If you have Single Sign-on enabled for your organization, it is possible to configure Ardoq so that user roles are managed either from within Ardoq or exclusively from the identity provider (e.g. Active Directory).

This article explains how to set up Ardoq and Active Directory to manage users in various ways. For example, you may want a few administrators and writers while everyone else in your organization gets contributor-level access by default. We will see how this can be done.

A Note on Identity Providers (e.g. Active Directory)

Role assignment is currently only supported with the SAML SSO method.

In Active Directory, roles are a first-class concept, and normally the SSO integration will be configured so that Ardoq receives the user's assigned roles any time they log in. To manage roles externally, Ardoq expects roles to be included with the sign-in request.

For other identity providers (e.g. Okta), it may be possible to work around this limitation by making sure the assignedRoles attribute includes one of the expected roles, but this is not officially supported.

The assignedRoles attribute must include at least one of the following for external user management to function correctly:

  • admin

  • writer

  • reader

  • contributor

If none of these is provided, the user keeps their current role, or is created with the default role if they do not already have an Ardoq account.

Where to Configure User Management and Default Role

On Ardoq's side, there are two options that will be used in this article, "User management" and "Default role for SSO users". These can be found in the "Edit organization" dialog (which can be reached from the bottom left corner of the app).

Role Management Options in Active Directory

In Active Directory, it is possible to manage roles and access in multiple ways.

  1. Assign users or groups to the Ardoq application with a role

  2. Assign users or groups with "default access" (no role)

  3. Set "User assignment required?" to "No", giving all users in Active Directory access to Ardoq with no role (users can still be assigned roles if desired)

When a user has "no role" defined in Active Directory, their role will become whatever the default is in Ardoq if they do not already exist, or they will keep their current role in Ardoq.

Common Scenarios and How to Set Them Up

How do we make sure everyone has access to presentations or surveys?

Users must be granted access to the Ardoq application in Active Directory to be able to log in to Ardoq. If you want to make sure as many people as possible can access Ardoq to submit surveys or view presentations, consider setting the "default role" to "contributor" and set "User assignment required?" to "No" in Active Directory.

If you prefer to control access to Ardoq, set "User assignment required?" to "Yes", but make sure that all the users who should have access belong to a group that is assigned the contributor role.

What role will a new user receive when logging in for the first time?

  • If user management is set to "externally" or "in app and externally", the role from Active Directory is used

    • If the user has no role in AD, the user is granted the default role instead

  • If user management is set to "in app", the user is granted the default role
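The role resolution described above (the recognised assignedRoles values, the fallback to the current or default role, and the three "User management" settings) can be written down as a small reference model. This is an added example, not Ardoq's own code: the SAML attribute layout in the constructed assertion and the tie-break when several recognised roles are sent are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values Ardoq recognises in the assignedRoles attribute (listed in the article).
RECOGNISED_ROLES = ("admin", "writer", "reader", "contributor")
# Settings of the "User management" organization option named in the article.
EXTERNAL_MODES = ("externally", "in app and externally")
IN_APP_MODE = "in app"


def assigned_roles_from_assertion(assertion_xml: str) -> List[str]:
    """Return the assignedRoles values carried in a SAML 2.0 assertion.
    Assumption: roles arrive as <saml:AttributeValue> children of an
    <saml:Attribute Name="assignedRoles"> inside the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == "assignedRoles":
            values = attr.iterfind("saml:AttributeValue", SAML_NS)
            return [v.text.strip() for v in values if v.text]
    return []  # attribute absent: Ardoq falls back to the existing/default role


def resolve_role(user_management: str, assigned_roles: List[str],
                 existing_role: Optional[str], default_role: str) -> str:
    """Role a user holds after a SAML login (existing_role is None for new users)."""
    if user_management != IN_APP_MODE and user_management not in EXTERNAL_MODES:
        raise ValueError(f"unknown user management setting: {user_management!r}")
    if default_role not in RECOGNISED_ROLES:
        raise ValueError(f"default role must be one of {RECOGNISED_ROLES}")
    # "in app": roles are managed only in Ardoq, so the IdP's roles are ignored.
    if user_management == IN_APP_MODE:
        return existing_role if existing_role is not None else default_role
    # "externally" / "in app and externally": honour a recognised role from AD.
    # Assumption: if several recognised values are present, the first one wins.
    for role in assigned_roles:
        if role in RECOGNISED_ROLES:
            return role
    # No recognised role (e.g. "default access" in AD): keep the current role,
    # or create the account with the organization's default role.
    return existing_role if existing_role is not None else default_role


# Constructed sample assertion (not captured from a real identity provider).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="assignedRoles">
      <saml:AttributeValue>writer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

A group assigned to the application with "default access" sends no recognised value, which is why such users land on the default role rather than being denied.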

How do we manage roles exclusively in Active Directory?

To manage roles in Active Directory, set the "User management" setting to "externally", set "User assignment required?" to "Yes" in Active Directory, and assign users to the application.

How do we manage roles exclusively in Ardoq?

To manage roles in Ardoq, set the "User management" setting to "in app". Users logging in will be assigned the default role of your choosing, so consider setting this as low as possible (for example "contributor") and then manually promote users as needed.

Still have questions? Feel free to reach out to us. We're happy to help!