Add custom attributes to a user group with Group Inherited User Attributes. When you add users to that user group, they inherit the custom attribute. Group Inherited User Attributes can be added on SAML SSO connectors to customize roles and permissions across your user groups.
Considerations
- String, Number, Boolean and JSON attribute types are supported
- Group inherited custom attributes are not supported for dynamic user groups (they are set at the user level)
- Attribute names need to be unique
- Number attributes can’t be more than nine digits. If you need to enter a number that’s longer than nine digits, use a string attribute instead
- String attributes support numbers, characters, and symbols
- If there are custom attributes set on two or more groups that connect a user to an app, the most recently added group attribute will be applied. For example:
  - User A is associated with JumpCloud User Groups Team-A and Team-B
  - Team-A custom attribute: TeamName=team-a
  - Team-B custom attribute: TeamName=team-b
  - When the user initiates a session on AWS where the group attribute is inherited, the user inherits the Team-B custom attribute: TeamName=team-b
Configuring Group Inherited User Attributes on a User Group
Considerations
- You can use the JSON Editor to create objects. Objects support nested objects, lists, as well as boolean, number, and string values
- Multiple nested objects and JSON fields are supported. Use a comma to separate them
- JSON fields need to be unique. If you have two JSON fields with the same name, the most recently created JSON field is saved and the older one is deleted when you save the attribute
To add group inherited user attributes
- Log in to the JumpCloud Admin Portal.
- Go to USER MANAGEMENT > User Groups.
- Select an existing User Group or create a new user group.
- Click add new custom attribute from the Details tab.
- For type, choose String, Number, Boolean, or JSON Editor.
- Enter an Attribute Name and Attribute Value.
- Click save.
Mapping Group Inherited User Attributes on a SAML Connector
Considerations
- Conflicting attributes set at the user level override attributes set at the group level.
- When you create a Group Inherited User Attribute that uses a JSON Editor Attribute value, you can map the Group Attribute Name on a SAML connector to any of the JSON fields contained in the JSON object. If the mapping is correct, we extract the value from that field. Things to know about this functionality:
  - From User Attributes on a SAML Connector, you can map the Group Attribute Name to a string, number, or boolean JSON field that you included in the JSON editor.
  - On the SAML connector, you can map the Group Attribute Name to a JSON field that includes a list value, but we only add the elements of the list that aren't JSON objects.
  - You can't map a Group Attribute Name to JSON fields that contain JSON or complex objects as their values. For example, let's say the JSON Editor Attribute name is "otherInfo" and the JSON Editor Attribute Value is the following:
    {
      "userSettings" : {
        "role" : "admin",
        "permissions" : "rw",
        "description" : "Very clever"
      }
    }
    A mapping to otherInfo.userSettings isn't supported because the value contains an object. Instead, you could map to a field in that value object like this: otherInfo.userSettings.role. If you map to a field that has a JSON or complex object as its value, the attribute is ignored in the SAML assertion.
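The precedence rules above (most recently added group wins, user-level attributes override group-level ones) and the dot-notation mapping rules can be seen together in the following worked model. This is illustrative code written for this article, not JumpCloud's own code, and it calls no JumpCloud API; the group data, the otherInfo object, and the connector mapping are constructed samples, and the Service Provider Attribute Names used in the mapping are hypothetical.

```python
"""Worked model of the attribute rules described in this article.

Illustrative code written for this article, not JumpCloud's own code; it
calls no JumpCloud API. All sample data below is constructed.
"""
from typing import Any, Dict, List, Optional

# Constructed sample data. 'added_order' records when each group's
# attribute was added, so the "most recently added group attribute wins"
# rule can be applied.
GROUPS: List[Dict[str, Any]] = [
    {"name": "Team-A", "added_order": 1,
     "attributes": {"TeamName": "team-a"}},
    {"name": "Team-B", "added_order": 2,
     "attributes": {
         "TeamName": "team-b",
         # A JSON Editor attribute named otherInfo, as in the article.
         "otherInfo": {
             "Location": "Boulder",
             "tags": ["sso", "saml", {"nested": True}],
             "userSettings": {"role": "admin", "permissions": "rw",
                              "description": "Very clever"},
         },
     }},
]


def effective_attributes(user_attrs: Dict[str, Any],
                         groups: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Merge group attributes so the most recently added group wins for a
    conflicting name, then let user-level attributes override group-level."""
    merged: Dict[str, Any] = {}
    for group in sorted(groups, key=lambda g: g["added_order"]):
        merged.update(group["attributes"])
    merged.update(user_attrs)  # user-level conflicts win over group-level
    return merged


def resolve_mapping(attrs: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a Group Attribute Name such as 'otherInfo.userSettings.role'.

    Returns the value to emit, or None when the mapping is ignored: the path
    does not exist, or it lands on a JSON object. For a list, only elements
    that are not JSON objects are kept, as the article describes; a list
    left empty by that filter is treated as ignored.
    """
    value: Any = attrs
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    if isinstance(value, dict):
        return None
    if isinstance(value, list):
        kept = [item for item in value if not isinstance(item, dict)]
        return kept or None
    return value


def assertion_attributes(mappings: Dict[str, str],
                         attrs: Dict[str, Any]) -> Dict[str, Any]:
    """Build the attribute set for a SAML assertion from a mapping of
    Service Provider Attribute Name -> Group Attribute Name. Mappings that
    resolve to None are left out, mirroring the article's rule."""
    result: Dict[str, Any] = {}
    for sp_name, path in mappings.items():
        value = resolve_mapping(attrs, path)
        if value is not None:
            result[sp_name] = value
    return result


if __name__ == "__main__":
    attrs = effective_attributes({}, GROUPS)
    # Constructed connector mapping; the SP attribute names are hypothetical.
    mappings = {
        "Team": "TeamName",
        "Role": "otherInfo.userSettings.role",
        "Settings": "otherInfo.userSettings",  # object value: ignored
        "Tags": "otherInfo.tags",
    }
    print(assertion_attributes(mappings, attrs))
```

Running the module shows Team resolving to team-b (Team-B was added after Team-A), Settings dropped because it points at an object, and Tags reduced to the two string elements of the list.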
To include group inherited user attributes with a SAML SSO connector
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO.
- Select an existing application or create a new connector.
- Click the SSO tab.
- Scroll down to the Attributes section and click add attribute.
  - Service Provider Attribute Name - enter the service provider's name for the attribute
  - JumpCloud Attribute Name - click the down arrow and choose Custom User or Group Attribute
  - Group Attribute Name - enter the attribute name you provided in step 6 of Configuring Group Inherited User Attributes on a User Group, above.
    If you want to map to a JSON field that's included in a JSON Editor Attribute Value, enter the attribute name and the JSON field in dot (.) notation. For example, to map to a Location field inside a JSON Editor attribute named otherInfo, you would enter: otherInfo.Location.
- Click save.