SAML Attributes
Map SAML assertion attributes to FOSSA organization roles and team membership with the role and teams claims.
Overview
When a user signs in through a SAML identity provider, FOSSA can read attributes from the SAML assertion to set the user's organization role and synchronize their team membership. You define these attributes in your identity provider's claim mapping, alongside the rest of its SAML configuration.
Note
These attributes apply to SAML single sign-on, which must be enabled for your organization; SSO is a premium feature. You set the attributes in your identity provider; see your provider's setup guide, such as Active Directory Federation Service or Auth0.
How attribute provisioning works
Each time a user signs in through SAML, FOSSA reads the attribute statement in the assertion and applies two optional attributes:
rolesets the user's organization role.teamssynchronizes the teams the user belongs to.
FOSSA takes the user's email from the SAML Name ID and builds their display name from the firstName and lastName claims, your provider's setup guide covers mapping those.
Supported attributes
| Attribute | Sets | Accepted values | Multiple values? | Case sensitivity |
|---|---|---|---|---|
role | The user's organization role | admin, editor, or viewer (the three built-in roles), or the name of a custom organization role | No | Not case-sensitive |
teams | The user's team membership, synchronized on every login | A team name, or Team Name::Role Name to also set the user's role on that team | Yes, repeat the attribute to add the user to multiple teams | Team names are case-sensitive; role names are not |
Setting the organization role
The role attribute maps to one of the three built-in organization roles (admin, editor, or viewer) or to any custom organization role, matched by name. The value is not case-sensitive, so Admin and admin are equivalent.
Warning
If the value doesn't match a built-in or custom organization role, FOSSA doesn't apply it. New users fall back to your organization's default role.
Synchronizing team membership
On each login, FOSSA synchronizes the user's team membership to match the teams attribute exactly:
- Adds the user to every team listed.
- Creates a listed team that doesn't exist, only if your organization allows SAML to create missing teams. Otherwise the user is added only to teams that already exist.
- Removes the user from any team they currently belong to that isn't listed.
Set the user's role on a team with the format Team Name::Role Name (for example, Platform::Team Admin). If the role name can't be matched, FOSSA assigns that team's default role. Repeat the teams attribute to add the user to multiple teams. Team names are case-sensitive; role names are not.
Warning
Because each login replaces the user's membership with exactly the teams in the assertion, the user is removed from any team that isn't listed. Include every team the user should remain in.
Example
Note
Your SAML provider can use conditional logic to give different access levels to different teams, using the format Team Name::Role Name.
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string"> Admin </saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="teams" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string"> Team A::Team Admin </saml:AttributeValue> <saml:AttributeValue xsi:type="xs:string"> Team B </saml:AttributeValue> </saml:Attribute></saml:AttributeStatement>This assertion gives the user the admin organization role, makes them a Team Admin on Team A, and adds them to Team B with its default role.