Skip to main content

For Admins: How to set up SAML attribute groups for automatic group assignment

Learn how to configure SAML attribute groups to automatically add users to elvex groups based on their identity provider attributes.

Updated over a week ago

Prerequisites

  • You must have an Admin or Owner role in elvex

  • Your company must have an active SAML/SSO connection configured

Step 0. Make sure your identity provider (IdP) has a groups attribute mapping

Your identity provider (Okta, Google, EntraID, etc) must be configured to send a "groups" attribute with relevant role data in order for an elvex group to be aligned with a preexisting department or employee role category in your IdP.

Eg. You want new brand marketing, growth marketing and international marketing employees to be added to the elvex Marketing group. Before you do anything in elvex, you will need your IdP administrator to create an attribute with key "groups" and list the team values that you are already tracking in your IdP.

Understanding the setup as an elvex admin

Before you begin, you'll need to know:

  1. What attribute values your IdP sends - Check with your IdP administrator to see what values are included in the "groups" attribute (e.g., "Engineering", "Marketing", "Sales")

  2. Which elvex groups you want to map to - You can map to previously created groups or as you build new ones

  3. What role users should automatically have in each group - Editor or Viewer

Creating a SAML attribute group from the Groups page

  1. Navigate to edit the group

  2. Select the Idp Configuration tab and click Manage Groups

  3. Click Create in the Manage SAML Attribute Groups modal

  4. Name your elvex mapping

  5. Enter the SAML attribute values from your IdP that should trigger this mapping

    • Add one or more values that match what your IdP sends (e.g., "Engineering", "AWS Users")

    • These values are case-sensitive and must match your IdP exactly

  6. Click Create

Associating a SAML attribute group with an elvex group

  1. Open the elvex group you want to associate with a SAML attribute group

  2. Select the IdP Configuration tab

  3. Select the SAML attribute group you created in the dropdown

  4. Choose the role users will receive in this group:

    • Editor: Can add and remove group members

    • Viewer: Can only view the group and its members

  5. Click Save

Creating a SAML attribute group from the SAML settings page

  1. Navigate to Settings > SAML

  2. Click Manage Groups in the just-in-time provisioning section

  3. Click Create in the Manage SAML Attribute Groups modal

  4. Enter the attribute values from your IdP that should trigger this mapping

  5. Click Create

Creating a role assignment by SAML attribute group

  1. Navigate to Settings > SAML

  2. In the just-in-time provisioning section, select the SAML attribute group you created in the dropdown

  3. Choose the company role users will receive when they are provisioned:

    • Member

    • Creator

    • Admin

  4. Click Activate/update SAML Connection

What's next?

Did this answer your question?