All Collections
Integrations
Account Setup and Configuration
Group to Role Mapping through SSO or SCIM
Group to Role Mapping through SSO or SCIM

Learn how to map groups from external identity providers (idPs) to Quantive user roles

Boyan Barnev avatar
Written by Boyan Barnev
Updated over a week ago

Overview

You can map users from your idP to specific roles in Quantive. Users can be part of multiple groups and roles.

Group to Role Mapping through SSO or SCIM

You can use SSO (Single Sign On) for authentication, or for limited provisioning and SCIM (System for Cross-domain Identity Management) to set provisioning for your account. Admins can set the Group to Role Mapping through either SSO or SCIM.

SSO is available with the Quantive Scale plan and up.

SCIM is available only with the Quantive Enterprise plan.

Set default roles

To set default roles, navigate to Settings, then Group to Role Mapping, then select SSO or SCIM.

You can assign one or more roles to your users.

For example, user A belongs to both groups ‘Product’ and ‘Management’ in the idP. Group ‘Product’ is mapped to the role ‘user’ and group ‘Management’ to the role ‘admin,’ so user A will get both roles ‘user’ and ‘admin’.

If users do not belong to any group, they will be assigned the default role, which could be predefined. Most organizations choose ‘user’ as the default role.

The ‘view-only’ role cannot be combined with other roles. For example, if a user is assigned ‘view-only’ and ‘admin’ roles, the ‘admin’ role will be assigned no matter which role was added first.

SSO

Through SSO, provisioning occurs only when users log in, and roles can both be set as default or managed manually per each user. Every time a user logs in from an SSO connection, the values of their groups’ attributes will be checked. The corresponding role will be added if they match any new mapping rules. Group to Role Mapping through SSO does not remove roles.

Azure AD and Google Workspace/G Suite can be connected by an admin in Settings. For other SSO connections that support SAML 2.0, including Okta, OneLogin, and Ping, some additional setup from Quantive Support will be required. Feel free to contact us at [email protected].

*Important - Users can come in for first login with view-only. But they can NEVER go from any paid role to view-only role through SSO Groups to Role Mapping. You must first put them in the correct IDP group and them manually adjust them to view-only within Quantive if you want to move someone from a paid role to view-only.

SCIM

The SCIM integration will automatically manage user provisioning and map groups to roles, limiting security issues.

Benefits of SCIM provisioning:

  • Teams and their members can be automatically provisioned.

  • The sync between the IdP and Quantive happens less than 40 minutes after a change is present (for most external IdPs, it will change immediately). *Note if you do not see a user provisioned in Quantive after some time. First check the internal IDP logs to see if the SCIM job has gone through.

  • Users deleted in the identity provider will also be de-activated in Quantive.

  • As opposed to SSO, Group to Role Mapping via SCIM allows changing, adding, and removing roles.

*IMPORTANT - For SCIM groups to role mapping. You must do a manual push of the groups at least 1 time in order for the groups to appear in Quantive. After this initial manual group push you will not need to do so again.

You can find detailed instructions for configuring SCIM with Quantive here.

Switching Group to Role Mapping from SSO to SCIM

Note that if you switch from SSO to SCIM, the manually assigned roles will be erased, and the process will be irreversible.

Did this answer your question?