Role mapping
About role mapping
When you configure your Devo domain to use the SAML or OpenID authentication methods, you can authorize roles created in the chosen identity provider (IDP) by mapping them to Devo roles defined in your domain. You can map multiple Devo roles to a single user role defined in your external identity provider.
You can access the Role mapping area in Administration → Roles → IDP role mapping. The screen is divided into two different areas: the external roles defined are shown in the left part, and the right part shows all the Devo roles available in your domain. Learn below how to map and edit them.
SAML or OpenID required
To activate the IDP role mapping option, you must first access Preferences → Domain preferences → Authentication and enable the SAML or OpenID authentication methods.
What permissions do I need?
To access this area to carry out role mapping, you need the Manage version of the Roles permission. With the View version you can only see roles that are already mapped, and without this permission at all you will not see the option in the Navigation pane.
Define a new external role
First, define the required roles in your IDP. The process is different according to the IDP you use, so please check its product documentation.
In the Devo Platform, go to Administration → Roles → IDP role mapping.Â
Click Create mapped role in the External roles area. Here's where you have to define the roles you created in your IDP and want to map with existing roles in your Devo domain. You must enter the following information and then click Apply:
External group/role | Enter the name of the group/role created in your IDP. Note that the name must be exactly the same for the process to work. For example, if you created a group in your IDP and named it groups, that's the name you must enter in this field. Group attribute statement Note that the group attribute statement must be set to groups to make the role mapping work. |
---|---|
Description | Enter an optional description of the role created. |
Choose the authentication methods | You must choose the authentication method used (SAML, OpenID or both). Choosing at least one is mandatory. Note that the authentication method must be activated in your Devo domain to appear on this list. |
Select the Devo roles to map to this external role | Choose the Devo role(s) to which you want to map the external role from the available ones in your domain. You can finish this process without selecting any Devo role and choose them later in the Devo roles area. |
The newly created role will appear in the External roles area.
Manage your external roles
You can easily edit and delete external roles created in your domain in the External roles area. Any time you perform any modification, you must click the Save changes button before leaving the area.
Roles not showing
If you disable an authentication method used in one of the defined external roles (SAML or OpenID), the roles assigned to that method will no longer appear in the External roles list. Activate the authentication method to see them again. Learn more in User authentication.
Edit an external role
To edit the name and description of an external role defined in your domain, hover over them and click the pencil icon that appears.
Delete an external role
To delete an external role, mark the box on the left and click the trash icon.
Edit the Devo roles mapped to an external role
The Devo roles linked to a defined external role appear listed under the name and description of the external role. To unlink them from the external role, simply click the X icon next to each of them. Click the X at the right end of the dropdown box to delete all the roles assigned.
To add new Devo roles to an external role, you can open the dropdown list in the external role and select the Devo roles you want to add from the available ones.
Edit the external roles mapped to a Devo role
The roles available in your Devo domain appear at the right side of the screen, in the Devo roles area. Click the pencil icon next to the roles to see the external roles linked to it.Â
Â