Once your identity provider is created, you need to manage its role mappings. When a user logs in, they are assigned PADS4 roles according to the mapping you configure between identity provider user groups and PADS4 roles.

1. Configure mappings

In order to configure these mappings:
  • On your newly created identity provider, click on “Identity mappings”
  • On the “Role mappings” tab, click on “New” to create a new role mapping
  • On the role mapping form, you will have to fill in two fields:
    • The SSO provider group – which relates to the user group claim that you configured on the external identity provider
    • The PADS4 roles – which determine the roles assigned to a user based on the external identity provider group they belong to
  • Select an SSO Provider for your role mapping
    • If the SSO Provider group you expect is not yet created, you can click on the “New SSO Group” button to add another group in the list
  • The SSO Group Name is only a label that helps you remember which group you created
  • The SSO Group id should correspond to the group claim value that you set up in the claims configuration of the external identity provider
    • By default, the group claim value is:
      • The user group id for Azure
      • The user group name for Okta
Once this SSO group is filled in, click on “Create” to save the group, then select the group on your role mapping creation form.
  • Select roles on PADS4
Here you will have to select the roles that will be assigned to the user if the user is a member of the SSO group provided. If a role is missing, you can click on the “New role” button to create a new role and select it right after.
  • Then click on the “Create” button to save the role mapping.
  • Repeat this process for each external identity provider user group that you want to allow into the application.
If a user from your external identity provider is a member of a group that is unknown to the role mapping table, this user will have no rights on the application by default.
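The lookup described above, as an added illustration that is not PADS4's own code: it reads the group claim from a decoded SAML assertion and reports which values hit a role mapping and which grant nothing. The claim name is Azure's default groups claim; the group ids, role names, exact-match comparison and union of roles across groups are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AZURE_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: Azure-style fragment whose group claim carries group ids.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AZURE_GROUP_CLAIM}">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed role mapping table: SSO Group id -> PADS4 roles (hypothetical names).
ROLE_MAPPINGS = {
    "11111111-1111-1111-1111-111111111111": {"Content Editor"},
    "22222222-2222-2222-2222-222222222222": {"Administrator"},
}

def group_claim_values(assertion_xml, claim_name):
    """Values of the claim mapped to GroupIds. Offline inspection of an
    already-decoded assertion only: no signature validation is done here."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values

def resolve_roles(group_values, mappings):
    """Return (roles, unmapped). Unmapped groups grant nothing (default deny)."""
    roles, unmapped = set(), []
    for group in group_values:
        if group in mappings:  # assumption: exact, case-sensitive match
            roles |= mappings[group]
        else:
            unmapped.append(group)
    return roles, unmapped

if __name__ == "__main__":
    ids = group_claim_values(SAMPLE_ASSERTION, AZURE_GROUP_CLAIM)
    roles, unmapped = resolve_roles(ids, ROLE_MAPPINGS)
    print("roles:", sorted(roles), "unmapped:", unmapped)
    # A group *name* (Okta default) checked against a table of Azure ids maps to nothing.
    print(resolve_roles(["PADS4-Editors"], ROLE_MAPPINGS))
```

Running it against a captured assertion before go-live shows whether the SSO Group id values you entered match what the provider actually sends (ids for Azure, names for Okta).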

2. Update identity provider claims (optional)

If you are creating your identity provider from a custom SAML 2.0 external identity provider, or if you want to extend or update your claim attributes, you might want to edit the claims mapping on the PADS4 identity provider you created. In order to update those claims, you will need to:
  • On your newly created identity provider, click on “Identity mappings”
  • Then switch to the “Claims” tab.
If you created your identity provider from Azure or Okta, you might find some default claim mappings here that you can modify if required.
  • Here you can either create a new claim or update an existing one. If you create a new claim, you will have to fill in the following information:
    • The claim name – which relates to the claim name that will be retrieved from the SAML response
    • The local attribute – which determines the property that will be filled in with the claim value when the PADS4 user is created
  • The local attribute can only be chosen from the fixed list of PADS4 user properties below
Local attribute | Description
GroupIds | Relates to the group ids retrieved for the role mapping association logic
FirstName | Relates to the first name property of the PADS4 user
SID | Relates to the last name property of the PADS4 user
EmailAddress | Relates to a unique key that is the link between the user in the external identity provider and the user in PADS
Name | Relates to the email property of the PADS4 user
DisplayName | Relates to the login property of the PADS4 user
NFC | Relates to the NFC property of the PADS4 user