REST API Reference > Platform REST API version 3 resources > SAML group and role mapping
  

SAML group and role mapping

If your organization uses SAML single sign-on (SSO) for authentication and authorization, use the Orgs resource to map SAML roles and groups to IDMC roles. You can also use the Orgs resource to get details about SAML role and group mappings for an organization.
You can map up to 200 SAML groups or roles to an IDMC role. To find a list of IDMC roles, you can use the Roles resource.
Before you map SAML groups and roles, ensure that the Map SAML Groups and Roles option is enabled in Administrator.
After you map SAML groups and roles to IDMC roles, you cannot configure user roles or groups for SAML SSO users individually in Administrator or through the IDMC REST API.
For more information about using SAML SSO, see User Administration in the Administrator help.

Adding SAML group mappings

Add SAML group mappings that map SAML groups to IDMC roles.
Note: You cannot map a SAML group or role that contains one of the following characters in the name:

PUT request

To add a mapping between an IDMC role and SAML groups, use the following URI:
/public/core/v3/Orgs/<organization ID>/addSamlGroupMappings
If you map a SAML group that doesn't exist in IDMC, IDMC creates the group. If a group with the same name exists in IDMC, you can specify whether to reuse the group or create a new group. By default, IDMC creates a new group with _EXT appended to the name.
Include the following information:
Field
Type
Required
Description
groupMappings
Array
yes
Object that defines the IDMC role and SAML group mappings.
roleName
String
yes
Include in the groupMappings object.
Name of the IDMC role.
samlGroupNames
String
yes
Include in the groupMappings object
Names of the SAML groups to map to the IDMC role.
reuseGroup
Boolean
--
Whether to use the existing IDMC group if the group name is the same as the SAML group name.
If false, IDMC creates a new group.
Default is false.
Returns the 204 response code if successful. Returns an error object if errors occurs.

PUT examples

To map the IDMC Admin role to the Security and Dev-Managers SAML groups, and map the IDMC Designer role to the Developers SAML group, you might send a request similar to the following example:
PUT <baseApiUrl>/public/core/v3/Orgs/6MRgiMIfvdRfCCLITrLCcI/addSamlGroupMappings
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: 9KA11tLGqxVcGeul8SQBK3
{
"groupMappings": [
{
"roleName": "Admin",
"samlGroupNames": ["Security","Dev-Managers"]
},
{
"roleName": "Designer",
"samlGroupNames": "Developers"
}
],
"reuseGroup": "true"

}
To add another group mapping to map the IDMC Admin role to the Administrators SAML group, you might send a request similar to the following example:
PUT <baseApiUrl>/public/core/v3/Orgs/6MRgiMIfvdRfCCLITrLCcI/addSamlGroupMappings
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: 9KA11tLGqxVcGeul8SQBK3
{
"groupMappings": [
{
"roleName": "Admin",
"samlGroupNames": "Administrators"
}
],
"reuseGroup": "true"
}
Now the IDMC Admin role is mapped to the Security, Dev-Managers, and Administrators SAML groups.

Adding SAML role mappings

Add SAML role mappings that map SAML roles to IDMC roles.
Note: You cannot map a SAML group or role that contains one of the following characters in the name:

PUT request

To add a mapping between IDMC roles and SAML roles, use the following URI:
/public/core/v3/Orgs/<organization ID>/addSamlRoleMappings
Include the following information:
Field
Type
Required
Description
roleMappings
Array
yes
Object that defines the IDMC role and SAML role mappings.
roleName
String
yes
Include in the roleMappings object.
Name of the IDMC role.
samlRoleNames
List
yes
Include in the roleMappings object
Names of the SAML roles to map to the IDMC role.
Returns the 204 response code if successful. Returns an error object if errors occurs.

PUT example

To map the IDMC Developer role to the Data Designer and MS Deployer SAML roles, and map the IDMC Admin role to the Operator SAML role, you might send a request similar to the following example:
PUT <baseApiUrl>/public/core/v3/Orgs/6MRgiMIfvdRfCCLITrLCcI/addSamlRoleMappings
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: 9KA11tLGqxVcGeul8SQBK3
{
"roleMappings": [
{
"roleName": "Developer",
"samlRoleNames": ["Data Designer","MS Deployer"]
},
{
"roleName": "Admin",
"samlRoleNames": "Operator"
}
]
}

Removing SAML group mappings

Remove SAML group mappings that map SAML groups to IDMC roles.

PUT request

To remove a SAML group mapping, send a PUT request using the following URI:
/public/core/v3/Orgs/<organization ID>/removeGroupMappings
Include the following information:
Field
Type
Required
Description
groupMappings
Array
yes
Object that defines the IDMC role and SAML group mappings.
roleName
String
yes
Include in the groupMappings object.
Name of the IDMC role.
samlGroupNames
String
yes
Include in the groupMappings object.
Names of the SAML groups to remove.

PUT example

If you want to remove the mapping between the IDMC Admin role and the Administrators SAML group, you might send a request similar to the following example:
PUT <baseApiUrl>/public/core/v3/Orgs/6MRgiMIfvdRfCCLITrLCcI/removeSamlGroupMappings
Content-type: application/json
Accept: application/json
INFA-SESSION-ID: 9KA11tLGqxVcGeul8SQBK3
{
"groupMappings": [
{
"roleName": "Admin",
"samlGroupNames": "Administrators"
}
]
}

Removing SAML role mappings

Remove SAML role mappings that map SAML roles to IDMC roles.

