SSO Role Mapping

What is it?

Role mappings are part of single sign-on (SSO), a subscription feature. This feature allows you to describe which roles to assign to your users using a set of rules.

Role mappings are required when authenticating via an external identity provider, such as Active Directory or SAML. 

How does it work?

The SSO mapping is working from definition of fields to claims. These claims contain attributes that need to be mapped to the required fields in the applications SAML configuration.


  1. Identity Provider (IdP): The server from where the user details are stored and used for the authentication process.  
  2. Service Provider (SP): The clients ITONICS application  
  3. Claims: These are the rules that define the attributes which will be sent from the IdP to the SP and which fields should be used to perform the match when the user attempts to log into the system. These can also be called the source fields.
  4. System Field: System fields are the fields that have been configured under Manage Field: User Configuration in the ITONICS application, /user_configuration/1/types/manage/fields. These are the destination fields to which the fields from Claims will be mapped. 
    1. The value of this column in the template would be the machine name of the corresponding field, as highlighted below.
    2. The application owner role has access to this configuration page.
      Screenshot 2024-02-22 at 13.47.59.png
  5. Claim Value: Claim Values are the specific values that need to be mapped. The values can be array, comma separator, or a string.
    1. A claim might contain a list field with options [Option 1, Option 2]. Here, the values Option1 and Option2 are the Claim values. 
    2. A claim might contain string value
    3. A claim might contain comma separated values Option 1, Option 2
      1. The developer required detailed information of value type and format
  6. System Field Value: System field values are the corresponding values in the system fields that the Claim Values will be mapped to.
  7. Comment: The comment would contain any useful information regarding the mapping, such as “Field type different in source and destination”. 

Mapping Process

Bildschirmfoto 2023-10-02 um 10.39.54.png

Group to Role Mapping

Should it be required that users be automatically assigned roles in the ITONICS platform when they first log into the system, the developers at ITONICS will need to map the various group names as set in the federated server active directory to the matching role names in the ITONICS platform. 

A list of roles in the ITONICS platform can be requested from an application owner (AO). The below table is an example of the group to role mapping we would need to perform the mapping.

Bildschirmfoto 2023-10-02 um 10.36.52.png
Was this article helpful?
0 out of 0 found this helpful