Audience: Administrators
Overview
SAML Attributes are pieces of information associated with a user. SAML Attributes are sent from a user's Identity Provider, or IDP (e.g., Okta), to the application they are trying to access (e.g., OrgChart) in the form of a SAML Attribute Assertion.
Admins can choose which SAML Attributes to send in the SAML Attribute Assertion. Some attributes are required for a user to log in. Other attributes are optional and can be used to do the following:
- Map access groups with Okta Group claim - Automatically assign OrgChart Access Groups based on a SAML Attribute value.
- Update user info with additional attributes - Automatically update user information in the OrgChart User Info panel using information stored in your IDP.
This article provides step-by-step instructions for configuring your Okta SSO Integration to send additional SAML Attributes for Access Group mapping and User Info panel updates.
Important
Before you begin, ensure that you have a functioning Okta SSO Integration.
Map Access Groups with an Okta Group Claim
Administrators can send a Group Claim in their SAML Attribute Assertion, in order to map users to Access Groups in OrgChart using Okta Groups.
Add a Group Claim to the SAML Assertion
1. In the Okta Administrator Portal, open the OrgChart application.
2. On the General tab, click on the Edit button associated with the SAML Settings section.
3. Click on Next.
4. Scroll to the Group Attribute Statements (optional) section.
5. Enter the name of the attribute you want to send to OrgChart for Group Mapping into the Name text box. If you want to send Okta security groups (most common), then type Group in the Name text box.
6. Click on the Filter dropdown menu, and then select a comparison value. For example, if you'd like to send all Okta security groups that start with 'OrgChart -', configure the Group Attribute Statement as seen below:
Note
Work with your Okta System Administrator for help in defining more complex filters.
7. Click on Next, and then click on Finish.
Map the Groups in OrgChart
1. Click on the Settings button in the bottom right corner, and then select the Account Settings option from the list.
2. Select the Authorization option from the top panel, scroll down to the SSO Configuration heading, and click on the +Add SSO Configuration button.
3. The SSO Configuration panel is displayed.
4. Enter the name for the Group Attribute (selected in Step 5 above).
5. Click on the Add group mapping button (at the end of the SAML Attributes Handling header), and then enter an Okta Group name that will be sent in the SAML Assertion (e.g., OrgChart - Managers).
6. Click on the Application Security Group dropdown menu, and then select the OrgChart Access Group that should be assigned to users associated with that Okta Group.
7. Repeat steps until all the desired Okta Groups are mapped to OrgChart Access Groups.
8. Click on Save.
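To check that the Group Attribute Statement filter and the OrgChart group mappings agree, the following added example (not OrgChart or Okta code) audits the Group attribute of a decoded SAML assertion. The sample assertion, the Access Group name and exact-match comparison of group names are assumptions; the script inspects attributes only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the AttributeStatement part of an assertion,
# not captured from a real tenant.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>OrgChart - Managers</saml:AttributeValue>
      <saml:AttributeValue>OrgChart - HR</saml:AttributeValue>
      <saml:AttributeValue>Domain Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical mapping mirroring the "Add group mapping" rows in OrgChart
# (Okta Group name -> OrgChart Access Group). Names are assumptions.
GROUP_MAPPING = {"OrgChart - Managers": "Manager Access"}


def attribute_values(assertion_xml, name):
    """Return every AttributeValue sent under the named SAML Attribute."""
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(xpath, NS)]


def audit_group_claim(assertion_xml, attr_name, prefix, mapping):
    """Sort group claim values into assigned, unmapped and outside-filter."""
    report = {"assigned": [], "unmapped": [], "outside_filter": []}
    for group in attribute_values(assertion_xml, attr_name):
        if not group.startswith(prefix):
            # Filter is broader than intended: unrelated group names leave the IDP.
            report["outside_filter"].append(group)
        elif group in mapping:
            report["assigned"].append(mapping[group])
        else:
            # Sent by Okta, but no group mapping row exists for it.
            report["unmapped"].append(group)
    return report


if __name__ == "__main__":
    print(audit_group_claim(SAMPLE_ASSERTION, "Group", "OrgChart -", GROUP_MAPPING))
```

Any entry under outside_filter means the Okta filter should be tightened so that only the intended groups are disclosed to the application.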
Update User Info with Additional Attributes
Administrators can auto-populate and update a user's User Info panel using additional SAML Attributes in Okta.
Add Additional Attributes to the SAML Assertion
1. In the Okta Administrator Portal, open the OrgChart application.
2. On the General tab, click on the Edit button associated with the SAML Settings section.
3. Click on Next.
4. Scroll to the Attribute Statements (optional) section.
5. Enter the name of the attribute (e.g., Name) you want to send to OrgChart to update user information in the Name text box.
6. Click on the Value dropdown menu, and then select which Okta value (e.g., user.fullName) should be sent with this SAML Attribute.
7. Optionally, click on the Add Another button to send an additional attribute (e.g., Email) that you can use to update user information.
8. Click on Next, and then click on Finish.
Map the Attributes in OrgChart
Log in to OrgChart and follow these steps to complete your setup:
1. Click on the Settings button in the bottom right corner, and then select the Account Settings option from the list.
2. Select the Authorization option from the top panel, scroll down to the SSO Configuration heading, and click on the +Add SSO Configuration button.
3. The SSO Configuration panel is displayed.
4. Enter the name of the attribute you are sending to populate Name (selected in step 5 above) in the user information panel in the SAML Name Attribute text box.
5. Enter the name of the attribute you are sending to populate Email in the user information panel in the SAML Email Attribute text box.
6. Click on Save. When a user signs into OrgChart via SSO, the user information panel is updated automatically.
See the sample SAML Assertion and the updated user info panel below: