SAML Groups Application Roles Mapping

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP), such as Okta, and a service provider (SP), such as Amorphic Data Platform. In Amorphic Data Platform, users and API calls are authenticated using Cognito. The authentication token received has the user's groups embedded in it. These groups have roles assigned to them in the Amorphic application. A user is granted access to a role based on the groups assigned to that user in the identity provider (IdP), such as Okta.

Amorphic provides SAML Groups with access to application resources through its roles. SAML Groups are groups in an IdP, each containing a list of users. To give the users in a group a certain set of permissions in the Amorphic application, map the group to an application role. To learn more about roles in the Amorphic application, see Role Based Access Control (RBAC).

What is a SAML Mapping?

A SAML mapping is a way of assigning a SAML Group to a role in the Amorphic application. An administrator in the Amorphic application has the permissions to perform this operation.

SAML Mapping Metadata Information

Type           Description
SamlGroupId    SAML Group name which the administrator has to enter manually.
RoleId         Id of the role which will be used by the users of the group. Administrator selects the name of the role from the drop down.
CreationTime   Timestamp when the mapping was created.
CreatedBy      Administrator who created the mapping.

SAML Mapping Operations

An administrator of the Amorphic application can add a mapping, or edit or delete an existing mapping.

Add New Mapping

You can add a new mapping in the Amorphic application by using the “Add New Mapping” functionality.

In order to add a new mapping, you need to be an administrator in the application. Below is the image that shows how to add a new mapping.

Create SAML Mapping

Edit Mapping

You can edit an existing mapping. You can change the role associated with the group, but not the group associated with the role. To change the group name, delete the existing mapping and add a new one.

Below is the image that will show how to edit a mapping.

Edit SAML Mapping

Delete Mapping

You can delete an existing mapping.

Below is the image that will show how to delete a mapping.

Delete SAML Mapping

Note: Below are some of the important points that the Amorphic administrator needs to keep in mind when a mapping is added or deleted.
  • If a user is part of a SAML group and that group is mapped to an application role which the user already has access to, the user will lose access to the role when the mapping is deleted or when the user is removed from the SAML group.
  • The only exception is the default-role: if a SAML group is mapped to the default-role and the user is removed from the SAML group, or the mapping is deleted in the Amorphic application, the user won't lose access to the default role. For any other role, the user would lose access.
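
The two rules in the note above can be checked before a mapping is deleted or a group membership changes. The following is an added example, not Amorphic's own code: it models the rules as stated here, and the function names, group names and role ids are constructed (using the role name as RoleId is a simplification).

```python
DEFAULT_ROLE = "default-role"  # role name as written in the note above

def roles_from_groups(groups, mappings):
    """Roles granted through SAML mappings for a set of IdP group names.

    mappings: list of {"SamlGroupId": ..., "RoleId": ...} records, using the
    field names from the mapping metadata table.
    """
    return {m["RoleId"] for m in mappings if m["SamlGroupId"] in groups}

def reconcile(current_roles, old_groups, old_mappings, new_groups, new_mappings):
    """Return (roles_after, revoked) for one user after a change.

    A role that was covered by a group mapping and no longer is gets revoked,
    even if the user already had access to it; default-role is the exception.
    """
    before = roles_from_groups(old_groups, old_mappings)
    after = roles_from_groups(new_groups, new_mappings)
    revoked = {r for r in before - after
               if r != DEFAULT_ROLE and r in current_roles}
    roles_after = (set(current_roles) - revoked) | after
    return roles_after, revoked

# Constructed sample data (hypothetical groups and role ids).
MAPPINGS = [
    {"SamlGroupId": "data-engineers", "RoleId": "etl-developer-role"},
    {"SamlGroupId": "all-staff", "RoleId": DEFAULT_ROLE},
]
USER_GROUPS = {"data-engineers", "all-staff"}
USER_ROLES = {"etl-developer-role", DEFAULT_ROLE, "analyst-role"}

if __name__ == "__main__":
    scenarios = {
        "delete data-engineers mapping": (USER_GROUPS, MAPPINGS[1:]),
        "delete all-staff mapping": (USER_GROUPS, MAPPINGS[:1]),
        "remove user from both groups": (set(), MAPPINGS),
    }
    for name, (groups, mappings) in scenarios.items():
        roles, revoked = reconcile(USER_ROLES, USER_GROUPS, MAPPINGS,
                                   groups, mappings)
        print(f"{name}: revoked={sorted(revoked)} roles={sorted(roles)}")
```

Roles that no mapping ever covered (analyst-role in the sample) are left untouched by a mapping change in this model.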