Set group mapping
For individual user groups, automatic mapping can be configured to ensure that remote users are automatically assigned (mapped) to groups based on information from the remote user source (AD/ADFS/OIDC).
(For local users, who are manually created by an administrator or via API, group membership must also be assigned manually by the administrator or via API.)
When automatic group mapping is used, default group settings are ignored, see: Default permissions of new users.
The following form is used to configure automatic mapping for a specific group in the application:
This mapping configuration consists of rules that define which users from which remote source should be automatically mapped to the group.
Existing rules in this list can be edited or deleted. New rules can be created using the "Add" button above the list, which opens the following dialog:
When creating a new mapping rule, the following parameters must be specified:
Remote Directory
Select the remote user source for which this mapping rule applies. The options include:
Active Directory – Traditional connection to AD via LDAP.
ADFS – Connection to AD through Active Directory Federation Services, a federated SSO portal.
Specific OIDC source – Connection to a modern OpenID Connect-compatible source (e.g., Google, Microsoft Azure, etc.).
The remote directory should already be fully functional, correctly configured, and tested in the application before using mapping.
Remote Attribute
Specifies the attribute in the remote directory that contains the group information for mapping. The typical attributes for each remote source are:
Active Directory: Group membership is held in the "memberOf" attribute, so this is the recommended attribute. Note that "memberOf" lists only direct memberships: groups the user belongs to through nested groups, and the user's primary group (usually "Domain Users"), are not included, so a rule must name a group the user is a direct member of.
ADFS: Group membership is usually delivered in the "group" claim, so this is the recommended attribute. The claim is only present if the ADFS claim rules issue it, and the claim rule also determines whether the values are distinguished names, plain group names or SIDs; the Remote Group value below must use the same format.
OIDC: The attribute depends on the specific OIDC source. In Microsoft Entra ID (formerly Azure AD), for example, group membership is delivered in the "groups" claim, which must be enabled in the application's token configuration. If a user belongs to more groups than fit in the token (200 for JWT tokens), Entra omits the "groups" claim and emits "_claim_names" and "_claim_sources" pointing to a Graph lookup instead, so such a user will not match any rule evaluated from the token alone.
Remote Group
Specifies the exact remote group that will be searched for within the remote attribute.
For AD and ADFS, this is typically a distinguished name (DN), such as: "CN=sofie-default,OU=Test,DC=ad,DC=sonpo,DC=cz". A DN changes whenever the group is renamed or moved to another OU; after such a change the rule no longer matches and must be updated.
For OIDC, the format depends on the specific source. In Microsoft Entra ID (Azure AD), for example, groups are identified by their object ID (a UUID), such as: "a46edf67-5c31-4527-b63e-56cbe6dd66a5". Unlike a DN, the object ID does not change when the group is renamed.
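The following is an added example, not the application's own implementation, showing how a mapping rule built from the three parameters above (remote directory, remote attribute, remote group) is evaluated against the data a remote source returns for a user. It covers the cases an administrator usually trips over: a DN written with different case or spacing than AD returns, a user with a single group whose "memberOf" arrives as a bare string rather than a list, an Entra object ID in upper case, and the Entra group-overage token that carries "_claim_names" instead of "groups". The rule and user records are constructed test data; the group names, the "entra" source name and the function names are assumptions for the example.

```python
"""Evaluate automatic group-mapping rules against remote user data.

Added illustrative example; it is not the application's own code. A rule
carries the three fields from the mapping dialog (remote directory, remote
attribute, remote group). All user records below are constructed test data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    local_group: str       # application group the user is mapped to
    remote_directory: str  # "AD", "ADFS" or the name of an OIDC source
    remote_attribute: str  # "memberOf", "group", "groups", ...
    remote_group: str      # DN for AD/ADFS, object ID (UUID) for Entra ID


def normalize_dn(dn: str) -> str:
    """Canonical form of an LDAP DN for comparison.

    AD compares DNs case-insensitively and ignores whitespace around the
    commas separating RDNs, so "cn=X, ou=Y" must match "CN=X,OU=Y".
    A comma escaped with a backslash is part of a value and is kept.
    """
    rdns = [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]
    return ",".join(rdns).lower()


def normalize_group(directory: str, value: str) -> str:
    """Normalize a group identifier according to the source that issued it."""
    if directory in ("AD", "ADFS"):
        return normalize_dn(value)
    return value.strip().lower()  # UUID hex digits compare case-insensitively


def attribute_values(attributes: dict, name: str) -> list:
    """Return an attribute as a list: LDAP clients and token libraries often
    hand back a single-valued attribute as a bare string, and a user in
    exactly one group must still match."""
    value = attributes.get(name)
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def groups_claim_omitted(attributes: dict, name: str) -> bool:
    """Entra ID group overage: the groups claim is missing and "_claim_names"
    points at a Graph lookup instead. Treating that as "member of nothing"
    would silently strip the user's mapped groups."""
    return name not in attributes and name in attributes.get("_claim_names", {})


def evaluate_rules(user: dict, rules: list) -> set:
    """Return the set of local groups the user is mapped to.

    user = {"directory": <source name>, "attributes": {<attr>: value, ...}}
    Raises LookupError on group overage so the caller can fall back to a
    directory lookup instead of un-mapping the user.
    """
    directory, attributes = user["directory"], user["attributes"]
    mapped = set()
    for rule in rules:
        if rule.remote_directory != directory:
            continue  # a rule applies only to the source it was written for
        if groups_claim_omitted(attributes, rule.remote_attribute):
            raise LookupError(f"{rule.remote_attribute!r} omitted from token (group overage)")
        wanted = normalize_group(directory, rule.remote_group)
        present = {normalize_group(directory, v)
                   for v in attribute_values(attributes, rule.remote_attribute)}
        if wanted in present:
            mapped.add(rule.local_group)
    return mapped


# Constructed rules. The second AD rule differs from the DN that AD returns
# only in case and spacing, which must not prevent a match.
RULES = [
    MappingRule("users", "AD", "memberOf", "CN=sofie-default,OU=Test,DC=ad,DC=sonpo,DC=cz"),
    MappingRule("administrators", "AD", "memberOf",
                "cn=domain admins, cn=users, dc=ad, dc=sonpo, dc=cz"),
    MappingRule("users", "entra", "groups", "A46EDF67-5C31-4527-B63E-56CBE6DD66A5"),
]

# Constructed sample users (not real directory data).
AD_USER = {"directory": "AD", "attributes": {
    "sAMAccountName": "jnovak",
    "memberOf": ["CN=sofie-default,OU=Test,DC=ad,DC=sonpo,DC=cz",
                 "CN=Domain Admins,CN=Users,DC=ad,DC=sonpo,DC=cz"]}}
AD_SINGLE_GROUP_USER = {"directory": "AD", "attributes": {
    "sAMAccountName": "ksvobodova",
    "memberOf": "CN=sofie-default,OU=Test,DC=ad,DC=sonpo,DC=cz"}}
ENTRA_USER = {"directory": "entra", "attributes": {
    "sub": "user-1", "groups": ["a46edf67-5c31-4527-b63e-56cbe6dd66a5"]}}
ENTRA_OVERAGE_USER = {"directory": "entra", "attributes": {
    "sub": "user-2", "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "<graph lookup URL>"}}}}

if __name__ == "__main__":
    for u in (AD_USER, AD_SINGLE_GROUP_USER, ENTRA_USER, ENTRA_OVERAGE_USER):
        try:
            print(u["attributes"].get("sAMAccountName") or u["attributes"]["sub"], evaluate_rules(u, RULES))
        except LookupError as exc:
            print(u["attributes"]["sub"], "cannot be evaluated:", exc)
```

The overage case is raised rather than returned as an empty set on purpose: an empty result would look like "the user left all groups", and a sync job acting on it would remove access instead of flagging that the token did not carry the membership data.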