Assign User Roles with SSO Groups

You can assign roles to users based on SSO groups in your IdP. For example, let's say that your level 1 help desk employees are in the SSO group "Level 1 Help Desk". You can create a role for level 1 help desk employees and assign that user role to the "Level 1 Help Desk" SSO group. All users in the "Level 1 Help Desk" group are automatically assigned that user role when they sign in. 

Roles are assigned based only on SSO groups that are sent in the SAML assertion and added to your SSO Groups settings. If multiple groups are sent in the SAML assertion, then the user is assigned all relevant roles for all groups.

ControlUp checks a user's SSO groups and assigns the relevant roles each time a user signs in. If you change a user's groups in your IdP, then the user's roles and permissions are automatically updated the next time they sign in. Because roles are dynamically assigned each time a user signs in, the roles assigned to a user by the SSO Groups feature are not saved to a user and are not visible in the User Settings or Roles pages.

Note that it is possible for a user to have roles assigned other than the roles assigned to their SSO groups. This can happen if you manually assign roles to a user, or if a new user signs in for the first time and is assigned the default role for automatically provisioned accounts (configured in your SAML settings). 

Prerequisites

This feature requires that you have SAML SSO configured. Read How to Configure SAML Single SSO with Your IdP for details.

Create an SSO group

1. Configure your IdP to send either the names or the IDs of the SSO groups in the attribute userGroups.  We recommend that you send the ID because it is guaranteed to uniquely identify the group.
2. In ControlUp, go to Global Settings > SAML Single Sign On > SSO Groups.
3. Click Create SSO Group.
4. In the Group Name/ID field, enter either the group name or ID, depending on which one you configured your IdP to send in the userGroups attribute. The value you enter in this field must exactly match what your IdP sends in SAML assertion.
5. In the Display Name field, enter a name for the group. This is the name that appears when assigning roles to the group. 
6. Click Save.
   

Assign SSO groups to roles in app.controlup.com

After you create an SSO group, you can assign the group to a role in app.controlup.com.

To assign an SSO group to a role in app.controlup.com:

1. In your Roles settings, select a role and go to Groups > Add/Remove Groups to add the group to the role.
2. Save the changes to the user role.

Assign SSO groups to roles in the Real-Time Console Security Policy

After you create an SSO group, you can assign the group to a role in the Real-Time Console Security Policy. When a user signs in to app.controlup.com with SAML, they are automatically granted roles in the Security Policy according to their SAML SSO groups. Security Policy roles determine what a user is allowed to do in the VDI & DaaS web interface (for example, viewing certain machines/folders and running actions). Note that users must have the permission Use Web Application assigned in the Security Policy to access the VDI & DaaS web interface. Learn more about how to access the VDI & DaaS web interface.

To assign an SSO group to a role in the Security Policy:

1. In the Real-Time Console, go to Security Policy > Manage Roles.
2. Select a role and click Edit > Add Users/Groups.
3. Set Provider to ControlUp.
4. Set Search Options to Groups.
5. Click Search. All SSO groups that you created appear in the list.
6. Select which SSO groups you want to add to the role and click OK.