PUT request

To remove a SAML role mapping, send a PUT request using the following URI:
/public/core/v3/Orgs/<organization ID>/removeSamlRoleMappings
Include the following information:
Field
Type
Required
Description
roleMappings
Array
yes
Object that defines the IDMC role and SAML role mapping.
roleName
String
yes
Include in the roleMappings object.
Name of the IDMC role.
samlRoleNames
String
yes
Include in the roleMappings object.
Names of the SAML roles to remove.

PUT example

If you want to remove the mapping between the IDMC Admin role and the Operator SAML role, you might send a request similar to the following example:
PUT <baseApiUrl>/public/core/v3/Orgs/6MRgiMIfvdRfCCLITrLCcI/removeSamlRoleMappings
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: 9KA11tLGqxVcGeul8SQBK3
{
"roleMappings": [
{
"roleName": "Admin",
"samlRoleNames": "Operator"
}
]
}

Getting SAML group mapping details

You can get the details for all the group mappings for an organization or use a filter to get group mapping details for a particular IDMC role or SAML group.

GET request

To get details for group mappings, use the following URI:
public/core/v3/Orgs/<organization ID>/SAMLConfig/groupMappings?<query parameters>
To get all the group mapping details for the organization, omit the query parameters.
To get details for a particular role or SAML group, you can include the following query parameters in the URI:
Parameter
Type
Description
q
String
Query filter string. You can filter using one of the following fields:
  • - roleId
  • - roleName
  • - samlGroupNames
limit
Int
Maximum number of mappings to return.
Default is 200.
skip
Int
Number of mappings to skip in the results.
For example, a value of 4 excludes the first four mappings.
Default is 0.
You can use the following fields to define the query filter:
Field
Type
Operators
Description
roleId
String
==
ID of the IDMC role.
roleName
String
==
Name of the IDMC role.
samlGroupNames
String
==
Name of the SAML group.

GET request example

To get the group mapping details for a particular IDMC role ID, you might use the following request:
GET <baseApiUrl>/public/core/v3/Orgs/<organization ID>/SAMLConfig/groupMappings?q=roleId=="94207429"
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: <SessionId>

GET response

Returns the group mapping details. Returns an error if errors occur.
If the Map SAML Groups and Roles option is enabled but no mappings exist, the response is empty.
If successful, returns a count of the available group mappings and the following information for each group mapping:
Field
Type
Description
count
String
Number of group mappings available.
groupMappings
-
Contains mapping information for each group mapping.
roleId
String
ID of the IDMC role.
roleName
String
Name of the IDMC role.
samlGroupNames
String
Names of the SAML groups.

GET response example

If successful, you might receive a response similar to the following example:
{
"count": 2,
"groupMappings": [
{
"roleId":"94207429",
"roleName:"Admin",
"samlGroupNames": [
"Security", "Dev-Managers"
]
},
{
"roleId":"149021",
"roleName:"Monitor",
"samlGroupNames": "Developers"
}
]
}

Getting SAML role mapping details

You can get the details for all the role mappings for an organization or use a filter to get role mapping details for a particular IDMC role or SAML role.

GET request

To get details for role mappings, use the following URI:
public/core/v3/Orgs/<organization ID>/SAMLConfig/roleMappings?<query parameters>
To get all the role mapping details for the organization, omit the query parameters.
To get details for a particular role or SAML role, you can include the following query parameters in the URI:
Parameter
Type
Description
q
String
Query filter string. You can filter using one of the following fields:
  • - roleId
  • - roleName
  • - samlRoleNames
limit
Int
Maximum number of mappings to return.
Default is 200.
skip
Int
Number of mappings to skip in the results.
For example, a value of 4 excludes the first four mappings.
Default is 0.
You can use the following fields to define the query filter:
Field
Type
Operators
Description
roleId
String
==
ID of the IDMC role.
roleName
String
==
Name of the IDMC role.
samlRoleNames
String
==
Name of the SAML role.

GET request example

To get the role mapping details for a particular IDMC role ID, you might use the following request:
GET <baseApiUrl>/public/core/v3/Orgs/03kEYNeduIJkVv0Qvq8NgY/SAMLConfig/roleMappings?q=roleId=="94247429"
Content-Type: application/json
Accept: application/json
INFA-SESSION-ID: <SessionId>

GET response

Returns the role mapping details. Returns an error if errors occur.
If the Map SAML Groups and Roles option is enabled but no mappings exist, the response is empty.
If successful, returns a count of the available role mappings and the following information for each role mapping:
Field
Type
Description
count
String
Number of role mappings available.
roleMappings
-
Contains mapping information for each role mapping.
roleId
String
ID of the IDMC role.
roleName
String
Name of the IDMC role.
samlRoleNames
String
Names of the SAML roles.

GET response example

If successful, you might receive a response similar to the following example:
{
"count": 2,
"roleMappings": [
{
"roleId":"94247429",
"roleName:"Developer",
"samlRoleNames": [
"Data Designer", "MS Deployer"
]
},
{
"roleId":"142321",
"roleName:"Admin",
"samlRoleNames": "Operator"
}
]
}