When you configure your Devo domain to use the SAML or OpenID authentication methods, you can authorize roles created in the chosen identity provider (IDP) by mapping them to Devo roles defined in your domain. You can map multiple Devo roles to a single user role defined in your external identity provider.
You can access the Role mapping area in Administration → Roles → IDP role mapping. The screen is divided into two areas: the external roles you have defined appear on the left, and all the Devo roles available in your domain appear on the right. Learn below how to map and edit them.
To activate the IDP role mapping option, you must first access Preferences → Domain preferences → Authentication and enable the SAML or OpenID authentication methods.
Define a new external role
- First, define the required roles in your IDP. The process depends on the IDP you use, so check its product documentation.
- In the Devo Platform, go to Administration → Roles → IDP role mapping.
- Click Create in the External roles area. This is where you define the roles you created in your IDP and want to map to existing roles in your Devo domain. You must enter the following information:
Enter the name of the group/role created in your IDP. Note that the name must be exactly the same for the process to work. For example, if you created a group in your IDP and named it groups, that's the name you must enter in this field.
Group attribute statement
Note that the group attribute statement must be set to groups to make the role mapping work.
Enter an optional description of the role created.
Choose the authentication methods
You must choose the authentication method used (SAML, OpenID or both). Choosing at least one is mandatory. Note that the authentication method must be activated in your Devo domain to appear on this list.
Select the Devo roles to map to this external role
Choose the Devo role(s) to which you want to map the external role from the available ones in your domain. You can finish this process without selecting any Devo role and choose them later in the Devo roles area.
- Click Apply.
The newly created role will appear in the External roles area.
Manage your external roles
You can easily edit and delete external roles created in your domain in the External roles area. Any time you perform any modification, you must click the Save changes button before leaving the area.
If you disable an authentication method used in one of the defined external roles (SAML or OpenID), the roles assigned to that method will no longer appear in the External roles list. Activate the authentication method to see them again. Learn more in User authentication.
Edit an external role
To edit the name and description of an external role defined in your domain, hover over them and click the pencil icon that appears.
Delete an external role
To delete an external role, check the box next to it and click the X icon that appears at the top of the roles. To delete all your roles at once, check the box next to the search box and click the X icon.
Edit the Devo roles mapped to an external role
The Devo roles linked to a defined external role appear listed under the name and description of the external role. To unlink them from the external role, simply click the X icon next to each of them. Click the X at the right end of the dropdown box to delete all the roles assigned.
To add new Devo roles to an external role, you can open the dropdown list in the external role and select the Devo roles you want to add from the available ones.
You can also add Devo roles to a set of external roles or to all of them at once by checking the corresponding boxes and clicking this icon.
Note that if you add the Admin role to an external role along with any other roles, only the Admin role will be assigned. This is because the Admin role cannot be combined with any other roles in the Devo application. Learn more in Users and roles.
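The rules above (exact name match, the groups attribute statement, the enabled authentication method, and the Admin exception) can be checked offline before a mapping goes live. The following Python sketch is an added example, not Devo code or a Devo API: the mapping table, the role names other than Admin, and the function name are constructed, and it assumes that "exactly the same" means a case-sensitive match and that roles from several matching groups are combined.

```python
# Added illustration: a model of the mapping rules described on this page,
# not Devo's implementation. All names and sample data are constructed.

GROUP_ATTRIBUTE = "groups"  # the page requires this attribute statement name

# Constructed sample: external role name -> (auth methods, mapped Devo roles)
MAPPINGS = {
    "soc-analysts": ({"SAML"}, {"Analyst", "Viewer"}),
    "platform-admins": ({"SAML", "OpenID"}, {"Admin", "Analyst"}),
    "contractors": ({"OpenID"}, set()),  # created, no Devo role selected yet
}


def resolve_roles(claims, method, enabled_methods, mappings=MAPPINGS):
    """Return (effective_roles, warnings) for one login."""
    warnings = []
    if method not in enabled_methods:
        return set(), [f"{method} is not enabled in the domain"]
    groups = claims.get(GROUP_ATTRIBUTE)
    if groups is None:
        return set(), [f"assertion has no '{GROUP_ATTRIBUTE}' attribute"]
    if isinstance(groups, str):  # single-valued attribute
        groups = [groups]
    roles = set()
    folded = {name.strip().lower(): name for name in mappings}
    for group in groups:
        entry = mappings.get(group)  # assumption: exact, case-sensitive match
        if entry is None:
            near = folded.get(group.strip().lower())
            if near:
                warnings.append(f"'{group}' is not an exact match for '{near}'")
            continue
        methods, devo_roles = entry
        if method not in methods:
            warnings.append(f"'{group}' is not mapped for {method}")
        elif not devo_roles:
            warnings.append(f"'{group}' has no Devo roles mapped")
        else:
            roles |= devo_roles  # assumption: roles from all groups combine
    # Admin cannot be combined with other roles: only Admin is assigned.
    if "Admin" in roles and len(roles) > 1:
        warnings.append("Admin overrides the other mapped roles")
        roles = {"Admin"}
    return roles, warnings
```

Running it against the group claims your IDP actually sends shows which users would end up with Admin and which group names would silently map to nothing.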
Edit the external roles mapped to a Devo role
The roles available in your Devo domain appear at the right side of the screen, in the Devo roles area. Click this icon next to a role to see the external roles linked to it. To unlink them from the Devo role, simply click the X icon next to each of them. Click the X at the right end of the dropdown box to delete all the roles assigned.
To add new external roles to a Devo role, click the icon, open the dropdown list in the Devo role and select the external roles you want to add from the available ones.
In case you don't remember the permissions assigned to a specific role in your domain, you can click its name in the Devo roles area to see its details and permissions/resources assigned. You can also view and edit the external roles assigned to a Devo role in this view.