Configuring Mappers in the Identity Broker
A common practice for managing AtScale users is the programmatic mapping of users to the appropriate AtScale groups or roles. When users authenticate through AtScale (either from Design Center or BI tools), they are automatically assigned to an AtScale group/role based on the mapped IdP group.
The following sections describe how to map an IdP group to an AtScale group. Similar steps can be followed for auto-assignment to roles.
Mappings are based on what is sent in an assertion (claims, attributes). Every IdP has specific mappings; for example, Entra ID uses Object Ids, and Okta uses attributes. The following procedures are based on the most common protocols (OIDC and SAML) and include examples from common identity providers (Entra ID and Okta).
Depending on your IdP, the actual configuration steps may differ slightly from what is shown below. AtScale recommends cross-referencing with external tooling and validating your assertions before mapping IdP groups to AtScale groups or roles.
Prerequisites
Before continuing, verify that you meet the following requirements:
- You have the admin role assigned in the Identity Broker.
- Your IdP is connected to AtScale. For more information, see Using External Authentication.
- You created the AtScale groups you require. For instructions, see Managing Users with the Identity Broker.
Configure mappers for OIDC IdPs
To configure mappers for IdPs that use OIDC:
- In Design Center, open the main menu and select Security. The Identity Broker opens.
- Log in using your AtScale admin credentials.
- In the left-hand navigation, click Identity Providers, then click on your IdP.
- Go to the Mappers tab.
- Click Add mapper. A blank mapper appears.
- Complete the following fields:
  - Name: Enter a name for the mapper.
  - Sync mode override: Select a sync mode override. AtScale recommends using Force, which updates the user during every login.
  - Mapper type: Select the type of mapper you want to create. For example, if you want to map to groups, select Advanced Claim to Group. If you want to map to roles, select Advanced Claim to Role.
- Add a claim:
  - Click Add Claims.
  - In the Key field, enter the name of the claim that carries the group identifier. For example, group.
  - In the Value field, enter the group identifier used by your IdP. For example, for Entra ID, this is the Object Id of the Entra ID group.
- In the Group field, select the AtScale group you want to map to.
- Click Save.
The mapper is added to the Identity Broker. You should repeat the steps above for every combination of claims (usually a single IdP group) you want to auto-map to an AtScale group/role.
Configure mappers for SAML IdPs
To configure mappers for IdPs that use SAML:
- In Design Center, open the main menu and select Security. The Identity Broker opens.
- Log in using your AtScale admin credentials.
- In the left-hand navigation, click Identity Providers, then click on your IdP.
- Go to the Mappers tab.
- Click Add mapper. A blank mapper appears.
- Complete the following fields:
  - Name: Enter a name for the mapper.
  - Sync mode override: Select a sync mode override. AtScale recommends using Force, which updates the user during every login.
  - Mapper type: Select the type of mapper you want to create. For example, if you want to map to groups, select Advanced Attribute to Group. If you want to map to roles, select Advanced Attribute to Role.
- Add an attribute:
  - Click Add Attributes.
  - In the Key field, enter the name of the SAML attribute that carries the group identifier. For example, if you use Entra ID, this should be http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
  - In the Value field, enter the group identifier used by your IdP. For example, for Entra ID, this is the Object Id of the Entra ID group.
- In the Group field, select the AtScale group you want to map to.
- Click Save.
The mapper is added to the Identity Broker. You should repeat the steps above for every combination of claims (usually a single IdP group) you want to auto-map to an AtScale group/role.
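The following Python example is added here to illustrate both procedures above (the OIDC "Advanced Claim to Group" mapper and the SAML "Advanced Attribute to Group" mapper); it is not AtScale or Keycloak code. It models how a mapper's Key/Value rows are checked against the decoded assertion at login, why an Entra ID groups claim (an array of Object Ids) still matches a single configured value, and what the recommended Force sync mode implies: membership in mapper-managed groups is recomputed on every login, so a group removed at the IdP is dropped, while groups no mapper manages are left alone. All group names, Object Ids and claim values are constructed samples; the leave-on-mismatch behaviour is the modelled assumption to confirm against the Keycloak documentation referenced below.

```python
"""Added worked example (not AtScale's or Keycloak's code).

Models how an "Advanced Claim to Group" (OIDC) or "Advanced Attribute
to Group" (SAML) mapper is evaluated when a brokered user logs in, and
what the recommended "Force" sync mode implies for group membership.
All group names, Object Ids and claim values are constructed samples.
"""
from typing import Any, Dict, Iterable, List, Set

# A mapper as configured in the Identity Broker UI: `matches` holds the
# Key/Value rows added under "Add Claims" / "Add Attributes"; `group`
# is the AtScale group selected in the Group field.
Mapper = Dict[str, Any]


def _value_matches(assertion: Dict[str, Any], key: str, wanted: str) -> bool:
    """True if claim/attribute `key` carries `wanted`.

    Entra ID sends the groups claim as an array of Object Ids and SAML
    attributes are multi-valued, so a list matches when any element
    equals `wanted`; a scalar must equal it exactly. A missing key
    never matches.
    """
    present = assertion.get(key)
    if present is None:
        return False
    if isinstance(present, list):
        return any(str(v) == wanted for v in present)
    return str(present) == wanted


def mapper_applies(assertion: Dict[str, Any], mapper: Mapper) -> bool:
    """A mapper fires only when every configured Key/Value row matches."""
    return all(_value_matches(assertion, k, v) for k, v in mapper["matches"].items())


def resolve_groups(assertion: Dict[str, Any], mappers: Iterable[Mapper]) -> List[str]:
    """AtScale groups whose mappers fire for this assertion (sorted)."""
    return sorted({m["group"] for m in mappers if mapper_applies(assertion, m)})


def apply_force_sync(current: Set[str], assertion: Dict[str, Any],
                     mappers: Iterable[Mapper]) -> Set[str]:
    """Model of "Force" sync mode: membership is recomputed on every login.

    Assumed behaviour: for each mapper the user joins its group when the
    mapper matches and leaves it when it does not, so a group removed at
    the IdP is revoked on the next login. Groups no mapper manages (for
    example, assigned by hand in the Identity Broker) are left untouched.
    """
    updated = set(current)
    for m in mappers:
        if mapper_applies(assertion, m):
            updated.add(m["group"])
        else:
            updated.discard(m["group"])
    return updated


# --- constructed sample configuration and assertions -------------------

ENTRA_GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ANALYSTS_OID = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed Object Id
ADMINS_OID = "11111111-aaaa-4bbb-8ccc-000000000002"    # constructed Object Id

OIDC_MAPPERS: List[Mapper] = [
    {"name": "entra-analysts", "group": "analysts", "matches": {"groups": ANALYSTS_OID}},
    {"name": "entra-admins", "group": "atscale-admins", "matches": {"groups": ADMINS_OID}},
    # Two Key/Value rows in one mapper: both must match (Okta-style attributes).
    {"name": "okta-finance-emea", "group": "finance-emea",
     "matches": {"department": "finance", "region": "emea"}},
]

SAML_MAPPERS: List[Mapper] = [
    {"name": "saml-analysts", "group": "analysts", "matches": {ENTRA_GROUPS_ATTR: ANALYSTS_OID}},
    {"name": "saml-admins", "group": "atscale-admins", "matches": {ENTRA_GROUPS_ATTR: ADMINS_OID}},
]

# Decoded ID-token claims for a user who is in the analysts group only.
OIDC_ASSERTION = {"sub": "u-1", "preferred_username": "alice@example.com",
                  "groups": [ANALYSTS_OID], "department": "finance", "region": "apac"}

# SAML attribute statement for a user who is in both Entra ID groups.
SAML_ASSERTION = {ENTRA_GROUPS_ATTR: [ANALYSTS_OID, ADMINS_OID]}


if __name__ == "__main__":
    print(resolve_groups(OIDC_ASSERTION, OIDC_MAPPERS))   # ['analysts']
    print(resolve_groups(SAML_ASSERTION, SAML_MAPPERS))   # ['analysts', 'atscale-admins']
    # The user held atscale-admins from an earlier login; the IdP group was
    # since removed, so Force sync revokes it while the hand-assigned group stays.
    print(sorted(apply_force_sync({"atscale-admins", "bi-manual"}, OIDC_ASSERTION, OIDC_MAPPERS)))
    # ['analysts', 'bi-manual']
```

Two points the model makes visible when validating your own assertions: a mapper with several Key/Value rows only fires when all rows match (the `region: apac` user above gets no finance group), and the Value field holds the literal identifier from the IdP (an Object Id for Entra ID), so a typo there silently maps nobody rather than failing loudly.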
Additional information
- For information on how mappers function in the Identity Broker, refer to the Keycloak documentation.
- For information on the default roles available in AtScale, see Identity Broker Default Roles.