User Management : SAML user management

SAML user management

This section describes how to manage users with SAML. For information about how to set up SAML, see the SSO Setup section of the Reference Manual. Once the identity provider and Orchestra have been configured to trust each other, follow these steps to give access rights to users:
1. All identity providers have their own instructions on how to define roles. For Azure AD, you can find a guide on how to create roles here (steps 1-7):
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management#create-roles-for-an-application
2. Once you have created roles, give a test user in the identity provider at least one role and one branch. This is done differently for each identity provider. In Azure AD, this is done in Enterprise Applications > <new application> > Users and groups > Add user.
3. In the User Management application, open the LDAP / SAML tab. To create a new mapping, click the Create New Mapping button.
Name – name of the role/group that should be mapped, exactly as the identity provider sends it.
Type – type of mapping: role, branch or branch group. Each must have a corresponding group in the identity provider.
Mapping – the Orchestra role, branch or branch group that the named group is mapped to.
Create a mapping for a test user. When done, click the Save button.
4. Try to log in with the test user. You should automatically be logged in and have access to the role(s) that you configured.
5. The last step is to assign the correct mapping to all users that should have access to Orchestra.
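The following is an added example, not part of the Orchestra documentation or Qmatic's own code. It shows the logic that the mapping table in step 3 expresses: the role/group names carried in a SAML assertion are matched against Name/Type/Mapping rows, and a user receives only the Orchestra roles, branches and branch groups that a row grants. Groups without a mapping grant nothing, and a user who ends up with no role or no branch is refused, matching the minimum from step 2. The assertion fragment, the mapping rows and the Azure AD role claim name are constructed or assumed for the example; validating the assertion's signature is assumed to have happened earlier, in the service provider.

```python
"""Added example: SAML group-to-Orchestra mapping, not Qmatic's code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: Azure AD app roles arrive under this default claim name.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed assertion fragment: the test user carries three IdP roles,
# one of which has no mapping in Orchestra.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Orchestra.Receptionist</saml:AttributeValue>
      <saml:AttributeValue>Orchestra.Branch.Stockholm</saml:AttributeValue>
      <saml:AttributeValue>Finance.Approver</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class Mapping:
    name: str    # group/role name as sent by the identity provider
    type: str    # "role", "branch" or "branch group"
    target: str  # the Orchestra role, branch or branch group it grants


# Constructed mapping table: one row per entry created with Create New Mapping.
MAPPINGS = [
    Mapping("Orchestra.Receptionist", "role", "Receptionist"),
    Mapping("Orchestra.Branch.Stockholm", "branch", "Stockholm"),
    Mapping("Orchestra.Region.North", "branch group", "North"),
]


@dataclass
class Access:
    roles: set = field(default_factory=set)
    branches: set = field(default_factory=set)
    branch_groups: set = field(default_factory=set)
    unmapped: set = field(default_factory=set)  # IdP groups with no mapping row


def extract_groups(assertion_xml, claim=ROLE_CLAIM):
    """Return the values of the role claim from an already verified assertion."""
    root = ET.fromstring(assertion_xml)
    groups = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text:
                    groups.add(value.text.strip())
    return groups


def resolve_access(idp_groups, mappings):
    """Apply the mapping table; a group without a row grants nothing."""
    by_name = {m.name: m for m in mappings}
    access = Access()
    for group in idp_groups:
        row = by_name.get(group)  # exact, case-sensitive match in this example
        if row is None:
            access.unmapped.add(group)
        elif row.type == "role":
            access.roles.add(row.target)
        elif row.type == "branch":
            access.branches.add(row.target)
        elif row.type == "branch group":
            access.branch_groups.add(row.target)
    return access


def can_log_in(access):
    """Minimum from step 2: at least one role and at least one branch.
    Assumption: a mapped branch group also satisfies the branch requirement."""
    return bool(access.roles) and bool(access.branches or access.branch_groups)


if __name__ == "__main__":
    access = resolve_access(extract_groups(SAMPLE_ASSERTION), MAPPINGS)
    print("roles:", sorted(access.roles))
    print("branches:", sorted(access.branches))
    print("unmapped (ignored):", sorted(access.unmapped))
    print("login allowed:", can_log_in(access))
```

When testing step 4, the unmapped set is the useful diagnostic: a user who can log in but lacks an expected role usually has a group name that differs from the mapping Name by case or spelling, and a user who is refused usually has a role mapping but no branch mapping, or the reverse.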