When you enable Single Sign On (SSO) with Quantive Results, you determine who can log in to the account from the application assignments in your Identity provider. This helps you centralize application access management as well as deliver better security.
By default, with SSO enabled, you control who can access Quantive Results from your Identity provider, and you assign user roles in your Quantive Results account. You can automate the role assignment based on your user group membership in the Identity Provider, thus centralizing the entire user management process. This article describes the behavior of automatically assigning roles based on IdP groups and provides best practice instructions on setting it up in your account.
Prerequisites
Your identity provider must send an attribute named groups in the SAML assertion. The attribute value must be the names* of the groups assigned to the user.
If your IdP supports it, it's good practice to filter the list and send only the groups that are assigned to the application, so the assertion does not disclose the user's entire group membership.
How it works
You configure group-to-role mapping rules in your Quantive Results account. Every time a user logs in, we check the values of their groups attribute against the rules you've configured. For every rule that matches, we apply the corresponding role to the user.
Setting up
To set up automated role assignment rules follow these steps:
Go to your Quantive account -> Settings
Click on Single Sign On in the Configuration tab
Click on the 3 dots in the upper right corner of your connection and select Roles mapping
NOTE: If your account has SSO enabled but no connection is listed under Single Sign On, contact the Quantive Results Technical Support team to get this sorted out.
Specify your Identity Provider group name on the left-hand side and select the corresponding Quantive role you'd like to assign members of that group to.
Once ready click on Save AD mappings.
Default role mapping
By default, when a user logs in to Quantive through an SSO connection and does not yet exist in the account, they are created automatically. If they do not match any automated role assignment rule, they are assigned the user role. You can change this behavior and specify a different default role for auto-provisioned SSO users. Contact the Quantive Technical Support team to request this.
Specifics
When you remove a user from a group in your IdP, Quantive will not remove the corresponding role. The automated role assignment rules you configure can only add roles to a user. Revoking a role that a user should no longer hold (for example, admin) must therefore be done manually in Quantive; removing the user from the application assignment in your IdP is what blocks their access altogether.
When a user matches more than one rule, all matching rules are applied.
For example, if you configured that all members of the Everyone group get the user role in Quantive, and members of OKR Champs group get the admin role, if a user belongs to both groups in your IdP, they will get both user and admin roles in Quantive.
A user is either view-only or holds other roles, never both.
If you assign a user the view-only role in Quantive, all their other role memberships are cleared. If you then assign that same user another Quantive role, the view-only role is cleared. Automated role assignment follows the same exclusivity.
For example:
If you have a rule that puts members of the Everyone group in the user role, and a member of the Everyone group logs in while already holding the view-only role in Quantive, nothing changes: they remain view-only.
If a user logs in and matches several rules, one of which puts them in view-only and another in a different role, the other role takes precedence.
* NOTE: Some identity providers, for example Azure AD, do not send the name of the group via SAML. They send its ID instead. Take this into consideration when configuring your group-to-role mapping in Quantive and use the group ID instead of the name.
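The login-time evaluation described in "How it works" and "Specifics", as an added example written for this article rather than Quantive's own code. It extracts the groups attribute from a constructed SAML assertion fragment (the group names, the email address, the Auditors group and the Azure AD style group object ID are all made up) and applies mapping rules with the behaviours the article states: every matching rule is applied, rules only add roles, view-only is exclusive and loses to any other matched role, a view-only user matching a non-view-only rule is left unchanged, and a new user matching nothing gets the default role. One case the article does not spell out (a view-only rule matching a user who already holds other roles) is treated as no change, as this example's reading of "rules can only add roles".

```python
"""Simulation of group-to-role rule evaluation at SSO login (added example)."""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
VIEW_ONLY = "view-only"
DEFAULT_ROLE = "user"  # default for auto-provisioned users, per the article

# Constructed sample: only the AttributeStatement matters for this example.
# A real assertion is signed and also carries Subject and Conditions; the
# signature must be validated before any attribute value is trusted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>OKR Champs</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping rules. Azure AD sends group object IDs rather than
# names, so such a rule is keyed by the (constructed) ID.
RULES = {
    "Everyone": "user",
    "OKR Champs": "admin",
    "Auditors": VIEW_ONLY,
    "d5a1c7e2-3b4f-4c8a-9e1d-0f2a3b4c5d6e": "admin",
}


def extract_groups(assertion_xml, attribute_name="groups"):
    """Return all values of the named attribute (the article's prerequisite
    is an attribute called 'groups' carrying the user's group names or IDs)."""
    root = ET.fromstring(assertion_xml)
    tag_attr = f"{{{SAML_ASSERTION_NS}}}Attribute"
    tag_val = f"{{{SAML_ASSERTION_NS}}}AttributeValue"
    values = []
    for attr in root.iter(tag_attr):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iter(tag_val):
            if val.text and val.text.strip():
                values.append(val.text.strip())
    return values


def apply_role_rules(current_roles, idp_groups, rules, is_new_user=False):
    """Return the set of roles the user holds after this login."""
    current = set(current_roles)
    # Every rule whose group appears in the assertion matches.
    matched = {rules[g] for g in idp_groups if g in rules}

    if not matched:
        # New user with no matching rule: default role. Existing user: no change
        # (rules never remove roles, so a group dropped in the IdP changes nothing).
        if is_new_user and not current:
            return {DEFAULT_ROLE}
        return current

    # view-only loses to any other matched role within the same login.
    if VIEW_ONLY in matched and len(matched) > 1:
        matched.discard(VIEW_ONLY)

    # Exclusivity plus "rules only add": a view-only user matching another
    # role stays view-only (the article's Everyone/user example), and a
    # view-only match for a user holding other roles is likewise a no-op
    # (this example's reading, not stated in the article).
    if VIEW_ONLY in current and matched != {VIEW_ONLY}:
        return current
    if matched == {VIEW_ONLY} and current - {VIEW_ONLY}:
        return current

    return current | matched


def demo():
    """Walk a constructed user through provisioning and a later group removal."""
    groups = extract_groups(SAMPLE_ASSERTION)
    provisioned = apply_role_rules(set(), groups, RULES, is_new_user=True)
    # Later login after the IdP removed the user from OKR Champs: admin stays.
    after_removal = apply_role_rules(provisioned, ["Everyone"], RULES)
    return groups, provisioned, after_removal


if __name__ == "__main__":
    print(demo())
```

Running the module walks one user from first login (user and admin from two matching rules) to a later login after losing OKR Champs in the IdP, where admin remains. That last result is the behaviour to plan for: role revocation needs a manual step in Quantive, while removing the application assignment in the IdP is what stops the login itself.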