Can users be added to Asset Bank groups based on the remote groups they are in?

If your Asset Bank is configured to integrate with SAML SSO or an LDAP server, you can map each Asset Bank group to one or more groups in your own directory (referred to as "remote" groups), so that users are automatically assigned to the relevant Asset Bank groups when they log in.

How it works

When users are retrieved from the LDAP server, Asset Bank looks at the user's 'memberOf' attribute. This means that the group mapping feature only works with LDAP servers that support 'memberOf', for example Microsoft Active Directory. The 'memberOf' attribute should contain the DNs of all groups the user is a member of. Asset Bank then compares these with the DN information entered for each of its own groups, and the user is automatically added to every group that matches.

Note that at the moment only groups explicitly listed in the 'memberOf' attribute are taken into account - Asset Bank does not traverse nested groups. Users are therefore only added to Asset Bank groups that correspond to LDAP groups they are directly a member of; they are not added to Asset Bank groups that correspond to LDAP groups they belong to indirectly through group nesting.

When a user is authenticated via SAML SSO, Asset Bank retrieves the group attribute that has been mapped in the Identity Provider (please refer to the SAML options in the SSO knowledge base article) and automatically assigns the user to the groups whose 'Remote Group(s)' mapping matches.

Note that with both of the authentication methods described above, users are added to every Asset Bank group whose mapping matches their authentication data and removed from any mapped group whose remote group is no longer present in that data. Groups that are not mapped (i.e. have no 'Remote Group(s)' mapping information) are never affected by this functionality.

Configuring group mappings

When adding or editing an Asset Bank group (Admin > Groups > "Group In Question" > [edit]) you can specify the group name or DN of one or more remote groups in the 'Remote Group(s)' box.

To use multiple group names or DNs in the 'Remote Group(s)' box, set the remote-group-mapping-delimiter setting in the ApplicationSettings.properties file (the default value is %%). You can then use this character or string to separate multiple group names or DNs within a single 'Remote Group(s)' box.

remote-group-mapping-delimiter=%%

To use wildcard matching, set the remote-group-mapping-wildcard setting in the ApplicationSettings.properties file (the default value is *). You can then use this character or string as a wildcard in the 'Remote Group(s)' box.

remote-group-mapping-wildcard=*


When using SAML SSO you also need to enable the following setting so that the group assignment is updated every time a user logs in via SSO:

update-remote-users-groups-on-sso-login=true
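The following Python script is an added example, not Asset Bank code, that works through the matching rules described above: it splits a 'Remote Group(s)' box on the configured delimiter, treats the configured wildcard as "match anything", compares the patterns against the DNs found in a user's 'memberOf' attribute (or the SAML group attribute), and then adds and removes only mapped groups while leaving unmapped groups untouched. The user DNs, Asset Bank group names and mappings are constructed sample data, and the case-insensitive DN comparison is an assumption of the example rather than documented product behaviour.

```python
import re

# Defaults from ApplicationSettings.properties as described in the article.
DELIMITER = "%%"  # remote-group-mapping-delimiter
WILDCARD = "*"    # remote-group-mapping-wildcard


def parse_remote_groups(mapping, delimiter=DELIMITER):
    """Split the contents of a 'Remote Group(s)' box into individual patterns.

    An empty or missing box means the group is unmapped and returns [].
    """
    if not mapping:
        return []
    return [p.strip() for p in mapping.split(delimiter) if p.strip()]


def pattern_to_regex(pattern, wildcard=WILDCARD):
    """Turn one remote-group pattern into an anchored regex.

    Everything except the wildcard is escaped literally, so characters that
    are common in DNs (',', '=', '.') are never interpreted as regex syntax.
    Case-insensitive matching is an assumption of this example.
    """
    parts = pattern.split(wildcard)
    body = ".*".join(re.escape(part) for part in parts)
    return re.compile("^" + body + "$", re.IGNORECASE)


def matches_any(patterns, remote_groups, wildcard=WILDCARD):
    """True if any pattern matches any of the user's remote group values."""
    regexes = [pattern_to_regex(p, wildcard) for p in patterns]
    return any(rx.match(rg) for rx in regexes for rg in remote_groups)


def resolve_group_membership(current_groups, user_remote_groups, asset_bank_groups,
                             delimiter=DELIMITER, wildcard=WILDCARD):
    """Compute the user's Asset Bank groups after one login.

    current_groups:     set of Asset Bank group names the user is in now
    user_remote_groups: DNs/names from 'memberOf' or the SAML group attribute
    asset_bank_groups:  dict of Asset Bank group name -> 'Remote Group(s)' text
    Returns (new_membership, added, removed).
    """
    membership = set(current_groups)
    added, removed = set(), set()
    for name, mapping in asset_bank_groups.items():
        patterns = parse_remote_groups(mapping, delimiter)
        if not patterns:
            continue  # unmapped group: never added or removed by this process
        if matches_any(patterns, user_remote_groups, wildcard):
            if name not in membership:
                membership.add(name)
                added.add(name)
        elif name in membership:
            membership.remove(name)
            removed.add(name)
    return membership, added, removed


# Constructed sample data. Only *direct* memberships appear in 'memberOf';
# the user also belongs to "All Company" via nesting, but that is not listed.
USER_MEMBER_OF = [
    "CN=Marketing,OU=Groups,DC=example,DC=com",
    "CN=Photo Editors,OU=Groups,DC=example,DC=com",
]

ASSET_BANK_GROUPS = {
    "Marketing": "CN=Marketing,OU=Groups,DC=example,DC=com",
    # two DNs separated by the delimiter
    "Editors": "CN=Photo Editors,OU=Groups,DC=example,DC=com"
               "%%CN=Video Editors,OU=Groups,DC=example,DC=com",
    # wildcard on the CN component
    "All Staff": "CN=*,OU=Groups,DC=example,DC=com",
    "Finance": "CN=Finance,OU=Groups,DC=example,DC=com",
    # mapped, but the user is only a member through a nested group
    "Everyone": "CN=All Company,OU=Groups,DC=example,DC=com",
    # no mapping at all: must survive the sync untouched
    "Local Admins": "",
}

# The user was previously put in Finance (stale) and Local Admins (manual).
CURRENT_MEMBERSHIP = {"Finance", "Local Admins"}


def demo():
    return resolve_group_membership(CURRENT_MEMBERSHIP, USER_MEMBER_OF, ASSET_BANK_GROUPS)


if __name__ == "__main__":
    membership, added, removed = demo()
    print("membership:", sorted(membership))
    print("added:     ", sorted(added))
    print("removed:   ", sorted(removed))
```

Running the script shows Marketing, Editors and All Staff being added, the stale Finance membership being removed, Local Admins surviving because it has no mapping, and Everyone not being granted because nested membership is invisible in 'memberOf'. The same resolver can be pointed at the list of group values extracted from a SAML response to reason about SSO logins.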

Troubleshooting

If this process is not working as expected then try the following:

  • Check that you have entered the full group name or DN (Distinguished Name) of the LDAP group when editing the Asset Bank group.
  • Check that the group field (e.g. 'memberOf') for a sample user does indeed contain the groups you expect.

It is useful to check the above values using a Java LDAP browser (such as JXplorer) or the SAML authentication response on the Asset Bank server.

