Automatically grant and revoke group membership in Ardoq based on SSO user attributes defined in your SSO provider.
With Ardoq’s SSO Attribute Mapping, you can:
Externally manage Ardoq group access from your SSO provider.
Remove tedious duplication of configuration between Ardoq and your SSO provider.
Ensure accurate group membership at all times.
Assign correct group membership on first login, enabling your users to get access to valuable insights immediately.
Find out how to define mapping rules to assign users to permission groups based on their SSO attributes below, and watch as the right users are automatically added to and removed from the correct groups.
Table of contents:
Before Getting Started
To map SSO attributes to a permission group in Ardoq, you need to:
Be an admin user
Disable plain login (email and password) to ensure users can only log in through SSO. This ensures that group membership always remains consistent with your SSO configuration. If plain login is left enabled, users will be able to log in to your organization without pulling in the SSO’s current group configuration, which may cause unintended continued data access.
How to Define Mapping Rules
Follow the steps below to create a set of rules using SSO attributes to automatically assign or remove users to or from a Permission group.
Navigate to Preferences > Organization settings > SSO attribute mapping
Fill in each column in the mapping rule builder. Please note that the attributes are case sensitive.
Attribute: Attributes are defined in your SSO provider, and the options will be prepopulated with any that Ardoq received during login for your current session. You can also define any custom attribute here.
Condition: Select 'Exact' or 'Contains' to match users whose values for these attributes satisfy the condition rules. The attribute is compared against the value defined in the Value column, and compared based on the condition.
Value: Specify the value to match against your users’ attributes, based on the condition.
Assignment rule: Select the permission group that this rule applies to. You can only select one group per rule. You can create as many rules as needed to map to multiple permission groups. Simply click “+ Add mapping”.
Review the groups you will be added or removed from below the “+ Add mapping”.
Log in again via SSO for the mapping rules to apply.
Users whose group membership has been assigned through SSO Mapping Rules cannot have their membership revoked manually. Instead you can remove/modify mapping rules or modify their attributes in the SSO. This is not a security issue, as their group membership will automatically be modified correctly the next time they log in. However, they will still be shown as a member of the group in the UI.
If you haven’t already, we highly recommend you disable plain login to ensure users can only log in through SSO. This ensures that group membership always remains consistent with your SSO configuration. If plain login is left enabled, users will be able to log in to your organization without pulling in the SSO’s current user attributes, which may cause unintended continued data access.
Care should be taken that mapping rules are assigned appropriately as changes in your SSO will now impact user’s data access within Ardoq.
Helpful Tips when using Azure AD (SAML)
Each SSO provider has a different way of setting up claims. For AzureAD, the process to setup the most common configuration (sending us your user's groups) is outlined below.
Navigate to your Single Sign-on Claims Configuration
First find your Enterprise Application and navigate to the "Single sign-on" settings under the management panel:
Then click "Edit" under "Attributes & Claims":
There are two types of claims that AzureAD supports: normal claims and group claims. We support both, which means that you can add any custom claim type to your users and define group mappings on Ardoq side to ensure those users are assigned to the proper groups.
In order to define claims based your users groups, select the "Add a group claim":
Select which of your user groups you would like to be returned. Likely this is "Groups assigned to the application":
By default, AzureAD will only sync group IDs! This will make your mappings very cumbersome to create, because you will need to lookup every group ID and map it appropriately on the Ardoq side:
For cloud-only groups, you can instead send group names by selecting
Cloud-only group display names (Preview).
For groups which you have synced from an on-premises AD, you can select
For hybrid setups, where you have both cloud-groups and AD synced groups, you can enable
sAMAccountNameand also select
Emit group name for cloud-only groups, as in the screenshot below:
You can read more about these options in the AzureAD documentation here.
Finally, AzureAD will by default send us a URI for the attribute which can be obscure and less friendly to use, it is often nicer to customize the name (under Advanced options):
Now save this claim, log out of Ardoq, and log in again with your SSO provider — you should see the updated claim available in the mapping table, along with your groups!