
Note: The map user groups functionality is configured through the SSO Portal, but it applies to Infoblox Portal users only.

The Map Groups section allows you to automatically assign groups from your IdP (Identity Provider) to the Infoblox Portal groups. Based on your business requirements, you can choose a desired region, such as the US (United States) or EU (European Union) region. Depending on the selected region, you can add IdP user groups or Azure group IDs and map them to the respective Infoblox Platform user groups. Group mapping also requires that a “groups” attribute be sent in the SAML response from your IdP. Ensure that you populate the “groups” attribute with the IdP user groups or Azure group IDs that are assigned to your IdP users.

When users sign in and are in the target IdP user group or Azure group ID, they are automatically assigned the mapped Infoblox Portal groups. If the user did not previously have a user account in the Infoblox Portal, an account is created automatically and assigned groups in your company's Infoblox Portal account.

To configure user mapping, complete the following:

  1. Log in to the Infoblox SSO Portal at https://sso.infoblox.com/.
  2. On the 3rd Party IDP page of the Infoblox SSO Portal, go to the Map Groups section.
  3. From the Region drop-down menu, choose EU to map user groups in the EU region or choose US to do so in the US region. The SSO portal displays all regions by default.

  4. In the respective region, click Add, and then enter the IdP group name or the Azure group ID in the text box:
    • IDP USER GROUP: For OKTA federation.

    • AZURE GROUP ID: For Azure AD federation.

      Note: Ensure that you enter the IdP group name or Azure group ID you have configured in your SAML application. You can find the IdP group name/ID at your IdP. Azure AD will only send the groups’ Azure Group ID in the SAML Assertion. Therefore, IDP group names are not used when federating with Azure AD.

      The following restrictions apply to the IdP group names:

      • The name cannot be empty.
      • The length must be less than or equal to 253 characters.
      • Valid characters include the following: a-z, A-Z, 0-9, -, .
      • Must begin with an alphanumeric character.
      • Must end with an alphanumeric character.
        If your IdP group names do not meet the above restrictions, you will receive an error when you try to add the group mapping entries.
  5. From the Infoblox USER GROUP drop-down list, choose the desired Infoblox User Group to map to the respective IdP user group or Azure group ID. You can also use the search option by entering the name of the Infoblox user group to find a match. Repeat this process for each IdP group or Azure group ID as necessary to create multiple mappings. You can map multiple IdP groups to a single Infoblox user group.
    For example, if you map an IdP user group "idp-group" to an Infoblox user group "ib-ddi-admin," any user who signs in to the Infoblox Portal and belongs to the "idp-group" group will automatically be added to the "ib-ddi-admin" group.
  6. Click Save to save the mappings.
  7. After you have configured the SAML application and mapped user groups, you can complete the following configuration:
    1. Testing 3rd Party IdP Authentication
    2. Activating 3rd Party IdP Authentication

    You can also perform the following after you set up 3rd party IdP authentication:
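The following is an added example, not code from this page or from Infoblox: it applies the IdP group-name restrictions listed in step 4, reads the “groups” attribute from a constructed SAML assertion, and resolves the portal groups for the many-to-one mapping described in step 5. The assertion, the mapping table, and the Azure group ID in it are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Restrictions from step 4: begins and ends with an alphanumeric character,
# only a-z, A-Z, 0-9, '-' and '.' in between, at most 253 characters, non-empty.
GROUP_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
MAX_GROUP_NAME_LEN = 253

# Constructed mapping (step 5): two IdP groups map to one Infoblox user group,
# and a placeholder Azure group ID maps to another.
GROUP_MAPPING = {
    "idp-group": "ib-ddi-admin",
    "idp-ops": "ib-ddi-admin",
    "11111111-2222-3333-4444-555555555555": "ib-user",  # placeholder Azure group ID
}

# Constructed assertion fragment carrying the "groups" attribute the page requires.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>idp-group</saml:AttributeValue>
      <saml:AttributeValue>unmapped-group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def validate_idp_group_name(name):
    """Return the list of restriction violations; an empty list means the name is valid."""
    if not name:
        return ["name cannot be empty"]
    errors = []
    if len(name) > MAX_GROUP_NAME_LEN:
        errors.append("length %d exceeds %d characters" % (len(name), MAX_GROUP_NAME_LEN))
    if not GROUP_NAME_RE.fullmatch(name):
        errors.append("must start and end with an alphanumeric and use only a-z, A-Z, 0-9, '-', '.'")
    return errors


def extract_groups_attribute(assertion_xml, attr_name="groups"):
    """Collect the values of the named attribute (assumes the assertion's signature was already verified)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") == attr_name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text)
    return values


def resolve_portal_groups(saml_groups, mapping):
    """Map asserted IdP groups / Azure group IDs to portal groups; unmapped values grant nothing."""
    return {mapping[g] for g in saml_groups if g in mapping}
```

Group names that fail validation should be rejected before they reach the mapping table, which is the same outcome as the error the SSO Portal reports when you try to save them.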