How to Configure SSO to contain IDP driven company roles that can be mapped to One Model roles.
Core to One Model’s vision is to automate everything and let you focus on deploying and leveraging people analytics data to drive business outcomes. To do this you need to get insights into the hands of decision makers, which involves role based security. One Model has created the world’s leading people analytics role based permission framework and we have further extended this framework to allow for the automatic assignment of One Model roles based on your company’s identity provider (IDP) as a part of Single-Sign-On (SSO).
Overview of how it works
- Customers can send through a new SAML property, when a user SSOs into One Model, to specify a customer role defined within their own IDP (e.g. Active Directory). Examples of roles could be Executive, HRBP, LineManager etc.
- Customer admins manage their role mappings within One Model admin.
- When the user logs into One Model, the application automatically assigns the associated Application Access Roles and Data Access Roles for that user based on their company defined role mapping.
The Technical Details
To add the role definition to your company SSO configuration your IT team can simply add the additional SAML attribute for ‘roleId’.
Below is an example showing attribute values for one role - Executive and sample data that would need to be changed to be specific for your particular SSO and IDP configuration:
<saml2:Attribute Name="roleId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">Executive</saml2:AttributeValue>
</saml2:Attribute>
Below is an example showing attribute values for two roles - Executive and Finance and sample data that would need to be changed to be specific for your particular SSO and IDP configuration:
<saml2:Attribute Name="roleId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">Executive</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">Finance</saml2:AttributeValue>
</saml2:Attribute>
You can make changes to the SAML attribute to send through a single role or add additional Attribute Values for additional roles.
Troubleshooting:
If you have followed all of the steps, including the setup steps for your specific system (e.g. Google, Microsoft etc.), check that the Name of the <saml2:Attribute Name="roleId" element does not include any "http:" prefix and strictly contains only the role Id.
For Example:
<saml2:Attribute Name="finance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
NOT
<saml2:Attribute Name="http://www.w3.org/2001/XMLSchema.finance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
One Model Configuration Steps
To turn on the functionality, open the One Model Company Admin page and go to the SAML Integration section. Below is a screenshot of the new settings.
1. Stepping through the settings, there are three radio buttons at the start:
- The first option is to not use this feature.
- The second option is to turn on this new feature using default settings.
- The third option is for customers that have to use a SAML attribute tag other than ‘roleId’, providing an option to enter a custom tag definition.
2. In order for company defined roles included in SSO to trigger a One Model role assignment, the roles need to be mapped. When you enable the feature you can map the roles defined by your company with one or more One Model roles. If a user is assigned a company role that is not defined in the mapping table that role will be populated in the table awaiting mapping, but the user will not have any One Model permissions until that mapping has been performed.
3. To configure the mapping between Customer Roles and One Model roles, click the ‘Create New’ link, or the ‘Edit’ link to modify an existing mapping. Then enter the name of the Customer Role that will be sent via SSO and check the One Model Application Access and Data Access Roles to be associated with this Company defined role.
After pressing the ‘Done’ button this is how the table looks:
You can then continue to add more Company roles and One Model mappings as additional lines in the table.
4. Users that have their login details automatically created for them via SSO will inherit the roles defined in the preceding steps. If you have particular users that require specially crafted roles not covered by the Company roles, individual users can be exempted from using the mapped Customer Roles on the User Admin page. Exempt users will still be allowed to log in via the existing SSO or manual username and password options. Otherwise, to leverage the new capability, select the first two checkboxes as per the screenshot below.
NB: To be non-disruptive in enabling this new capability and allowing customers to phase in the implementation of the new Company defined role configuration, a company that has existing users will retain their current User level settings.
Action required: To enable the new capability for existing users you will need to check the box (per the above screenshot) for those users. Please contact One Model support for guidance and assistance configuring this for your company.
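The following is an added illustration, not One Model's own code, of the behaviour described in the SAML attribute section, the troubleshooting note and the mapping steps above: it pulls the roleId AttributeValues out of an assertion, rejects an attribute whose Name has been prefixed with a URI by the IDP, and resolves the company roles through a mapping table where unmapped roles are parked awaiting an admin and grant nothing. The assertion, the mapping table and the One Model role names (AppRole-A, DataRole-A) are constructed placeholders; signature verification of the assertion is assumed to have happened upstream.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion: the IDP sends two company roles for this user.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="roleId"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xsi:type="xs:string">Executive</saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">Finance</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Hypothetical mapping table as an admin would maintain it: company role ->
# One Model Application Access and Data Access roles (placeholder names).
ROLE_MAP = {"Executive": {"app": ["AppRole-A"], "data": ["DataRole-A"]}}
PENDING_MAPPING = set()  # company roles seen in SSO but not yet mapped


def extract_company_roles(assertion_xml, attribute_name="roleId"):
    """Return the AttributeValues of the role attribute (assumes the assertion
    signature was already verified). Raises if the IDP namespaced the Name."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name", "")
        if name == attribute_name:
            values = attr.findall(f"{{{SAML2}}}AttributeValue")
            return [v.text.strip() for v in values if v.text]
        # The troubleshooting case: a URI-prefixed Name is not the bare tag,
        # so it will never match and must be corrected at the IDP.
        if name.startswith("http") and name.endswith(attribute_name):
            raise ValueError(f"role attribute Name is namespaced: {name!r}")
    return []


def resolve_roles(company_roles, exempt=False):
    """Map company roles to One Model roles. Unmapped roles are recorded in
    PENDING_MAPPING and grant nothing; exempt users keep their own settings."""
    if exempt:
        return None  # caller leaves the user's individually assigned roles alone
    granted = {"app": set(), "data": set()}
    for role in company_roles:
        if role in ROLE_MAP:
            granted["app"].update(ROLE_MAP[role]["app"])
            granted["data"].update(ROLE_MAP[role]["data"])
        else:
            PENDING_MAPPING.add(role)
    return granted
```

With the sample above, Finance is unmapped, so the user receives only the Executive roles and Finance appears in the pending set for the admin to map.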