ScreenSteps Help

How to Manage User Groups Through your Identity Provider using the SAML Assertion


ScreenSteps supports user group assignment via the SAML Assertion that an IDP sends to ScreenSteps when a user logs in. To turn this feature on, check the "Manage each user's groups through IDP" checkbox in the Identity Provider (IDP) configuration in ScreenSteps.

ScreenSteps checks for the following attribute names in the order listed for setting the groups a user belongs to:

  1. http://schemas.xmlsoap.org/claims/Groups

  2. http://schemas.microsoft.com/ws/2008/06/identity/claims/group

The attribute can contain one or more <AttributeValue> elements, each holding a group name. In the following example, the user would be assigned to the Call Center Agents and Call Center Agent Administrator groups each time they log in.

<Assertion ...>
  <AttributeStatement>
    ...
    <Attribute Name="http://schemas.xmlsoap.org/claims/Groups">
      <AttributeValue>Call Center Agents</AttributeValue>
      <AttributeValue>Call Center Agent Administrator</AttributeValue>
    </Attribute>
    ...
  </AttributeStatement>
</Assertion>

 

Any groups listed in the attribute will be combined with the group associated with the IDP in the User Properties tab of the IDP configuration in ScreenSteps. In the example above, the user would end up being associated with three different groups each time they log in.
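
As an added example (not ScreenSteps code), the Python sketch below previews which groups an assertion would yield under the rules described above, which helps when auditing IDP claim rules before checking the box. It assumes that the first listed attribute name present in the assertion is the one used, that the assertion has already passed signature validation, and a hypothetical IDP group named "Default SSO Users".

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute names from the article, in the order ScreenSteps checks them.
GROUP_ATTRIBUTE_NAMES = [
    "http://schemas.xmlsoap.org/claims/Groups",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/group",
]

# Constructed sample assertion (signature, subject and conditions omitted).
SAMPLE_ASSERTION = """\
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/claims/Groups">
      <AttributeValue>Call Center Agents</AttributeValue>
      <AttributeValue>Call Center Agent Administrator</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""


def groups_from_assertion(assertion_xml):
    """Return group names from the first recognized group attribute present."""
    # Assumption: input is a trusted, already signature-validated assertion.
    root = ET.fromstring(assertion_xml)
    attributes = root.findall(f".//{{{SAML_NS}}}Attribute")
    for wanted in GROUP_ATTRIBUTE_NAMES:
        for attr in attributes:
            if attr.get("Name") != wanted:
                continue
            values = attr.findall(f"{{{SAML_NS}}}AttributeValue")
            names = [(v.text or "").strip() for v in values]
            if any(names):
                return [n for n in names if n]
    return []


def effective_groups(assertion_xml, idp_default_group):
    """Combine the IDP's configured group with the asserted groups."""
    combined = [idp_default_group] + groups_from_assertion(assertion_xml)
    return list(dict.fromkeys(combined))  # keep order, drop duplicates


if __name__ == "__main__":
    for group in effective_groups(SAMPLE_ASSERTION, "Default SSO Users"):
        print(group)
```

Because these group values come straight from the IDP, review any claim rule that can emit an administrative group name with the same care as a direct role assignment.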
