group, because they will overwrite each other. If you remove an association, it will not affect previous group membership.

When you use user group associations:

  1. You configure the appropriate roles and groups within Kion that represent the different user access levels. For more information, see How do Permissions Work in Kion?
  2. Your SAML IDMS passes an array of group membership items across as an assertion.
  3. Kion uses the values passed in the assertion to match a given assertion value to an existing group within Kion to automatically assign permissions to a user at login.

To configure user group associations:

  1. Log in to Kion as an administrator.
  2. Navigate to Users > Identity Management Systems.
  3. Click the SAML IDMS you would like to configure.
  4. Select the User Group Associations tab.
  5. Click Add > Add New. You can also select the Bulk Add option if you want to add several at once using the same field descriptions.

  6. Enter the name of the assertion you’re passing that contains a list of group names to evaluate. For example, ADmembership.

  7. Enter a regular expression that evaluates the values in the Name assertion. For example, ^cloudtamer-admins would match a group named cloudtamer-admins.
    This field supports regular-expression metacharacters (such as ^ for the beginning of a phrase or $ for the end of a phrase). You can find more information in Google's re2 Syntax article.

  8. Select the Kion user group the matched groups will be added to.

  9. (Optional) Enable Update on Login to evaluate users on every login and remove them from user groups they no longer match.

  10. Click Add.

Troubleshooting

Test logging in with a user account that matches one of the user group associations you specified.

If you don't see the permissions you expected to be applied, review the POST request to /api/v1/saml/callback. Ensure that the assertion for your groups exists and that the expected group name is present in it.

For information on how to review the operation, see Tracing SAML Logins.
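The following is an added example, not Kion's own code, that models how the association fields from steps 6 to 9 are applied to one login and what the troubleshooting check above looks for. It parses a constructed SAML assertion fragment, applies each association's expression (Go's regexp package uses the same RE2 syntax the article links to), honours Update on Login by revoking groups that no longer match, flags any assertion name the rules reference that the IdP did not send, and flags Kion groups targeted by more than one association. The assertion, rule values and group names are all invented for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"sort"
)

// Constructed assertion fragment: only the AttributeStatement Kion inspects.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="ADmembership">
      <saml:AttributeValue>cloudtamer-admins</saml:AttributeValue>
      <saml:AttributeValue>cloudtamer-finance-readonly</saml:AttributeValue>
      <saml:AttributeValue>helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// samlAttribute is one <Attribute> with its values. The struct tags carry no
// namespace, so encoding/xml matches the local element names in any namespace.
type samlAttribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

type samlAssertion struct {
	Attributes []samlAttribute `xml:"AttributeStatement>Attribute"`
}

// association mirrors the fields entered in steps 6 to 9 (hypothetical model).
type association struct {
	AssertionName string         // SAML attribute holding group names (step 6)
	Pattern       *regexp.Regexp // RE2 expression applied to each value (step 7)
	KionGroup     string         // Kion user group to populate (step 8)
	UpdateOnLogin bool           // revoke when the user no longer matches (step 9)
}

// exampleRules are constructed associations; the patterns are fully anchored so a
// group such as cloudtamer-admins-legacy is not swept in by a prefix match.
func exampleRules() []association {
	return []association{
		{AssertionName: "ADmembership", Pattern: regexp.MustCompile(`^cloudtamer-admins$`), KionGroup: "Kion Admins", UpdateOnLogin: true},
		{AssertionName: "ADmembership", Pattern: regexp.MustCompile(`^cloudtamer-finance-`), KionGroup: "Finance Viewers"},
		{AssertionName: "ADmembership", Pattern: regexp.MustCompile(`^cloud-ops$`), KionGroup: "Cloud Ops", UpdateOnLogin: true},
		{AssertionName: "ADmembership", Pattern: regexp.MustCompile(`^billing$`), KionGroup: "Billing"},
		// Refers to an attribute the constructed IdP never sends.
		{AssertionName: "groups", Pattern: regexp.MustCompile(`^helpdesk$`), KionGroup: "Support"},
	}
}

// attributeValues returns the named attribute's values and whether the attribute
// was present at all; absence is the first thing to check when permissions are missing.
func attributeValues(assertionXML, name string) ([]string, bool, error) {
	var a samlAssertion
	if err := xml.Unmarshal([]byte(assertionXML), &a); err != nil {
		return nil, false, err
	}
	for _, attr := range a.Attributes {
		if attr.Name == name {
			return attr.Values, true, nil
		}
	}
	return nil, false, nil
}

// evaluateLogin applies the associations to one login. current is the user's
// existing Kion group membership; the result is the membership after login.
func evaluateLogin(rules []association, assertionXML string, current map[string]bool) (map[string]bool, error) {
	result := make(map[string]bool, len(current))
	for g := range current {
		result[g] = true
	}
	for _, r := range rules {
		values, _, err := attributeValues(assertionXML, r.AssertionName)
		if err != nil {
			return nil, err
		}
		matched := false
		for _, v := range values {
			if r.Pattern.MatchString(v) {
				matched = true
				break
			}
		}
		switch {
		case matched:
			result[r.KionGroup] = true
		case r.UpdateOnLogin: // step 9: drop membership the IdP no longer supports
			delete(result, r.KionGroup)
		} // without Update on Login, earlier membership is left untouched
	}
	return result, nil
}

// sortedGroups flattens a membership set for display and comparison.
func sortedGroups(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for g := range m {
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}

// duplicateGroups lists Kion groups targeted by more than one association,
// the configuration the article warns will overwrite itself.
func duplicateGroups(rules []association) []string {
	count := map[string]int{}
	for _, r := range rules {
		count[r.KionGroup]++
	}
	dups := map[string]bool{}
	for g, n := range count {
		if n > 1 {
			dups[g] = true
		}
	}
	return sortedGroups(dups)
}

// missingAssertions lists assertion names the rules reference that the IdP did
// not send, which is what the troubleshooting step asks you to confirm.
func missingAssertions(rules []association, assertionXML string) ([]string, error) {
	missing := map[string]bool{}
	for _, r := range rules {
		if _, present, err := attributeValues(assertionXML, r.AssertionName); err != nil {
			return nil, err
		} else if !present {
			missing[r.AssertionName] = true
		}
	}
	return sortedGroups(missing), nil
}

func main() {
	current := map[string]bool{"Cloud Ops": true, "Legacy": true, "Billing": true}
	after, err := evaluateLogin(exampleRules(), sampleAssertion, current)
	if err != nil {
		panic(err)
	}
	fmt.Println("groups after login:", sortedGroups(after))
	missing, _ := missingAssertions(exampleRules(), sampleAssertion)
	fmt.Println("assertions referenced but not sent:", missing)
	fmt.Println("groups with duplicate associations:", duplicateGroups(exampleRules()))
}
```

Running it shows Cloud Ops revoked (Update on Login, no longer matched), Billing retained (no Update on Login), Legacy untouched because no association targets it, and "groups" reported as an assertion the IdP never sent, which is why Support was never granted.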
