Filtering Roles in the SSO Setup Suite

This guide explains how to filter which roles appear for mapping in the SSO Setup Suite based on the authenticated user’s role permissions.

This ensures that only authorized users can configure or view role mappings relevant to their assigned permissions.

Prerequisites

Configuration Steps

The Descoper should follow these steps to correctly configure roles and permissions:

  1. Assign Permissions for Roles:

    • Assign permissions to roles that you want SSO Setup Suite users to access and map. Only roles containing permissions also held by the authenticated user will be shown.
    • Example: If you want to restrict access to roles associated with a specific application (e.g., "AppX") only to users who have a subscription for that application, create a role like "AppX Subscriber" with the "AppX" permission.
  2. Assign Roles to SSO Setup Suite User:

    • Assign the user roles with the relevant permissions.
    • Example: To allow access to roles related to "AppX", assign any role that includes the "AppX" permission, along with the Tenant Admin role.

SSO Setup Suite Access Steps

The Tenant Admin (SSO Setup Suite user) should follow these steps to access the SSO Setup Suite:

  1. Authenticate User:

    • The user must be authenticated and have a valid cookie on your Descope domain (either api.descope.com or your custom domain, if you have one configured).
    • This takes the place of sending the user the generated SSO Setup Suite link directly, and can be achieved by having the user authenticate through a sign-in flow on your Descope domain.
  2. Access the SSO Setup Suite:

    • The user can then visit https://<your-base-url>/sso/setup/<your-project-id>?tenantId=<your-tenant-id>.
    • The roles that appear in the mapping dropdown will match the permissions of the authenticated user. Only users with the appropriate permissions see the relevant roles.
    • Example: A user with the "AppX" permission can now view and map roles associated with "AppX".

By following these steps, you can ensure that users accessing the SSO Setup Suite can only configure or view role mappings relevant to their assigned permissions.
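The filtering rule described above can be checked against a planned role layout before assigning roles. The following is an added example, not Descope code: it assumes a role is shown when it shares at least one permission with the authenticated user, and every role and permission name in it is constructed for illustration.

```python
# Added illustration: a local model of the role filter, not Descope's code.
# Assumption: a role appears in the mapping dropdown when it shares at least
# one permission with the authenticated user.

# Constructed role layout (role name -> permissions); all names are samples.
ROLES = {
    "Tenant Admin": {"TenantMgmt"},
    "AppX Subscriber": {"AppX"},
    "AppX Auditor": {"AppX", "AppX Reports"},
    "AppY Subscriber": {"AppY"},
    "Legacy Viewer": set(),  # role with no permissions assigned
}


def effective_permissions(assigned_roles, roles=ROLES):
    """Union of the permissions carried by every role assigned to the user."""
    perms = set()
    for name in assigned_roles:
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        perms |= roles[name]
    return perms


def visible_roles(assigned_roles, roles=ROLES):
    """Roles the user would see for mapping under the assumed rule."""
    held = effective_permissions(assigned_roles, roles)
    return sorted(name for name, perms in roles.items() if perms & held)


def hidden_roles(assigned_roles, roles=ROLES):
    """Roles filtered out, with the reason, for reviewing a configuration."""
    held = effective_permissions(assigned_roles, roles)
    report = {}
    for name, perms in roles.items():
        if perms & held:
            continue
        report[name] = "role has no permissions" if not perms else "no shared permission"
    return report


if __name__ == "__main__":
    user = ["Tenant Admin", "AppX Subscriber"]  # constructed assignment
    print("visible:", visible_roles(user))
    for role, reason in hidden_roles(user).items():
        print(f"hidden: {role} ({reason})")
```

Under this model a role with no permissions is never listed, which is why step 1 assigns permissions to every role that should be mappable.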
