Managing user groups using IdP

Learn how to enable user group management through your Identity Provider (IdP).

In the case of OIDC / SAML providers, user groups and assignments can be exclusively managed externally using the IdP. This means that user groups can only be added or modified by the IdP, and the assignment of users to groups can solely be performed through the IdP. However, you still retain the capability to assign policies to users and groups within Edge Flow Manager (EFM).
Ensure that you have configured the following parameters appropriately:
For OIDC:
  • efm.security.user.oidc.scopes
  • efm.security.user.oidc.groupAttribute

For more information, see Configuration of OpenID Connect SSO.

For SAML:
  • efm.security.user.saml.groupAttribute

For more information, see Configuration of SAML 2.0 SSO.

Steps

To enable Group Management by IdP, set the following properties in the efm.properties file:
efm.security.user.auth.groups.manager=EXTERNAL
efm.security.user.auth.groups.filter=.*
Where,
  • efm.security.user.auth.groups.manager

    Indicates how user group management is handled: either internally or externally. When the value is set to EXTERNAL, user group management is handled by IdP. When the value is set to INTERNAL, EFM disregards any group information received from the IdP. The default value is INTERNAL.

  • efm.security.user.auth.groups.filter

    Users might be assigned to multiple groups on the IdP side, but EFM may only need to consider a few of these groups. You can use a regular expression to define which groups should be registered in EFM. The regex allows you to specify a pattern, and only the groups that match the defined pattern will be registered in EFM.