Map SAML attributes to Cloud Observability roles, centralizing user management in your identity provider (IdP).
With SAML group mapping, IdPs share SAML attributes with Cloud Observability. Cloud Observability then uses that information to automatically assign users to roles.
This guide uses Cloud Observability’s UI to set up SAML group mapping. You can also set it up with Cloud Observability’s Terraform provider.
When you activate SAML group mapping, non-SSO users (users who log in with a username and password) keep their Cloud Observability role and access. To prevent unintended access and fully manage users in your IdP, complete step 3 on this page to convert non-SSO users to SSO users.
Follow the steps below to assign Cloud Observability roles to specific attributes. Your changes won’t take effect until you activate SAML group mapping in step 2.
The steps show an example where Cloud Observability assigns the Organization Editor role to all users whose team attribute is product.
Fill out the Define attribute inputs:
team attribute is
Click Add mapping to save your configuration and return to the Settings tab.
Cloud Observability displays <key> added to group mapping and shows the value and roles in the Mappings table.
Activating SAML group mapping affects existing SSO users:
Follow these steps to activate SAML group mapping in Cloud Observability:
CONFIRM and click Turn on.
In the Log out all users? dialog, you have two options:
CONFIRM and click Log out all users.
Once you’re done, Cloud Observability shows SAML group mapping is ON, and you can fully manage users in your IdP. To see a user’s group in Cloud Observability, click the Users tab and view the Group column.
When SAML group mapping is on, non-SSO users can still log into Cloud Observability with their usernames and passwords. Those users may have incorrect or outdated access because you manage them in Cloud Observability, not your IdP.
Follow the steps below to convert non-SSO users to SSO users. These steps are optional. You may want to keep some non-SSO users, for example, contractors.
Next to a non-SSO user, click ⋮ > Convert to SSO user.
(Non-SSO users have Password in the Login type column.)
Cloud Observability displays <email> converted to SSO user and returns you to the Users tab. Repeat steps 1-3 for all relevant non-SSO users.
Updated Jan 22, 2024