help.sitevision.se always refers to the latest version of Sitevision

Create Virtual groups for SAML

SAML stands for Security Assertion Markup Language and is an XML-based open standard for exchanging authentication and authorisation data.

SAML is a federated login method that handles login against your own AD without Sitevision needing direct contact with AD. If a visitor navigates to an address that requires login, they are redirected to the customer's IdP (located in the customer's own environment), where the visitor logs in. When the login is complete, a form with signed information is sent to SiteVision.

You can create virtual groups in four different ways:

  • Everyone logged in via SAML
  • Groups
  • E-mail address (single user)
  • E-mail address (all)

Everyone logged in via SAML

As a first test when setting up SAML settings, it's a good idea to add all users logged in via SAML and try logging in. Enter SAML (in uppercase) as the Id so that the Virtual group consists of everyone who logs in via SAML.

Add group for SAML

Groups

Giving entire groups in the directory service access through Virtual groups is straightforward. This allows you to assign permissions to a page or structure to all users in the group.

Enter, as the Id, one of the attribute values of the attribute that you set as the group attribute in the SAML2 login module. For example, if the group attribute is named groups, use the text inside each AttributeValue element.

The example below shows a SAML ticket with two group names, SVeconomyEditors and SVadmin:

<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xsi:type="xs:string">SVeconomyEditors</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">SVadmin</saml:AttributeValue>
</saml:Attribute>

Group name

It is important to specify the EXACT name of the group attribute value; the match is made on the full string, so a difference in spelling or letter case means the user is not placed in the Virtual group.

E-mail address (single user)

You can use an e-mail address to create a Virtual group for a single user.

Enter an e-mail address in the Id field.

Group for single e-mail address

E-mail address (all)

You can use the domain part of an e-mail address to create a Virtual group consisting of all users whose e-mail address is in that domain.

Enter the part of the address after @ (the domain) as the Id so that all users with an e-mail address in that domain are associated with the Virtual group.

For anyone with the email address within a particular domain
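The four mapping rules above (everyone via SAML, group attribute values, a single e-mail address, and an e-mail domain) can be checked against an actual assertion before you rely on them for permissions. The following is an added example, not Sitevision code: it parses a constructed AttributeStatement modelled on the snippet above (the mail attribute name, the addresses and the domain are assumptions, not values from the page) and reports which Virtual group Ids a user would fall into. Group values are matched exactly, as the page requires; treating a dotted Id without @ as a domain, and comparing e-mail addresses case-insensitively, are this example's own assumptions about how Ids are interpreted.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample, modelled on the page's attribute snippet. The "mail"
# attribute and the example.org addresses are invented for this example.
SAMPLE_ASSERTION = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">SVeconomyEditors</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">SVadmin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">anna.editor@example.org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(xml_text, attribute_name):
    """Return every AttributeValue text of the attribute called attribute_name."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == attribute_name:
            for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((value.text or "").strip())
    return values


def matching_virtual_groups(virtual_group_ids, groups, email):
    """Return the Virtual group Ids this user would be placed in.

    Rules, in the order they are tried for each Id:
      1. "SAML"                  -> everyone logged in via SAML
      2. exact group value match -> case-sensitive, as the help text requires
      3. Id containing "@"       -> single user (case-insensitive, an assumption)
      4. dotted Id without "@"   -> e-mail domain (assumption about Id shape)
    """
    domain = email.split("@", 1)[1].lower() if "@" in email else ""
    matched = []
    for vg_id in virtual_group_ids:
        if vg_id == "SAML":
            matched.append(vg_id)
        elif vg_id in groups:
            matched.append(vg_id)
        elif "@" in vg_id and vg_id.lower() == email.lower():
            matched.append(vg_id)
        elif "@" not in vg_id and "." in vg_id and vg_id.lower() == domain:
            matched.append(vg_id)
    return matched


def evaluate(xml_text, virtual_group_ids, group_attribute="groups", mail_attribute="mail"):
    """Parse the assertion and resolve the Virtual groups for the user it describes."""
    groups = attribute_values(xml_text, group_attribute)
    mails = attribute_values(xml_text, mail_attribute)
    email = mails[0] if mails else ""
    return matching_virtual_groups(virtual_group_ids, groups, email)


if __name__ == "__main__":
    configured_ids = ["SAML", "SVadmin", "svadmin", "example.org",
                      "other.org", "anna.editor@example.org"]
    print(evaluate(SAMPLE_ASSERTION, configured_ids))
```

Note that the lowercase Id svadmin is not matched even though SVadmin is present in the ticket, which is exactly the mistake the "EXACT name" warning above is about; running a check like this against a real assertion from your IdP is a quick way to confirm the group attribute name and the spelling of each value before granting permissions.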
