About group membership mapping

When you use SAML SSO with Google as your IdP, some service provider applications need your users' group membership information to be included in the SAML response.

You can add group membership information on the attribute mapping page, available when configuring either pre-integrated SAML apps or a custom SAML app.

Rules to be aware of

  • The number of group names that can be included in the SAML response is limited to 75.
  • If a group is renamed (in the Admin console or via the Admin console API), you'll need to re-enter the group in the Group membership field to ensure the new group name is sent in the SAML response.

Mapping examples

The group membership information that gets sent in the SAML response for a particular user will depend on that user’s group memberships, as well as the group structure in your domain—for example, how groups are nested. 

Assume that the group names Group-1 and Group-2 are entered in the Group membership field during configuration.

When Group-1 and Group-2 are the configured groups, the following table shows how outcomes vary for different group membership scenarios:

| If the user is part of: | SAML response sends: |
|---|---|
| 50 groups, including Group-1, but not Group-2 | Group-1 |
| Group-2, and Group-2 is part of Group-1 | Group-1 and Group-2 |
| Group-3, and Group-3 is part of Group-1 | Group-1 |
| Group-1 and Group-2, and Group-2 is a member of Group-1 | Group-1 and Group-2 |
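
To preview which group names a service provider would receive for a user, the table's behaviour can be modelled as "configured groups the user holds directly or through nesting". This is an added example, not Google's implementation; the function names and the `parents` map (group to the groups it is a member of) are assumptions, and because this page does not say which names are dropped past the limit of 75, the sketch raises instead of truncating.

```python
from collections import deque

MAX_GROUPS_IN_RESPONSE = 75  # limit stated on this page

def effective_groups(user_groups, parents):
    """Return every group the user belongs to directly or through nesting.

    user_groups: groups the user is a direct member of.
    parents: dict mapping a group to the groups it is a member of (assumed shape).
    """
    seen = set(user_groups)
    queue = deque(user_groups)
    while queue:
        group = queue.popleft()
        for parent in parents.get(group, ()):
            if parent not in seen:  # also guards against nesting cycles
                seen.add(parent)
                queue.append(parent)
    return seen

def groups_in_response(configured, user_groups, parents):
    """Model: configured group names the user holds directly or indirectly."""
    held = effective_groups(user_groups, parents)
    sent = [g for g in configured if g in held]
    if len(sent) > MAX_GROUPS_IN_RESPONSE:
        # The page states the limit but not which names are dropped, so flag it.
        raise ValueError(f"{len(sent)} groups match; limit is {MAX_GROUPS_IN_RESPONSE}")
    return sent

# Constructed scenarios mirroring the four table rows.
CONFIGURED = ["Group-1", "Group-2"]
SCENARIOS = {
    "row1": (["Group-1"] + [f"Other-{i}" for i in range(49)], {}),
    "row2": (["Group-2"], {"Group-2": ["Group-1"]}),
    "row3": (["Group-3"], {"Group-3": ["Group-1"]}),
    "row4": (["Group-1", "Group-2"], {"Group-2": ["Group-1"]}),
}

def run_scenarios():
    return {name: groups_in_response(CONFIGURED, ug, p)
            for name, (ug, p) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, sent in run_scenarios().items():
        print(name, "->", sent)
```

Row 3 is the case to check before relying on a group name for authorization at the service provider: the user is never a direct member of Group-1, yet Group-1 is sent.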
