Passing Roles over SSO - Adding and/or Replacing roles.

Unknown
edited December 2022 in Support Agents

I am putting this here while it is fresh in my mind because I just did the research for a customer and I know how confusing this issue is.

When you pass Roles over SSO, the default behaviour is: if you pass a Role that exists on our system, that Role will be assigned and any other Roles that the user has will be removed. If you assign other Roles manually from the Dashboard to the user, they will be removed the next time the user logs in and replaced by the Role passed over SSO. You are controlling the Roles entirely from the Identity Provider.

If you pass Roles that don't exist on our system, the default "Member" Role will be assigned the first time the user connects, and then you can assign any other Roles manually from the Dashboard and they will remain when the user logs back in. In other words, if you are passing Roles that do not exist on our system, it is as though you are not passing Roles at all. You are controlling the Roles entirely from our Dashboard.

But there is a config setting that will allow you to control some Roles from the Identity Provider and some from the Dashboard. That is:

"Garden": {
    "SSO": {
        "roleSync": ["sso"]
    }
}

When you have added this setting, what you are telling our system is that Roles being passed over SSO should be added to the existing Roles, and that existing Roles should not be removed. In fact, the Roles you pass over will only be added. They too will not be removed, even if you revoke that Role on your Identity Provider. If you need to add/remove/preserve some Roles in the Dashboard and add/remove some Roles over SSO, you can. How? Read on.

When you put the roleSync setting into the config, a new toggle will appear on all Roles in the Role Edit panel in the Dashboard:

(Screenshot: the new SSO toggle on a Role in the Role Edit panel)

Toggle this to ON for the Roles that you want to be added and removed over SSO while preserving any Roles that are assigned manually in the Dashboard. In other words, toggling this on for a Role will give control over this Role, and only this Role, to the Identity Provider.
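To make the three behaviours above concrete, here is a small Python model (an added example, not Vanilla's own code) of what a user's Roles look like after an SSO login: default replace, roleSync add-only, and roleSync with the per-Role toggle. Role names are constructed, and the fallback to "Member" whenever a user would otherwise end up with no Role at all is an assumption.

```python
DEFAULT_ROLE = "Member"


def sync_roles(current, sso_roles, known_roles, *, role_sync=False, sso_controlled=frozenset()):
    """Model of the Roles a user holds after an SSO login.

    current        -- Roles the user already has on the site (empty on first login)
    sso_roles      -- Roles passed by the Identity Provider on this login
    known_roles    -- Roles that exist on the site
    role_sync      -- True when Garden.SSO.roleSync = ["sso"] is configured
    sso_controlled -- Roles whose new toggle is ON (only meaningful with role_sync)
    """
    current = set(current)
    # Roles that do not exist on the site are ignored, as if never passed.
    passed = set(sso_roles) & set(known_roles)

    if not role_sync:
        if not passed:
            # Nothing usable was passed: the Dashboard controls Roles.
            # Assumption: a user with no Roles falls back to the default "Member".
            return current or {DEFAULT_ROLE}
        # The Identity Provider controls Roles entirely: replace everything.
        return passed

    # roleSync: passed Roles are added and existing Roles are kept ...
    result = current | passed
    # ... except Roles toggled to SSO control, which follow the IdP exactly:
    # present if passed on this login, removed if no longer passed.
    controlled = set(sso_controlled) & set(known_roles)
    result -= controlled - passed
    return result or {DEFAULT_ROLE}


if __name__ == "__main__":
    known = {"Member", "Moderator", "Editor"}
    # Manual "Moderator" is wiped by the passed Role in default mode ...
    print(sync_roles({"Member", "Moderator"}, ["Editor"], known))
    # ... but survives with roleSync, and "Editor" is never removed later ...
    print(sync_roles({"Member", "Moderator", "Editor"}, [], known, role_sync=True))
    # ... unless "Editor" has its SSO toggle ON.
    print(sync_roles({"Member", "Moderator", "Editor"}, [], known,
                     role_sync=True, sso_controlled={"Editor"}))
```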