Map SAML attributes to roles

Map SAML attributes to Cloud Observability roles, centralizing user management in your identity provider (IdP).

Overview

With SAML group mapping, IdPs share SAML attributes with Cloud Observability. Cloud Observability then uses that information to automatically assign users to roles.

This guide uses Cloud Observability’s UI to set up SAML group mapping. You can also set it up with Cloud Observability’s Terraform provider.

Before you begin

The steps below assume you’ve set up SSO. They also assume you know the attributes your IdP sends in its SAML assertion. For example, Okta sends the attributes defined in group attribute statements.

You must be a Cloud Observability Organization Admin or Organization Billing Admin to complete this guide.

When you activate SAML group mapping, non-SSO users (users who log in with a username and password) keep their Cloud Observability role and access. To prevent unintended access and fully manage users in your IdP, complete step 3 on this page to convert non-SSO users to SSO users.

Step 1: Map SAML attributes to roles

Follow the steps below to assign Cloud Observability roles to specific attributes. Your changes won’t take effect until you activate SAML group mapping in step 2.

The steps show an example where Cloud Observability assigns the Organization Editor role to all users whose team attribute is product.

SAML mapping example

  1. In Cloud Observability, click Organization settings > User management > Additional settings.
  2. Click Start drafting your first mappings to open the Add SAML group mapping panel.
  3. Fill out the Define attribute inputs:

    1. Key - Enter one of the attributes your IdP sends to Cloud Observability, for example, team.
    2. Value - Enter the attribute value you want to assign Cloud Observability roles to, for example, product.
  4. Click Select an organization role to choose a Cloud Observability role for users with the key-value combination above. For example, Editor gives the Organization Editor role to users whose team attribute is product.
  5. Click Add mapping to save your configuration and return to the Settings tab.

    Cloud Observability displays <key> added to group mapping and shows the value and roles in the Mappings table.

  6. [Optional] Click Add mapping to create more mappings.

Step 2: Activate SAML group mapping

Activating SAML group mapping affects existing SSO users:

  • Organization Admins (OAs) - Users keep their current role.
  • Non-OAs matching mappings - Users get the mapped roles when they next log in with SSO.
  • Non-OAs not matching mappings - Users get the default role when they next log in with SSO.

Follow these steps to activate SAML group mapping in Cloud Observability:

  1. In Cloud Observability, click Organization settings > User management > Additional settings.
  2. Below SAML group mapping is OFF, click Turn on.
  3. In the Turn on SAML group mapping? dialog, enter CONFIRM and click Turn on.
  4. In the Log out all users? dialog, you have two options:

    1. To log out all existing non-OAs, enter CONFIRM and click Log out all users.
    2. To keep all existing non-OAs logged in, click Skip for now. Those users keep their existing roles until they next log in with SSO.

Once you’re done, Cloud Observability shows SAML group mapping is ON, and you can fully manage users in your IdP. To see a user’s group in Cloud Observability, click the Users tab and view the Group column.

[Optional] Step 3: Convert non-SSO users

When SAML group mapping is on, non-SSO users can still log into Cloud Observability with their usernames and passwords. Those users may have incorrect or outdated access because you manage them in Cloud Observability, not your IdP.

Follow the steps below to convert non-SSO users to SSO users. These steps are optional. You may want to keep some non-SSO users, for example, contractors.

  1. In Cloud Observability, click Organization settings > User management > Users.
  2. Next to a non-SSO user, click ⋮ > Convert to SSO user.

    (Non-SSO users have Password in the Login type column.)

  3. In the dialog, click Confirm to only let the user log in with SSO.

Cloud Observability displays <email> converted to SSO user and returns you to the Users tab. Repeat steps 1-3 for all relevant non-SSO users.

See also

User and role management

Roles and permissions

Set up SSO

Updated Jan 22, 2024