Mapping a Content Manager user group to claims forwarded by Access Management

In Content Manager Explorer, map a user group to a specific claim type and value that the external identity provider (IdP) provides and Access Management forwards on to Content Manager.

Before you begin

The following are needed to complete this task:

  • You are a member of a group with the System Administrator Privilege.
  • You know the exact claim type and claim value to be used in the group mapping, as the IdP emits them.
  • The claim type is defined as a forwarded claim in the IdP's configuration (you can also do this after completing this task).

About this task

To automatically assign Content Manager users to user groups when they log in to the system, you can map the user groups to claims that are available from the external identity provider (IdP). The authenticated user will become a member of a group if they have the required claims.

Note that this task applies to general system users only, that is, all users other than administrators. The System Administrator group is predefined with a mapping to the Administrator role in Access Management, so you do not need to create that mapping yourself.

Procedure

  1. Go to Administration > User Management > Groups and either create a new group or select an existing one for editing.
  2. Go to the Members tab for the group.
  3. At the bottom of the screen in the Group Mapping Configurations area, select Add.
  4. Do the following to define the forwarded claim that you are mapping to this group:
    Identity Provider
    Select Tridion.AccessManagement for any IdP that is configured through Access Management.
    Claim Type
    Enter the name of the claim as it is defined in the IdP (and also as defined in Access Management as a forwarded claim).
    Claim Value
    Enter the exact value that the claim will need to have in order for Content Manager to give the user this group assignment.
    Description
    Optionally, add text to describe the purpose of the mapping.

    The following example maps a user group called "Chief Editor" to any user whose Claim Type is "given_name" and whose Claim Value is the specified name.

    In this example, the group mapping requires that the IdP's configuration includes a forwarded claim for given_name. When Access Management redirects the user to Content Manager, it includes this claim in the access token, and Content Manager then has what it needs to grant the user the group-level permissions of a Chief Editor.

    Because membership is granted to every authenticated user whose forwarded claim carries exactly the configured value, the claim you choose is effectively an authorization decision. A personal attribute such as given_name can be shared by several users, so for a privileged group prefer a claim that the IdP administers for that purpose (for example, a group or role claim), and make sure the Claim Value matches the IdP's value exactly.

  5. Select Add to add the mapping.
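The following is an added illustration of the matching rule described above, not code from Content Manager or Access Management. It models a mapping as (identity provider, claim type, claim value) and grants a group only when the forwarded token carries that claim type with exactly that value. Exact, case-sensitive matching, the handling of multi-valued claims, and the "groups" claim name used in the alternative mapping are assumptions of this model.

```python
"""Hypothetical model of Content Manager's claim-to-group mapping.

Added example, not the product's own code. Assumptions: exact,
case-sensitive value matching; a claim may be a string or a list of
strings; a claim that was not forwarded simply never matches.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMapping:
    group: str
    identity_provider: str   # e.g. "Tridion.AccessManagement"
    claim_type: str          # must also be a forwarded claim in Access Management
    claim_value: str         # exact value required in the access token
    description: str = ""


def claim_values(token_claims: dict, claim_type: str) -> set:
    """Every value the token carries for claim_type (string or list)."""
    value = token_claims.get(claim_type)
    if value is None:
        return set()
    if isinstance(value, (list, tuple)):
        return {str(v) for v in value}
    return {str(value)}


def groups_for_token(token_claims: dict, identity_provider: str, mappings) -> set:
    """Groups assigned at login, by exact claim type/value match.

    A mapping whose claim type is absent from the token (for example
    because it was never configured as a forwarded claim) does not match;
    there is no fallback group.
    """
    assigned = set()
    for m in mappings:
        if m.identity_provider != identity_provider:
            continue
        if m.claim_value in claim_values(token_claims, m.claim_type):
            assigned.add(m.group)
    return assigned


# Constructed mappings: the page's "Chief Editor" example keyed on given_name,
# beside an alternative keyed on an IdP-managed group claim (assumed name "groups").
MAPPINGS = [
    GroupMapping("Chief Editor", "Tridion.AccessManagement", "given_name", "Jane",
                 "Page example: matches on first name"),
    GroupMapping("Chief Editor (by role)", "Tridion.AccessManagement", "groups",
                 "cm-chief-editors", "Matches on an IdP-administered group claim"),
]

# Constructed decoded token payloads (claims only; signature verification is
# assumed to have happened before this point).
INTENDED_EDITOR = {"sub": "u1", "given_name": "Jane", "groups": ["cm-chief-editors", "staff"]}
SAME_FIRST_NAME = {"sub": "u2", "given_name": "Jane", "groups": ["staff"]}
NOT_FORWARDED = {"sub": "u3", "groups": ["cm-chief-editors"]}   # given_name not forwarded


if __name__ == "__main__":
    for label, token in [("intended editor", INTENDED_EDITOR),
                         ("same first name", SAME_FIRST_NAME),
                         ("given_name not forwarded", NOT_FORWARDED)]:
        print(f"{label:28s} -> {sorted(groups_for_token(token, 'Tridion.AccessManagement', MAPPINGS))}")
```

Running the block shows the caveat directly: the user who merely shares the first name "Jane" also receives "Chief Editor" through the given_name mapping, while only the intended user receives the group keyed on the IdP-administered group claim. The third token shows that a mapping whose claim type was never forwarded silently fails to match rather than erroring.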