User Group Mapping is a quick and efficient way to place users into groups when they log in using an SSO integration. With this capability, Tovuti "searches" a user's SSO profile and, depending on the attributes found, enrolls the user into the corresponding User Group.
Before beginning, it is highly recommended to disable User Group Mapping while configuring. When ready to begin testing or go live, it can be enabled.
Go to Configuration > click Single Sign-On > select an existing SSO integration or click New.
For information on configuring a new SSO integration, view the Help Center article here.
Go to the User Group Mapping tab. Each field will be described below the image.
1. Update User Groups on Every Login - designates whether a user's User Group information is updated only the first time they log in or on every subsequent login.
*Note: It is recommended to disable this toggle while testing and enable it when ready to go live.
2. Default User Group - the primary group this user will belong to.
*Note: Default should remain "Registered." "Registered" is a required User Group without which a user cannot successfully log in.
3. Group Attribute Name - the attribute that maps the user to these groups. Tovuti will search for the Group Attribute Name or ID when the user logs in using SSO.
The group attribute name is found in the SSO's directory.
*Note: the attribute above is for groups and not profile fields. For information on profile mapping, see the Help Center article here.
4. Add another User Group - press the green '+' to add additional user groups that users will be added to when they log in.
5. Choose an additional User Group
*Note: Utilizing SSO User Group Mapping for User Group Management overrides User Groups assigned in the User Manager. If you plan to use this feature, make sure to include roles such as "Sub-Administrator" and "Site Administrator" in this configuration.
If these roles are not included, the mapping logic treats them as "unnecessary," overrides the User Manager, and removes a user logging in with SSO from these groups. This includes admin user groups.
6. IDP Group/Role Identifier - link or role name that maps this group.
*Note: If the corresponding IDs or attributes are not found when logging in, the user will not be added to the User Group.
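As an added illustration (not Tovuti's code), the Python sketch below models the override behavior described in the notes above so a mapping can be checked before go-live: it lists users who would lose "Site Administrator" or "Sub-Administrator" on their next SSO login. It assumes the Default User Group is always kept; the identifiers `lms-learners`, `lms-subadmins` and `lms-admins`, the "Learners" group and the sample users are hypothetical stand-ins for your IdP's values.

```python
# Added illustration: a simplified model of the mapping behaviour described on
# this page, not Tovuti's code. All names and sample data are constructed.
PRIVILEGED = {"Site Administrator", "Sub-Administrator"}  # roles named in the note

def groups_after_login(current, idp_values, mapping, default="Registered",
                       update_every_login=True, first_login=False):
    """Return the user's groups after an SSO login.

    current    -- groups assigned in the User Manager before login
    idp_values -- values of the Group Attribute in the user's SSO profile
    mapping    -- {IDP Group/Role Identifier: Tovuti User Group}
    """
    if not (update_every_login or first_login):
        return set(current)        # toggle off: later logins change nothing
    # Only identifiers present in the SSO profile add their group.
    mapped = {grp for ident, grp in mapping.items() if ident in idp_values}
    return {default} | mapped      # groups outside the mapping are dropped

def audit(users, mapping, **kw):
    """List (user, privileged groups that would be removed) before go-live."""
    findings = []
    for name, (current, idp_values) in sorted(users.items()):
        after = groups_after_login(current, idp_values, mapping, **kw)
        lost = (set(current) - after) & PRIVILEGED
        if lost:
            findings.append((name, sorted(lost)))
    return findings

# Constructed sample: (User Manager groups, Group Attribute values from the IdP).
USERS = {
    # alice's IdP profile carries the admin identifier; bob's lacks his role's.
    "alice": ({"Registered", "Site Administrator"}, {"lms-learners", "lms-admins"}),
    "bob": ({"Registered", "Sub-Administrator"}, {"lms-learners"}),
}
# Mapping that omits the admin role, and the corrected mapping that includes it.
INCOMPLETE = {"lms-learners": "Learners", "lms-subadmins": "Sub-Administrator"}
COMPLETE = dict(INCOMPLETE, **{"lms-admins": "Site Administrator"})

if __name__ == "__main__":
    for label, mapping in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(label, audit(USERS, mapping))
```

In this model, bob is flagged under both mappings because his SSO profile does not carry the identifier for his role, so adding the role to the mapping is only half of the fix.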