
Feature Request: Implementation of SAML Role Attribute Mapping for Granular Permissions Management

  • January 28, 2025

Jared

Overview:

Currently, the SAML SSO connection to your platform provides “all or nothing” access for authenticated users. As any administrator here will know, we need to manually configure the granular roles and permissions within your platform for each new access request, which is time-consuming and introduces potential for error.

 

I am requesting the implementation of SAML Role Attribute Mapping to streamline this process. This enhancement would allow roles or permissions to be dynamically assigned based on attributes sent in the SAML assertion from the identity provider (IdP).

 

Proposed Functionality:

• Introduce the capability for the platform to recognize a specific SAML attribute (e.g., Role or Group).

• Map the values of the attribute to predefined roles or permission sets within the platform.

• Dynamically assign appropriate permissions based on the attribute value, eliminating the need for manual configuration.

 

Benefits:

1. Improved Efficiency: Reduces the administrative burden by automating the role assignment process.

2. Increased Security: Minimizes the risk of misconfigurations or incorrect permission assignments.

3. Scalability: Facilitates onboarding of users with diverse permissions, particularly in organizations with large or dynamic teams.

 

Example Workflow:

1. The IdP sends a SAML assertion with an attribute such as Role=ProgramManager.

2. The platform maps “ProgramManager” to a predefined role or permission set (e.g., access to Moveworks Setup User, Creator Studio Developer, Creator Studio Analytics Viewer, Creator Studio Logs Viewer, Bot Analytics Admin, Bot Analytics Viewer, Knowledge Studio Viewer, Employee Experience Insights (EXI) Viewer, and Employee Communications User).

3. The user gains the appropriate access level automatically upon login.

 

This feature would significantly enhance the usability and security of the SSO integration, aligning with industry best practices for SAML-based access control.
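
The mapping step of the example workflow above, as an added example that is not code from the platform or from the post's author. It assumes the service provider's SAML library has already verified the assertion's signature and conditions; `ROLE_MAP`, the `Analyst` entry and the `DomainAdmin` value are constructed for illustration. Unmapped values grant nothing and are returned so they can be logged.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "Role"  # attribute name used in the post's example

# IdP attribute value -> platform roles. "ProgramManager" follows the post's
# example workflow; "Analyst" is a hypothetical second entry.
ROLE_MAP = {
    "ProgramManager": frozenset({
        "Moveworks Setup User", "Creator Studio Developer",
        "Creator Studio Analytics Viewer", "Creator Studio Logs Viewer",
        "Bot Analytics Admin", "Bot Analytics Viewer",
        "Knowledge Studio Viewer",
        "Employee Experience Insights (EXI) Viewer",
        "Employee Communications User",
    }),
    "Analyst": frozenset({"Bot Analytics Viewer"}),
}

# Constructed sample: the AttributeStatement of an assertion whose signature
# is assumed to have been verified before this code runs.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Role">
    <saml:AttributeValue>ProgramManager</saml:AttributeValue>
    <saml:AttributeValue>DomainAdmin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def role_values(statement_xml):
    """Return every value of the role attribute (it may be multi-valued)."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == ROLE_ATTRIBUTE:
            for v in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((v.text or "").strip())
    return values

def resolve_roles(statement_xml):
    """Deny by default: only exact matches in ROLE_MAP grant anything."""
    granted, unmapped = set(), []
    for value in role_values(statement_xml):
        roles = ROLE_MAP.get(value)  # exact, case-sensitive lookup
        if roles is None:
            unmapped.append(value)   # log these; never guess or fall back
        else:
            granted |= roles
    return granted, unmapped
```

Re-resolving roles on every login, rather than only at first provisioning, keeps access in step with changes made at the IdP.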