Audience: Administrators
Overview
SAML Attributes are pieces of information associated with a user. SAML Attributes are sent from a user's Identity Provider, or IDP (e.g. Entra ID), to the application they are trying to access (e.g. OrgChart) in the form of a SAML Attribute Assertion.
Admins can choose what SAML Attributes to send in the SAML Attribute Assertion. Some attributes are required for a user to login. However, some attributes are optional, and can be used to do the following:
- Automatically assign OrgChart Access Groups based on a SAML Attribute value
- Automatically update user information in the OrgChart User Info panel using information stored in your IDP.
The following article provides step-by-step instructions for configuring your Entra ID (formerly Azure Active Directory) SSO integration to send additional SAML Attributes for Access Group mapping and User Info panel updates.
This article covers the following topics:
- Map Access Groups with an Entra ID Group Claim
- Map Access Groups with Entra ID App Roles
- Update OrgChart User Info with Additional Attributes
Important
Before you begin, ensure that you have a functioning Entra ID SSO integration, as well as at least the following Entra ID permissions:
- Application Administrator
- Cloud Application Administrator
- Privileged Role Administrator
For information on setting up an Entra ID SSO integration, please reference the Entra ID SSO article.
Map Access Groups with an Entra ID Group Claim
Administrators can send a Group Claim in their SAML Attribute Assertion, in order to map users to Access Groups in OrgChart using:
- Entra ID Security Groups
- Entra ID Directory Roles (tenant-specific, not app-specific)
Add a Group Claim to the SAML Assertion
1. Open the OrgChart SSO Application in Entra ID.
2. Click on the Single-Sign On option in the left side panel.
3. Scroll to the second section (Attributes and Claims), and then click on Edit.
4. Click on the + Add a Group Claim button, and then select which groups associated with the user should be sent in the SAML Attribute Assertion. For our purposes, select one of the following available options:
- Security Groups - All security groups the user is a member of.
- Groups Assigned to the Application - Security groups assigned to the application that the user is a member of.
Note
Select this option only if you've assigned users to this application using security groups.
5. Click on the Source Attribute dropdown menu, and then select the Group ID option.
6. Click on Save
Find the Claim Name and IDs for the Attribute
1. Copy the Claim Name for the additional claim (added in steps 1-6 above), and then paste it in a separate document. You will need this information later.
2. Return to the Overview page of your Entra ID workspace.
3. Click on the Groups option in the left hand panel, and then search for each Group that you plan to map in OrgChart. Remember that these Groups must be Groups that will be sent in the SAML Assertion according to the Group Claim configuration completed in step 4.
4. Copy the Object ID for each Group that you plan to map in OrgChart, and then paste these IDs in a separate document. Ensure that you track which Object IDs are associated with each Group.
Map the Groups in OrgChart
Login to OrgChart and follow these steps to complete your setup:
1. Click on the Settings button in the bottom right corner, and then select the Account Settings option from the list.
2. Select the Authorization option from the top panel and scroll down to the SSO Configuration heading and click on the +Add SSO Configuration button.
3. Copy and paste the claim name associated with the Name SAML Attribute into the SAML Name Attribute text box.
4. Copy and paste the claim name associated with the email SAML Attribute into the SAML Email Attribute text box.
5. Copy and paste the Group Object ID into the SAML Group Attribute text box.
6. Click on Add group mapping button and then click on the Application security group dropdown menu, then select the OrgChart Access group that should be assigned to users associated with that Group Object ID.
7. Repeat steps 5-6 until all the desired Entra ID Security Groups are mapped to OrgChart Access Groups.
8. Click on Save.
Map Access Groups with Entra ID App Roles
Administrators can map Access Groups using Entra ID app roles, which are application specific.
This option is preferable for people who still want to use automatic Access Group assignment when:
- Tenant-wide security groups do not directly correlate with the desired group mapping
AND/OR
- Modifying or adding additional tenant-wide security groups is not possible.
Add App Roles
1. Open the OrgChart SSO Application in Entra ID.
2. Click on the Users and Groups option in the left hand panel.
3. Click on the Application Registration hyperlink to create app-roles for this application.
4. Click on the + Create App Role button.
5. Enter a display name (e.g. General Role) in the Display Name text box.
6. Select the Both (Users/Groups + Applications) radio button.
7. Enter the value (e.g. General) that will appear in the SAML Attribute Assertion for users/groups assigned to this app role. Copy and paste the Role Value in a separate document. You will need this later.
8. Optionally, enter a description for users or groups assigned to this app role.
9. Check the Do you want to enable this app role checkbox, and then click on Apply.
10. Repeat steps 4-9 above for each new app role you would like to create.
Assign App Roles to Users/Groups
1. Re-open the OrgChart SSO application, and then click on the Users and Groups option in the left hand panel.
2. Click on the +Add user/group button, and then begin assigning groups, and the corresponding app roles, to the application. Members of these groups will emit the role value in the SAML Attribute Assertion.
3. Click on Assign.
4. Click on the +Add user/group button again, and then assign the individual users, and the corresponding app role, to the application.
Note
Individually assigned users will emit their individual app-role assignment in the SAML Attribute Assertion first, even if they belong to one of the groups that was previously assigned.
5. Click on Assign.
Add the Additional Attribute to the SAML Assertion
- Click on the Single Sign-On tab in the left hand menu, and then click to edit the Attributes & Claims.
- Click on the +Add new claim button.
- Enter a name for the claim (e.g. Role).
- Click on the Attribute radio button, and then select user.assignedroles from the dropdown menu.
- Click on Save.
Map the Roles in OrgChart
1. Click on the Settings button in the bottom right corner, and then select the Account Settings option from the list.
2. Select the Authorization option from the top panel and scroll down to the SSO Configuration heading and click on the +Add SSO Configuration button.
3. The SSO configuration panel is displayed.
4. Enter the name and email attribute information, and then enter the Role value in the SAML Group Attribute text box.
5. Click on Add group mapping button and then click on the Application security group dropdown menu, then select the OrgChart Access group that should be assigned to users associated with that Role value.
6. Repeat the steps until all the desired Entra ID Assigned App Roles are mapped to OrgChart Access Groups.
7. Click on Save.
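Both mapping procedures above (Group Claim Object IDs and App Role values) come down to the same thing: OrgChart reads the values of one attribute from the SAML assertion and looks each one up in the table you built with Add group mapping. The following Python script is an added example, not OrgChart's or Entra ID's own code; it parses a constructed sample assertion, checks that the required name and email claims are present, and resolves the configured group attribute against a constructed mapping table. The claim names used are the Entra ID defaults and are assumed here; confirm yours in Attributes & Claims.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed claim names (Entra ID defaults); confirm them in Attributes & Claims.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Constructed mapping table: placeholder Object IDs, not real tenant values.
GROUP_MAPPING = {
    "11111111-1111-1111-1111-111111111111": "OrgChart Admins",
    "22222222-2222-2222-2222-222222222222": "OrgChart Viewers",
}
# Constructed sample assertion; the second group ID is deliberately unmapped.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
<saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.iterfind("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return attrs


def missing_required_claims(attrs, required=(NAME_CLAIM, EMAIL_CLAIM)):
    """Claims a user needs to log in at all; any listed here blocks sign-in."""
    return [claim for claim in required if not attrs.get(claim)]


def resolve_access_groups(attrs, mapping=GROUP_MAPPING, group_claim=GROUP_CLAIM):
    """Map each value of the group/role claim to an OrgChart Access Group.
    Values absent from the table are ignored: a group or role you never
    mapped in OrgChart grants nothing."""
    return sorted({mapping[v] for v in attrs.get(group_claim, []) if v in mapping})


if __name__ == "__main__":
    parsed = read_attributes(SAMPLE_ASSERTION)
    print(missing_required_claims(parsed), resolve_access_groups(parsed))
```

For the App Role variant, pass the claim name you chose (e.g. Role) and a table keyed by Role Value instead of Object ID; the lookup is otherwise identical.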
Update User Info with Additional Attributes
Administrators can auto-populate and update a user's User Info panel using additional SAML Attributes in Entra ID.
Add Additional Attributes to the SAML Assertion
Generally, name and email are already included in your Entra ID SAML Assertion. If you don't see the desired attribute listed in the Attributes & Claims section, follow these steps:
1. Open the OrgChart SSO application in Entra ID.
2. Click on the Single Sign-On tab in the left hand menu, and then click to edit the Attributes & Claims.
3. Click on the +Add new claim button.
4. Enter a name for the claim (e.g. FullName).
5. Click on the Attribute radio button, and then select the source attribute you'd like to be emitted with this claim (e.g. user.displayname).
Find the Claim Name
In the Attributes & Claims section, locate the claim names associated with the attributes you'd like to use to update name and email in the OrgChart User Information panel. Copy and paste the full claim name into a separate document.
Map the Attributes in OrgChart
1. Click on the Settings button in the bottom right corner, and then select the Account Settings option from the list.
2. Select the Authorization option from the top panel and scroll down to the SSO Configuration heading and click on the +Add SSO Configuration button.
3. The SSO configuration panel is displayed.
4. Copy and paste the claim name associated with the email SAML Attribute into the SAML Email Attribute text box.
5. Copy and paste the claim name associated with the Name SAML Attribute into the SAML Name Attribute text box.
6. Click on Save. When a user signs into OrgChart via SSO, the user information panel is updated automatically.