# SAML Group Mapping
# Preamble
The EE server supports the SAML protocol, which allows you to configure an external SAML IdP for authentication. In addition, the SAML server may provide groups. This guide explains how to map a SAML group to a Psono group. We assume that you have already configured SAML correctly, including the necessary attribute configuration, so that groups are transferred properly. If not, please check out the appropriate configuration guide.
TIP
This feature is only available in the Enterprise Edition.
# Admin Webclient
Log in to the Admin webclient
Create Managed Group
Go to Groups and click the + button to create a managed group.
Edit Managed Group
Go to Groups and click the pencil button next to the created group.
Create Mapping
Search for the SAML group and click the checkmark symbol in the "Mapped" column.
TIP
SAML groups are created on the fly: whenever a user logs in, all of their groups are imported. If the group that you are searching for is not listed, ask a user who belongs to this group to log in.
(optional) Grant Share Admin
If you want to allow users of this SAML group to add new shares to this group, you have to grant them Share Admin.
TIP
It is considered best practice to share only one folder per group and add new entries or subfolders to that one shared folder. That way all shares are instant and no one has to accept new shared secrets.
Finished
Whenever a user logs in with SAML, the server will map Psono groups according to the user's SAML groups and grant the user the necessary permissions. If a user loses access to a group, the server will remove the user from the Psono group upon the next login.
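
The login-time behaviour described above, as a small Python model added here for illustration; it is not Psono's server code. The class, method, user and group names are hypothetical, and the model assumes memberships are evaluated only at SAML login, so a user removed from a group at the IdP stays in the Psono group until they log in again.

```python
from dataclasses import dataclass, field


@dataclass
class GroupSync:
    """Toy model of login-time SAML -> Psono group mapping (hypothetical names)."""
    known_saml_groups: set = field(default_factory=set)  # imported from logins
    mappings: dict = field(default_factory=dict)         # (saml, psono) -> share_admin
    memberships: dict = field(default_factory=dict)      # (user, psono) -> share_admin

    def map_group(self, saml_group, psono_group, share_admin=False):
        # "Mapped" can only be ticked for a SAML group that is already listed,
        # i.e. one that some user's login has imported.
        if saml_group not in self.known_saml_groups:
            raise LookupError(f"{saml_group!r} not imported yet; a member must log in")
        self.mappings[(saml_group, psono_group)] = share_admin

    def on_saml_login(self, user, asserted_groups):
        asserted = set(asserted_groups)
        self.known_saml_groups |= asserted               # created on the fly
        desired = {}
        for (saml, psono), admin in self.mappings.items():
            if saml in asserted:
                desired[psono] = desired.get(psono, False) or admin
        current = {g for (u, g) in self.memberships if u == user}
        revoked = current - set(desired)
        for g in revoked:                                # group lost at the IdP
            del self.memberships[(user, g)]
        for g, admin in desired.items():
            self.memberships[(user, g)] = admin
        return sorted(set(desired) - current), sorted(revoked)


def demo():
    # Constructed sample data: user, SAML groups and Psono group name are made up.
    s = GroupSync()
    s.on_saml_login("alice", ["eng", "ops"])             # imports groups, grants nothing
    s.map_group("eng", "Engineering Secrets", share_admin=True)
    granted, _ = s.on_saml_login("alice", ["eng", "ops"])
    # alice is removed from "eng" at the IdP but has not logged in again yet:
    stale = ("alice", "Engineering Secrets") in s.memberships
    _, revoked = s.on_saml_login("alice", ["ops"])
    return granted, stale, revoked


if __name__ == "__main__":
    print(demo())
```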