Associating SSO groups with Brightspot roles
In most scenarios, single sign-on servers associate users with groups. Similarly, most publishers associate Brightspot users with roles. As a best practice, you should associate the SSO groups with the corresponding Brightspot roles. This practice ensures that when a user successfully logs in through single sign-on, Brightspot associates the user with the correct role.
Caution
If a group on the SSO server is not associated with a Brightspot role, all users associated with that group are denied login to Brightspot (even if they pass authentication on the SSO server). Ensure all groups on the SSO server are appropriately associated with Brightspot roles.
Warning
If you do not configure any group-role associations, then any user passing SSO authentication is granted the default role configured in Global Settings > Main > Default Role. If no such default role is configured, then the user is granted the administrator role with full permissions. Ensure you configure at least one group-role association.
To associate SSO groups with Brightspot roles:
- Click > Admin > Sites & Settings.
- Under Legacy Settings, click Saml.
- In the Name field, enter a name for this setting, or retain Saml as the default. (The URL field is not used.)
- Under Groups to Roles, do the following:
Click .
- In the Group field, enter a group existing on the SSO server.
- In the Role field, select an existing Brightspot role.
- Repeat steps a–c to associate additional groups to roles.
- Click Save.
Referring to the previous illustration, a user signing on through SSO and who has the group ssoBrightspotEditors
receives all the permissions in Brightspot associated with the role editor
.
Previous Topic
Single sign-on and SAML
Next Topic
Integrating single sign-on