If your Asset Bank is configured to integrate with SAML SSO or an LDAP server you will be able to map user groups to your internal (i.e. "remote") groups so that your users will be automatically assigned to the relevant Asset Bank groups when logging in.
How it works
When users are retrieved from the LDAP server Asset Bank will look at the 'memberOf' field of the user. This means that the group mapping feature only works with LDAP servers that support 'memberOf', for example Microsoft Active Directory. The memberOf field should contain the DNs of any groups that the user is a member of. Asset Bank then compares these with the DN information entered for any of its own groups. The user is automatically added to any groups that match.
When a user is authenticated via SAML SSO Asset Bank will retrieve the group parameter which has been mapped in the Identity Provider (please refer to the SAML options in the SSO knowledge base article) and automatically assign the user groups matching the 'Remote Group(s)' mapping.
Configuring group mappings
When adding or editing an Asset Bank group (Admin > Groups > "Group In Question" > ) you can specify the groups name or "DNs" of one or more remote groups in the 'Remote Group(s)' box.
To use multiple DNs in the 'Remote Group(s)' box, set the remote-group-mapping-delimiter setting in the ApplicationSettings.properties file (the default value is %%)
You can then use this character or string to delimit multiple groups name or DNs within a single 'Remote Group(s)' box.
To use wildcard matching set the remote-group-mapping-wildcard setting in the ApplicationSettings.properties file (the default value is *).
You can then use this character or string to act as a wildcard in the 'Remote Group(s)' box.
When using SAML SSO you would also need to enable the following setting in order to update the group assignment every time a user logs in via SSO:
Remote group mapping in Asset Bank
- Log in to Asset Bank as an admin user, navigate to Admin > Groups
- Select edit for the group you want to map to your SSO groups
- In the Remote Group (s) field enter the relevant value (group name, full LDAP CN, ec.) used for the associated group in your SSO provider and click save.
If this process is not working as expected then try the following:
- Check that you have entered the full group name or DN (Distinguished Name) of the LDAP group when editing the Asset Bank group.
- Check that the group field (e.g. 'memberOf') for a sample user does indeed contain the groups you expect. (The group in question should show a 'member' entry for each user)
It is useful to check the above values using a Java LDAP browser (such as JXplorer) or the SAML authentication response on the Asset Bank server.