If you have a well-established way of managing users and roles within your SAML Identity Provider (IdP), there’s good news. Contentstack now supports mapping your IdP roles to Contentstack roles, enabling you to keep using your existing role management (on the IdP side) for your SSO-enabled Contentstack organizations.
How IdP Role Mapping Works with Contentstack SSO
By mapping your IdP roles to Contentstack roles, you define the organization-level and stack-level permissions that users holding those IdP roles have in Contentstack. Users of mapped IdP roles can then log into your SSO-enabled Contentstack organization directly, with the assigned permissions.
This role mapping simplifies managing users and roles for both IdP admins and Contentstack admins. Here are some of the other advantages of enabling IdP Role Mapping for your SSO-enabled Contentstack organization:
Direct login for IdP users
If your IdP roles are mapped to Contentstack roles, all users of the mapped roles can log into your SSO-enabled Contentstack organization directly. You do not have to invite them separately. This saves a lot of time and effort for the IdP admin.
User management from one central location
Managing users in your SSO-enabled organization becomes easier because user management for both the IdP and Contentstack can now be done from the IdP. For admins, this eliminates the need to maintain separate user lists for different accounts.
If ‘Strict Mode’ is enabled for your SSO-enabled organization, inviting, updating or removing users from Contentstack is not allowed. This ensures that admins, members or developers of your Contentstack organization or stack cannot manage users or roles unless they have such rights in your SAML IdP.
How to enable IdP Role Mapping for your Organization
To enable IdP Role Mapping for your SSO-enabled organization, follow these simple steps:
- For the initial setup, refer to our general guide on Single Sign-On.
- Go to the User Management section of your Organization’s Single Sign-On (SSO) settings page.
- Click on the Advanced Settings option to expand the IdP Role Mapping section.
- In the Add role mapping section, click on the ADD NEW MAPPING link and add the following details:
- IdP Role: Enter the unique identifier (name or UID) of the IdP group/role for which you want to create the mapping. This value must match exactly what your IdP sends for that role in the SAML assertion.
- Organization Role: Assign an Organization-specific role to the IdP group/role, for example, ‘Admin’ or ‘Member.’
- Stack Roles: Assign stack-specific roles to the mapped IdP group or role.
- Role Delimiter: Enter the character (for example, a comma) that your IdP uses to separate multiple roles in the role attribute it sends for a user. If the delimiter does not match, a multi-role value is read as a single, unrecognized role and no mapping applies.
- Likewise, you can add multiple mappings to map various roles of your IdP.
- Switch on the Enable Role Mapping toggle button to activate the Role Mapping feature for your organization.
Once you save your settings, all users of the mapped IdP roles will be able to log into your Contentstack organization via SSO login and access the stacks with the assigned rights.
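The following is an added, illustrative example of the resolution step described above; it is not Contentstack's code and does not reflect its internal precedence rules. It assumes the IdP sends one SAML attribute (named "roles" here) whose value lists the user's IdP roles separated by the configured delimiter, that an Admin mapping outranks a Member mapping when a user holds several mapped roles, and that stack roles from all matched mappings are combined. The assertion fragment, the mapping rows and the stack UID "blt_site" are constructed for the example.

```python
# Illustrative IdP role-mapping resolver (added example; not Contentstack code).
# Assumptions: a single "roles" attribute carries delimiter-separated IdP roles,
# an Admin mapping outranks a Member mapping, and matched stack roles are unioned.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion fragment; the identities and role names are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>cms-editors; cms-admins; finance-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class RoleMapping:
    """One row of the IdP Role Mapping table (hypothetical field names)."""
    idp_role: str
    org_role: str                                                     # "Admin" or "Member"
    stack_roles: Dict[str, Set[str]] = field(default_factory=dict)    # stack uid -> role names


# Hypothetical mapping table, mirroring what an admin would enter in the UI.
MAPPINGS: Dict[str, RoleMapping] = {
    "cms-admins": RoleMapping("cms-admins", "Admin", {"blt_site": {"Admin"}}),
    "cms-editors": RoleMapping("cms-editors", "Member", {"blt_site": {"Content Manager"}}),
}


def extract_idp_roles(assertion_xml: str, attribute_name: str, delimiter: str) -> List[str]:
    """Collect every value of the role attribute and split it on the delimiter."""
    root = ET.fromstring(assertion_xml)
    roles: List[str] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
            for part in (value.text or "").split(delimiter):
                part = part.strip()            # tolerate "a; b" as well as "a;b"
                if part:
                    roles.append(part)
    return roles


def resolve_access(idp_roles: List[str], mappings: Dict[str, RoleMapping]) -> Optional[dict]:
    """Return the effective org role and stack roles, or None if no role is mapped.

    None means role mapping grants this user nothing; they would still need an
    explicit invitation (and Strict Mode would block even that from Contentstack)."""
    matched = [mappings[r] for r in idp_roles if r in mappings]   # exact, case-sensitive match
    if not matched:
        return None
    # Assumed precedence: one Admin mapping outranks any number of Member mappings.
    org_role = "Admin" if any(m.org_role == "Admin" for m in matched) else "Member"
    stack_roles: Dict[str, Set[str]] = {}
    for m in matched:
        for stack_uid, names in m.stack_roles.items():
            stack_roles.setdefault(stack_uid, set()).update(names)
    return {
        "org_role": org_role,
        "stack_roles": stack_roles,
        "unmapped_idp_roles": [r for r in idp_roles if r not in mappings],  # worth logging
    }


if __name__ == "__main__":
    roles = extract_idp_roles(SAMPLE_ASSERTION, "roles", ";")
    print(roles, resolve_access(roles, MAPPINGS))
```

Running `extract_idp_roles(SAMPLE_ASSERTION, "roles", ",")` against the same assertion shows the delimiter failure mode: the whole value comes back as one role that matches nothing, so the user gets no access rather than partial access. Because the match is exact and case-sensitive here, a mapping entered as "CMS-Admins" would likewise never match "cms-admins"; confirm the spelling your IdP actually emits before enabling the toggle.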
Read more about SSO and IdP Role Mapping in our SSO guide.