Managing user groups using IdP

In the case of OIDC / SAML providers, user groups and assignments can be exclusively managed externally using the IdP. This means that user groups can only be added or modified by the IdP, and the assignment of users to groups can solely be performed through the IdP. However, you still retain the capability to assign policies to users and groups within Edge Flow Manager.

Ensure that you have configured the following parameters appropriately:

For OIDC:

efm.security.user.oidc.scopes
efm.security.user.oidc.groupAttribute

For more information, see Configuration of OpenID Connect SSO.

For SAML:

efm.security.user.saml.groupAttribute

For more information, see Configuration of SAML 2.0 SSO.

To enable Group Management by IdP, set the following properties in the efm.properties file:

efm.security.user.auth.groups.manager=EXTERNAL
efm.security.user.auth.groups.filter=.*

Where,

efm.security.user.auth.groups.manager
It indicates how user group management is handled: either internally or externally. When the value is set to EXTERNAL, user group management is handled by IdP. When the value is set to INTERNAL, Edge Flow Manager disregards any group information received from the IdP. The default value is INTERNAL.
efm.security.user.auth.groups.filter
Users might be assigned to multiple groups on the IdP side, but Edge Flow Manager may only need to consider a few of these groups. You can use a regular expression to define which groups should be registered in EFM. The regex allows you to specify a pattern, and only the groups that match the defined pattern will be registered in Edge Flow Manager.