Comparison of user groups

If you are using federations and you have user groups on the credential provider side, you can configure group mappings to integrate them into Servercore user groups.

Principle of operation

Users in the mapped credential provider group will be added to the Servercore group automatically the first time they authenticate. Users will be assigned the permissions that you specify for the Servercore user group when setting up group mapping.

If permissions or user data have changed on the credential provider side, the changes will be applied to Servercore when re-authenticating.

You can map a single Servercore user group to a single credential provider group. You cannot map a Servercore group to multiple credential providers or vice versa.

Customize group mapping

1. Create user groups.
2. Add group mapping.
3. Configure mappings on the credential provider side.
4. Add users to the group on the credential provider side.

1. Create user groups

1. Make sure you have a user group on the credential provider side.

2. If you already have a user group on the Servercore side and you want to use it for mapping, you do not need to create a new group.If there is no group or you want to use a new one:

   2.1 Add a user group.

   2.2 Assign permissions to the user group.

2. Add group mapping

1. In the control panel, on the top menu, click Account.

2. Go to the Federations section.

3. Open the Federation page → Group Matching tab.

4. Click Match Groups.

5. In the Related Groups block:

   5.1 Select the Servercore Group you created in step 1 or earlier.

   5.2 Enter the name of the credential provider group.

6. Optional: To add another group mapping, click Add Mapping and follow step 5.

7. Click Save Settings.

3. Configure mappings on the credential provider side

Keycloak

1. In the Keycloak control panel, log in to the Administration Console.

2. Go to Client scopes → Setup tab.

3. Select the Client scope, which is specified in the format <client_id>-dedicated. Here <client_id> is the URL you specified when configuring the SAML application in the Client ID field.

4. Configure user group mapping:

   4.1 On the Mappers tab, click Add mapper → By configuration → Group list.

   4.2 In the Name field, enter a name for the mapping.

   4.3 In the Group attribute names field, type groups.

   4.4 Turn on the Single Group Attribute toggle switch.

   4.5. Turn off the Full group path toggle switch.

   4.6 Click Save.

5. Configure mapping of user email addresses:

   5.1 On the Mappers tab, click Add mapper → From predefined mappers → x500 email.

   5.2 Open the x500 email mapping page.

   5.3 In the SAML Attribute Name field, enter email.

   5.4 Click Save.

6. Configure user name mapping:

   6.1 On the Mappers tab, click Add mapper → From predefined mappers → x500 givenName.

   6.2 Open the x500 givenName mapping page.

   6.3 In the SAML Attribute Name field, enter firstName.

   6.4 Click Save.

7. Customize the mapping of user last names:

   7.1 On the Mappers tab, click Add mapper → From predefined mappers → x500 lastName.

   7.2 Open the x500 lastName mapping page.

   7.3 In the SAML Attribute Name field, enter lastName.

   7.4 Click Save.

AD FS

1. On the AD FS server, open Server Manager.

2. From the Tools menu, select AD FS Management.

3. In the Actions box, select Relying Party Trust.

4. Right-click the Relying Party Trust that you added when setting up the trust relationship when creating the federation and select Edit Claim Issuance Policy.

5. Click Add Rule.

6. In the Choose rule type step:

   6.1 In the Claim rule template field, select Send LDAP Attributes as Claims.

   6.2 Optional: enter a description.

   6.3 Press Next.

7. In the Configure Claim Rule step:

   7.1 In the Claim rule name field, enter a name for the match.

   7.2. In the Attribute Store field, select Active Directory.

   7.3 In the Mapping of LDAP attributes to outgoing claim types block:

   • In the column on the left, select Token-Groups - Unqualified Names;
   • enter groups in the column on the right.

   7.4 Press Finish.

4. Add users to the group on the credential provider side

Keycloak

1. In the Keycloak control panel, go to the Users section.
2. Open the user page → Groups tab.
3. Click Join Group.
4. Check the group to which you want to add the user.

AD FS

1. On the AD FS server, open Active Directory Users and Computers.
2. Select the user you want to add to the group.
3. On the right side of the Actions section, select Properties.
4. Open the Member Of tab.
5. Click Add.
6. Select the group to which to add the user.
7. Press OK.

Disable group mapping

After disabling group mapping, users will no longer be able to authenticate to the dashboard by SSO.

You can re-enable group mapping at any time.

1. In the control panel, on the top menu, click Account.
2. Go to the Federations section.
3. Open the Federation page → Group Matching tab.
4. In the Settings Enabled block, turn off the toggle switch.

Delete group mapping

After group mapping is removed, users in the credential provider group will no longer be able to authenticate to the dashboard by SSO.

If users are added to another Servercore group for which a mapping is configured, they will still have access within that mapping.

1. In the control panel, on the top menu, click Account.
2. Go to the Federations section.
3. Open the Federation page → Group Matching tab.
4. In the Matched Groups block, in the mapping row, click .
5. Click Save Settings.