search
StatusPal.ioBlog

Configure Role provisioning from SAML attributes

Automatically assign roles and status page permissions based on your Single Sign-On SAML attributes to your users accessing your status pages & StatusPal admin console.

SSO role provisioning allows StatusPal to automatically assign roles to your users accessing your status pages and StatusPal admin console by reading a SAML property in your assertion named groups.

circle-exclamation

WARNING: Enabling SSO Role Provisioning on an active organization can be risky. If you fail to send the expected groups attribute in your SAML assertion, then the default role will be assigned, which is "viewer" member. This could cause disruption in your StatusPal organization, downgrading existing owner and admin users to viewers.

hashtag
Configure your IdP (SSO provider) to send the groups attribute

The first step to enable SAML role provisioning is to configure your IdP to send the groups attribute in its SAML request to StatusPal.

As an example, this can be enabled in Azure AD by visiting the Single Sign-On page within the enterprise application that you should have configured previously for StatusPal.

Once on your Single Sign-On page, click on the Edit button under the Attributes & Claims section and click on "Add a group claim," select "All groups" (or whatever suits you), and select the "Source attribute," by default is "Group ID."

Status page SSO configuration for role mappings on Azure AD
Example Azure AD groups claim configuration

After clicking on Save, the groups attribute should be correctly sent as an array attribute with the list of group IDs the authenticated user has assigned.

If you're working on an active organization, we suggest you create a separate organization just for testing this feature and use something like SAML Chrome Panelarrow-up-right to inspect your SAML requests and ensure that the groups attribute is being correctly sent.

Using Chrome SAML Panel to debug SSO on status page
Example of SAML Chrome Panel showing the "groups" attribute correctly included.

hashtag
Configure your SSO Role Mappings in StatusPal

Once you have made sure your SSO provider is sending the groups attribute successfully, the next step is to configure your SSO role mappings in StatusPal.

Access your SSO Role Mapping by clicking on the link at the bottom of your Security page:

Single Sign-On Role Mappings for status pages

Once on your SSO Role Mappings page, click on New SSO Role Mapping, and the following fields are available:

  • SAML Group Name/ID: The Group ID or name that, when found on your SAML assertion, should trigger this mapping rule.

circle-info

Auth0 only supports SAML Group names

  • Role: What role should be assigned to the StatusPal users that are part of this SSO group?

  • Status page: Should this user have access to one specific status page? Or to all status pages? If you select "All", an organization-level membership will be used If you select a status page, a status page membership will be used instead.

Make sure to create a SSO role mapping for every role in StatusPal: owner, admin, editor, viewer. Once you add at least one role mapping, any user authenticating via SSO without a matching group will be assigned the lowest StatusPal role: viewer, which can only visit and subscribe to status pages.

Once you have configured a role mapping for each StatusPal role, enable role mapping by checking the "Parse SSO roles from SAML attributes" option in the Security > Single Sign-On page.

circle-info

If you struggle to get your roles to be properly assigned, follow this guidearrow-up-right to send us debugging information and send it to [email protected]envelope so we can assist you.

PreviousSave your Recovery CodesNextConfigure role provisioning for Okta

Last updated