
SSO User and Group/Role Mapping from IdP to SP

When implementing Single Sign-On (SSO), it's often critical to pass user attributes and user groups from the Identity Provider (IdP) to the Service Provider (SP). This allows the SP to assign permissions, manage access levels, and dynamically tailor the user experience based on identity data from the IdP.

This process is referred to as user attribute mapping or group/role mapping. It ensures that users are automatically assigned the appropriate access when they sign in, without manual intervention.

Why SSO Role and Group Mapping Matters

  • Automated Access Control: Automatically assign user permissions in the SP based on IdP attributes.
  • Scalability: Manage access across large user bases without needing to configure each account individually.
  • Centralized Governance: Maintain roles and groups in one central identity source (the IdP).
  • Security & Compliance: Enforce least-privilege access based on up-to-date identity metadata.

How SSO User and Group Mapping Works

  1. A user logs in via SSO.
  2. The IdP sends a SAML assertion or OIDC ID token containing user attributes such as:
    • email
    • name
    • groups
    • Custom claims (e.g., manager, department, plan_level)
  3. The SP receives and parses these attributes.
  4. The SP maps these values to user attributes and internal roles.

Supported IdP Attributes

Common attributes passed from IdPs include email, name, phone, and any custom attributes you have defined.

The exact attribute names and formats vary by IdP and should be customized in the IdP's application configuration.

Group and Role Mapping Strategies

Map any user's group names from the IdP to internal roles in the SP.

Example:

  • If the user's group is admin → assign the Admin role in the app.
  • If the user's group is engineering → assign the Engineering role in the app, allowing access to engineering tools.
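As an added example (not Descope's code), the following Python walks through steps 3 and 4 above for the strategy just described: it extracts attributes from a constructed SAML AttributeStatement and maps the user's groups to internal roles through an explicit, per-tenant table, so a group the table does not list grants nothing. The tenant IDs, group names, role names and the assumption that the assertion's signature was already verified upstream are all assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, shaped like the AttributeStatement an IdP emits.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical per-tenant mapping: IdP group name -> internal role.
# Any group not listed for the tenant maps to no role (default deny).
TENANT_ROLE_MAP = {
    "acme": {"admin": "Admin", "engineering": "Engineering"},
}


def parse_attributes(assertion_xml):
    """Return {attribute_name: [values]} from a SAML AttributeStatement.

    Assumes the assertion's signature and audience were verified before
    this point; mapping must only run on an assertion you already trust.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def map_roles(tenant_id, attrs):
    """Map the user's IdP groups to internal roles for one tenant."""
    role_map = TENANT_ROLE_MAP.get(tenant_id, {})
    roles = set()
    for group in attrs.get("groups", []):
        role = role_map.get(group)  # exact match only; no prefix or substring rules
        if role is not None:
            roles.add(role)
    return sorted(roles)
```

Here "contractors" is deliberately absent from the table, so the sample user ends up with only the Engineering role, and a user from a tenant with no table configured gets no roles at all.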

How Descope Supports Mapping

Descope provides built-in tools for handling user attributes and group/role mapping from IdPs, both during SSO authentication and for SCIM provisioning:

  • Flexible Attribute Mapping: Easily map any IdP attribute (for both SAML and OIDC) to Descope user fields or custom claims.
  • Group/Role Extraction: Automatically extract and store roles and groups for use in access control logic.
  • Tenant-Aware Mapping: Use tenant-specific configurations to isolate roles and groups per organization.
  • UI & API Config Options: Depending on your workflow, you can configure mapping logic through Descope's UI or API.
  • SSO Setup Suite: Let your customers' IT admins configure and test mapping logic through a dedicated self-provisioning UI.
  • Mapping in Descope affects SCIM: User and Group mappings configured in Descope are also used for SCIM provisioning.
  • Audit Logs: All mappings and assignments are captured in logs for traceability and compliance.

With Descope, you can securely and efficiently manage user attributes and group assignments using identity data from any SAML or OIDC-compatible IdP.

Implementing User and Group Mapping
