# Configure Role provisioning from SAML attributes

SSO role provisioning allows StatusPal to automatically assign roles to users accessing your status pages and the StatusPal admin console by reading the `groups` attribute in your SAML assertion.

{% hint style="warning" %}
**WARNING**: Enabling SSO Role Provisioning on an active organization can be risky. If your SAML assertion does not include the expected `groups` attribute, the default role, "viewer", will be assigned.\
\
This could cause disruption in your StatusPal organization, downgrading existing owner and admin users to viewers.
{% endhint %}

### Configure your IdP (SSO provider) to send the `groups` attribute

The first step to enable SAML role provisioning is to configure your IdP to send the `groups` attribute in the SAML assertion it sends to StatusPal.

As an example, this can be enabled in **Azure AD** by visiting the Single Sign-On page within the enterprise application that you should have configured previously for StatusPal.

Once on your Single Sign-On page, click the Edit button under the `Attributes & Claims` section, click "Add a group claim", select "All groups" (or whatever suits you), and select the "Source attribute", which defaults to "Group ID".

<figure><img src="/files/oKCMU9TA1iWC5S73zSt6" alt="Status page SSO configuration for role mappings on Azure AD "><figcaption><p>Example Azure AD groups claim configuration </p></figcaption></figure>

After clicking on Save, the `groups` attribute should be correctly sent as an array attribute containing the list of group IDs assigned to the authenticated user.

If you're working on an active organization, we suggest you create a separate organization just for testing this feature and use something like [SAML Chrome Panel](https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en) to inspect your SAML requests and ensure that the `groups` attribute is being correctly sent.

<figure><img src="/files/vGthCN3tP4fDYHpoucBm" alt="Using Chrome SAML Panel to debug SSO on status page"><figcaption><p>Example of SAML Chrome Panel showing the "groups" attribute correctly included.</p></figcaption></figure>

### Configure your SSO Role Mappings in StatusPal

Once you have made sure your SSO provider is sending the `groups` attribute successfully, the next step is to configure your SSO role mappings in StatusPal.

Access your SSO Role Mapping by clicking on the link at the bottom of your Security page:

<figure><img src="/files/7hPdKsFZumMGf8oBl2Tz" alt="Single Sign-On Role Mappings for status pages" width="563"><figcaption></figcaption></figure>

Once on your SSO Role Mappings page, click on <mark style="background-color:green;">New SSO Role Mapping</mark>. The following fields are available:

* **SAML Group Name/ID**: The Group ID or name that, when found in your SAML assertion, should trigger this mapping rule.

{% hint style="info" %}
Auth0 only supports SAML Group names
{% endhint %}

* **Role**: What role should be assigned to the StatusPal users that are part of this SSO group?
* **Status page**: Should this user have access to one specific status page, or to all status pages? If you select "All", an organization-level membership will be used. If you select a status page, a status page membership will be used instead.

Make sure to create an SSO role mapping for every role in StatusPal: owner, admin, editor, viewer. Once you add at least one role mapping, any user authenticating via SSO without a matching group will be assigned the lowest StatusPal role, viewer, which can only visit and subscribe to status pages.
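A pre-flight check to run before enabling the option, as an added example (not StatusPal's own code): it reads a SAML assertion copied from your debugging tool, confirms the `groups` attribute is present, and reports which planned mappings match. The sample assertion, group IDs, `PLANNED_MAPPINGS` and `preflight` are constructed for illustration; the page does not state how several matching mappings are resolved, so the script only lists the matches.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP); group IDs are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-aaaa-4000-8000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>11111111-aaaa-4000-8000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical copy of the mappings you plan to create: group ID/name -> role.
PLANNED_MAPPINGS = {
    "11111111-aaaa-4000-8000-000000000001": "owner",
    "11111111-aaaa-4000-8000-0000000000ff": "editor",
}

def preflight(assertion_xml, mappings):
    """Inspect one captured assertion. Inspection only: no signature validation,
    so use it on assertions you captured yourself, never as an auth check."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = [v for v in values if v]
    groups = attrs.get("groups", [])  # the attribute name this page expects
    matched = {g: mappings[g] for g in groups if g in mappings}
    return {
        "attribute_names": sorted(attrs),   # helps spot a misnamed group claim
        "groups": groups,
        "matched": matched,
        "falls_back_to_viewer": not matched,  # no match => default "viewer"
    }

if __name__ == "__main__":
    print(preflight(SAMPLE_ASSERTION, PLANNED_MAPPINGS))
```

Run it against an assertion for each owner and admin account; any result with `falls_back_to_viewer` set to true is a user who would be downgraded once role parsing is enabled.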

Once you have configured a role mapping for each StatusPal role, enable role mapping by checking the "Parse SSO roles from SAML attributes" option in the <mark style="background-color:green;">Security > Single Sign-On</mark> page.

<figure><img src="/files/n6lORAAcCVuxfbkraard" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
If you struggle to get your roles properly assigned, follow [**this guide**](https://docs.statuspal.io/v/guides/platform/debug-saml-with-saml-chrome-panel-extension) to collect debugging information and send it to <support@statuspal.io> so we can assist you.
{% endhint %}

