
About role mapping

When you configure your Devo domain to use the SAML or OpenID authentication methods, you can authorize roles created in the chosen identity provider (IDP) by mapping them to Devo roles defined in your domain. You can map multiple Devo roles to a single user role defined in your external identity provider.

You can access the Role mapping area in Administration → Roles → IDP role mapping. The screen is divided into two different areas: the external roles defined are shown in the left part, and the right part shows all the Devo roles available in your domain. Learn below how to map and edit them.

Info

SAML or OpenID required

To activate the IDP role mapping option, you must first access Preferences → Domain preferences → Authentication and enable the SAML or OpenID authentication methods.

...

What permissions do I need?

To access this area to carry out role mapping, you need the Manage version of the Roles permission.

...

With the View version you can only see roles that are already mapped, and without this permission at all you will not see the option in the Navigation pane.

...

Define a new external role

  1. First, define the required roles in your IDP. The process is different according to the IDP you use, so please check its product documentation.

  2. In the Devo Platform, go to Administration → Roles → IDP role mapping

  3. Click Create mapped role in the External roles area. Here's where you have to define the roles you created in your IDP and want to map with existing roles in your Devo domain. You must enter the following information and then click Apply:

External group/role

Enter the name of the group/role created in your IDP. Note that the name must be exactly the same for the process to work. For example, if you created a group in your IDP and named it groups, that's the name you must enter in this field.

Info

Group attribute statement

Note that the group attribute statement must be set to groups to make the role mapping work.

Description

Enter an optional description of the role created.

Choose the authentication methods

You must choose the authentication method used (SAML, OpenID or both). Choosing at least one is mandatory. Note that the authentication method must be activated in your Devo domain to appear on this list.

Select the Devo roles to map to this external role

Choose the Devo role(s) to which you want to map the external role from the available ones in your domain. You can finish this process without selecting any Devo role and choose them later in the Devo roles area.

The newly created role will appear in the External roles area.

...

You can easily edit and delete external roles created in your domain in the External roles area. Any time you perform any modification, you must click the Save changes button before leaving the area.

Info

Roles not showing

If you disable an authentication method used in one of the defined external roles (SAML or OpenID), the roles assigned to that method will no longer appear in the External roles list. Activate the authentication method to see them again. Learn more in User authentication.

...

To delete an external role, check the box next to it and click the X icon that appears at the top of the roles. To delete all your roles at once, check the box next to the search box on the left and click the X trash icon.

...

...

Edit the Devo roles mapped to an external role

...

To add new Devo roles to an external role, you can open the dropdown list in the external role and select the Devo roles you want to add from the available ones.

You can also add Devo roles to a set of external roles or to all of them at once by checking the corresponding boxes and clicking the corresponding icon.

...

Info

Admin role

Note that if you add the Admin role to an external role along with any other roles, only the Admin role will be assigned. This is because the Admin role cannot be combined with any other roles in the Devo application. Learn more in Users and roles.
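The rules described so far (exact name match, the `groups` attribute statement, per-method mappings and the Admin-only behaviour) can be modelled to review a mapping set before saving it. This is an added example, not Devo code: the group names, the `Analyst` role, and the assumptions that "exactly the same" means case-sensitive equality and that a mapping applies only to the authentication methods chosen for it are all hypothetical.

```python
# Illustrative model of the mapping rules on this page; not Devo's implementation.
from dataclasses import dataclass

GROUP_ATTRIBUTE = "groups"  # attribute statement name the page requires
ADMIN = "Admin"             # role the page says cannot be combined with others


@dataclass(frozen=True)
class MappedRole:
    external_name: str   # must equal the IDP group/role name exactly
    methods: frozenset   # subset of {"SAML", "OpenID"}
    devo_roles: tuple    # may be empty: Devo roles can be chosen later


def effective_roles(mappings, attributes, method):
    """Return the Devo roles a login would receive under this model."""
    groups = attributes.get(GROUP_ATTRIBUTE, [])
    if isinstance(groups, str):  # single-valued attribute: avoid substring matches
        groups = [groups]
    roles = set()
    for m in mappings:
        # Assumption: exact match is case-sensitive and tied to the login method.
        if method in m.methods and m.external_name in groups:
            roles.update(m.devo_roles)
    # Admin cannot be combined: if present, it is the only role assigned.
    return {ADMIN} if ADMIN in roles else roles


def admin_grants(mappings):
    """List external roles whose mapping resolves to Admin, for review."""
    return sorted(m.external_name for m in mappings if ADMIN in m.devo_roles)


# Constructed sample data (hypothetical group and role names).
MAPPINGS = [
    MappedRole("soc-analysts", frozenset({"SAML"}), ("Analyst",)),
    MappedRole("platform-ops", frozenset({"SAML", "OpenID"}), ("Admin", "Analyst")),
    MappedRole("auditors", frozenset({"OpenID"}), ()),
]

if __name__ == "__main__":
    login = {"groups": ["soc-analysts", "platform-ops"]}
    print("SAML login roles:", effective_roles(MAPPINGS, login, "SAML"))
    print("External roles that resolve to Admin:", admin_grants(MAPPINGS))
```

Running `admin_grants` over a planned mapping set shows which IDP groups end up with Admin alone, regardless of the other Devo roles listed beside it.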

...

The roles available in your Devo domain appear at the right side of the screen, in the Devo roles area. Click the icon next to the pencil icon beside a role to see the external roles linked to it. To unlink them from the Devo role, simply click the X icon next to each of them. Click the X at the right end of the dropdown box to delete all the roles assigned.

To add new external roles to a Devo role, click the corresponding icon, open the dropdown list in the Devo role and select the external roles you want to add from the available ones.

...

Tip

In case you don't remember the permissions assigned to a specific role in your domain, you can click its name in the Devo roles area to see its details and permissions/resources assigned. You can also view and edit the external roles assigned to a Devo role in this view.

...