When you enable Single Sign On (SSO) with Gtmhub, you determine who can log in to the account from the application assignments in your Identity provider. This helps you centralize application access management as well as deliver better security.

By default, with SSO enabled, you control who can access Gtmhub from your Identity provider, and you you assign user roles in your Gtmhub account. You can automate the role assignment based on your user group membership in the Identity Provider, thus centralizing the entire user management process. This article describes the behavior of automatically assigning roles based on IdP groups, and provides best practice instructions on setting it up in your account.

Prerequisites

Your Identity provider must must send an attribute in the named groups in the SAML assertion. The attribute value must be the names* of groups assigned to the user.

If your IdP supports it, it's a good practice to filter the list and send only the groups that are assigned to the application.

How it works

You configure groups to roles mapping rules in your Gtmhub account. Every time a user logs in we check the value of their groups attribute and whether this value matches any of the rules you've configured. When it does we will apply changes to the user roles accordingly.

Setting up

To set up automated role assignment rules follow these steps:

  1. Go to your Gtmhub account -> Settings

  2. Click on Single Sign On in the Configuration tab

  3. Click on the 3 dots in the upper right corner of your connection and select Roles mapping

    NOTE: If your account has SSO enabled, and you do not see a connection under Single Sign On, but you see this screen instead

    contact the Gtmhub Technical Support team to get this sorted out.

  4. Specify your Identity Provider group name on the left-hand side and select the corresponding Gtmhub role you'd like to assign members of that group to.

    Once ready click on Save AD mappings.

Default role mapping

By default, when a user is logging in to Gtmhub from an SSO connection, if they do not exist in the account they will be automatically created. If they do not match any automated role assignment rules, they will be assigned to the user role. You can change this behavior and specify a different default role for auto-provisioned SSO users. Contact the Gtmhub Technical Support team to request this.

Specifics

When you remove a user from a group in your IdP, Gtmhub will not remove the role. The automated role assignment rules you configure can only add new roles to a user.

When a user matches more than one rule, all matching rules are applied.

For example, if you configured that all members of the Everyone group get the user role in Gtmhub, and members of OKR Champs group get the admin role, if a user belongs to both groups in your IdP, they will get both user and admin roles in Gtmhub.

A user can be either view-only or something else.

If you assign a user the view-only role in Gtmhub, all other role memberships will be cleared. If you then assign that same user another Gtmhub role, the view-only role will be cleared. The automated role assignment works the same way.

For example:

  • If you have a rule that puts members of the Everyone group in the user role, and a member of the Everyone role is logging in, if they already have the view-only role in Gtmhub, nothing will change - they will remain a member of view-only

  • If a user logs in, and they match several rules, one of them putting them in view-only, and another putting them in other role, the other role will take precedence.

* NOTE: Some Identity providers, for example Azure AD do not send the name of the group via SMAL. They send its ID instead. Take this into consideration when configuring your groups to roles mapping in Gtmhub and use the group ID instead.

Did this answer your question?