How to assign learners to teams via the SSO feature
Understanding Team Mapping
Team assignment via SSO automatically connects a user’s info to their assigned team. A team is a group of users from your organization that will be assigned to the same training scenarios. Learn more about teams here.
Using SSO with Team Mapping will require minimal effort to configure/implement and does not require new user accounts to be created before they sign in - they will be provisioned the first time they sign in and added to the appropriate Portal teams.
Note: All Learners must be assigned to a team. Because of this, you'll need to create a Team before you add learners.
- If team mapping is enabled, when users sign in to Mursion for the first time, their account will be created and they will be automatically assigned to teams based on the team mapping rules in the Configuration.
Account Owners will not need to edit or create learner accounts in this case. - If team mapping is NOT enabled, when users sign in to Mursion for the first time, their account will be created, but they will not be automatically assigned to teams.
A learner must be assigned to a team to access Mursion scenarios, meaning the account owner would have to manually assign the learner to a team before the learner can actively use Mursion.
Alternatively, the account owner can create learner accounts manually and assign them to teams in advance. When the learner authenticates through SSO for the first time, they will have access to the team-assigned content immediately.
Team Claim Name
- The name of the claim that contains the value that should be used for team assignment will be specified in the SSO configuration and referred to as the Team Claim Name.
- Any user info claim can be specified as the Team Claim Name.
SAML 2.0
The following attribute-value structures are supported:
- Singular Value
- Single AttributeValue element that specifies a single value
- Multiple Nested Values
- Multiple AttributeValue child elements under the SAML attribute
- Singular Delimited Value
- Single AttributeValue element with multiple, delimiter-separated values. The following delimiters are supported: semi-colon [;], comma [,], and pipe character [|].
Singular Value
Single AttributeValue element that specifies a single value.
<saml:AttributeStatement> <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group1</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> |
Multiple Nested Values
Multiple AttributeValue child elements under the SAML attribute
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group1</saml:AttributeValue> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group2</saml:AttributeValue> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group3</saml:AttributeValue> </saml:Attribute> |
Singular Delimited Value
Single AttributeValue element with multiple, delimiter-separated values. The following delimiters are supported: semi-colon [;], comma [,], and pipe character [|].
<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group1;Group2;Group3</saml:AttributeValue> </saml:Attribute> |
OAuth 2.0/OIDC
The following claim value structures are supported:
- String value
- Array value
String Value
{ <other claims> "groups": "Group1,Group2" } |
Array Value
{ <other claims> "groups": [ "Group1", "Group2" ] } |
Team Claim Value to Portal Team Mapping
A mapping of Team Claim values to Portal Teams can be specified in the SSO configuration.
User Flows
User Does Not Exist
- When a user signs in through SSO and does not exist in Mursion Portal, the user will be created and assigned the Learner role.
- The claim specified as the Team Claim Name will be retrieved from the user’s info.
- The Team Claim value and the Team Claim value to Team mappings are used to determine the Portal Team(s) that the learner should be added to.
- The learner is added to each Portal Team specified by the external group value(s).
User Exists
- When a learner signs in through SSO and the learner exists in Mursion Portal, the claim specified as the Team Claim Name will be retrieved from the user’s info.
- The Team Claim value and the Team Claim value to Team mappings are used to determine the Portal Team(s) that the learner should be added to.
- The learner will be added to the Teams that the learner is not a member of.
- Example 1: if the Team Claim value specifies the values Group1, Group2, and Group3, the learner will be added to Team B
- Example 2: If the Team Claim value specifies the value Group 1, the learner’s teams will remain unchanged since the learner is already a member of Team A.
- Example 3: If the Team Claim value specifies no values, the learner’s teams will remain unchanged.
- For example, given the Team Claim Value to Portal Team mappings below and a learner is already a member of Team A and Team C in Portal:
Portal Team |
Team Claim Value |
Team A |
Group1 |
Team B |
Group2 |
Team C |
Group3 |