Team Assignment via SSO

How to assign learners to teams via the SSO feature


Team assignment via SSO extends Just-In-Time provisioning so that a claim in the user’s info can specify the Portal team(s) that the user will be assigned to.

This option requires minimal effort to configure and implement, and it does not require new users to be provisioned before they sign in. They will be provisioned the first time they sign in and assigned to the appropriate Portal team(s) based on a claim in their user info that is returned through SSO.

Team Claim Name

  • The name of the claim that contains the value that should be used for team assignment will be specified in the SSO configuration and referred to as the Team Claim Name.
  • Any user info claim can be specified as the Team Claim Name. 

SAML 2.0

The following attribute-value structures must be supported: 

  • Singular Value
    • Single AttributeValue element that specifies a single value
  • Multiple Nested Values
    • Multiple AttributeValue child elements under the SAML attribute
  • Singular Delimited Value
    • Single AttributeValue element with multiple, delimiter-separated values. The following delimiters will be supported: semicolon [;], comma [,], and pipe character [|].

Singular Value 

Single AttributeValue element that specifies a single value.

<saml:AttributeStatement>
   <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group1</saml:AttributeValue>
   </saml:Attribute>
</saml:AttributeStatement>

Multiple Nested Values

Multiple AttributeValue child elements under the SAML attribute.

<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group1</saml:AttributeValue>
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group2</saml:AttributeValue>
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group3</saml:AttributeValue>
</saml:Attribute>

Singular Delimited Value

Single AttributeValue element with multiple, delimiter-separated values. The following delimiters will be supported: semicolon [;], comma [,], and pipe character [|].

<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
   <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Group1;Group2;Group3</saml:AttributeValue>
</saml:Attribute>

OAuth 2.0/OIDC

The following claim value structures will be supported:
  • String value
  • Array value

String Value

{
  <other claims>
  "groups": "Group1,Group2"
}

Array Value

{
  <other claims>
  "groups": [
    "Group1",
    "Group2"
  ]
}

Team Claim Value to Portal Team Mapping

A mapping of Team Claim values to Portal Teams will be specified in the SSO configuration.

Externally Managed Team Assignment

When the Team Claim Name is specified in an SSO configuration, the team assignment of the client’s SSO users will be considered externally managed. The following functionality/features will not be available when team assignment is externally managed:

  • Team assignment functionality for the client’s SSO users in the Portal will be disabled. The users on a team can still be viewed in the Portal; however, SSO users cannot be assigned to or removed from teams in the Portal.
  • Import External Users will not be available.

User Flows

User Does Not Exist

  • When a user signs in through SSO and the user does not exist in Mursion Portal, the user will be created and assigned the Learner role. 
  • The claim specified as the Team Claim Name will be retrieved from the user’s info. 
  • The Team Claim value and the Team Claim value to Team mappings are used to determine the Portal Team(s) that the learner should be added to.
  • The learner is added to each Portal Team that is specified by the external group value(s).

User Exists

  • When a learner signs in through SSO and the learner exists in Mursion Portal, the claim specified as the Team Claim Name will be retrieved from the user’s info. 
  • The Team Claim value and the Team Claim value to Team mappings are used to determine the Portal Team(s) that the learner should be added to or removed from.
  • The learner will be added to the specified Teams that the learner is not yet a member of and removed from any Teams that are not specified in the Team Claim value.
    • For example, given the Team Claim Value to Portal Team mappings below and a learner who is already a member of Team A and Team C in Portal:
      • Example 1: If the Team Claim value specifies the values Group1, Group2, and Group3, the learner will be added to Team B.
      • Example 2: If the Team Claim value specifies the value Group1, the learner will be removed from Team C.
      • Example 3: If the Team Claim value specifies no values, the learner will be removed from Team A and Team C.

| Portal Team | Team Claim Value |
|-------------|------------------|
| Team A      | Group1           |
| Team B      | Group2           |
| Team C      | Group3           |
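
The sketch below is an added example, not Mursion's implementation. It flattens the claim shapes described above (SAML singular, nested and delimited values; OIDC string and array values) into one set of group names and computes the add/remove sets for the User Exists flow, using the mapping from the table. The function names, whitespace trimming, exact case-sensitive matching, splitting on delimiters inside array elements, and ignoring (but reporting) unmapped values are assumptions.

```python
import re

# Delimiters the page lists for a singular delimited value: ; , |
_DELIMS = re.compile(r"[;,|]")

# Constructed sample mapping, copied from the example table on this page.
CLAIM_TO_TEAM = {"Group1": "Team A", "Group2": "Team B", "Group3": "Team C"}


def normalize_claim(raw):
    """Flatten a Team Claim value into a set of group names.

    raw is None (claim absent), a str (OIDC string value), or a list of str
    (OIDC array value, or the AttributeValue texts of a SAML attribute taken
    from an assertion whose signature has already been validated).
    """
    if raw is None:
        return set()
    items = [raw] if isinstance(raw, str) else list(raw)
    groups = set()
    for item in items:
        if not isinstance(item, str):
            # Reject nested objects or numbers instead of coercing them.
            raise TypeError(f"unexpected claim element: {type(item).__name__}")
        # Assumption: delimiters are also honoured inside list elements,
        # which covers a single delimited SAML AttributeValue.
        groups.update(p.strip() for p in _DELIMS.split(item) if p.strip())
    return groups


def reconcile(raw_claim, current_teams, mapping=CLAIM_TO_TEAM):
    """Return (to_add, to_remove, unmapped) for one SSO sign-in."""
    groups = normalize_claim(raw_claim)
    # Values with no configured mapping never create or grant a team.
    unmapped = {g for g in groups if g not in mapping}
    desired = {mapping[g] for g in groups if g in mapping}
    current = set(current_teams)
    return desired - current, current - desired, unmapped


if __name__ == "__main__":
    member_of = {"Team A", "Team C"}
    for claim in (["Group1", "Group2", "Group3"], "Group1", None):
        print(claim, "->", reconcile(claim, member_of))
```

Because an absent or empty claim removes every team membership (Example 3), an identity provider that stops releasing the claim will silently strip team access on each user's next sign-in; logging the `unmapped` set and empty-claim sign-ins makes that misconfiguration visible.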