1. Create desired groups in the IdP

2. Assign the desired users to groups

Assign the relevant users to groups reflecting their roles and permissions.

3. Configure the SAML SSO provider

Configure your SAML SSO provider to include a groups attribute. This attribute should list all the groups you want to sync. 
  <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">datafold_admin</saml2:AttributeValue><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">datafold_read_write</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>

4. Map IdP groups to Datafold groups

The datafold_admin group, created in the IdP through step 1, will be automatically synced. Users in this IdP group will also be members of the corresponding group in Datafold. Note: Manual Datafold user group memberships will be overridden upon the user’s next login to Datafold. Therefore, group memberships should be managed exclusively within the IdP once the groups attribute is configured.

Example configuration

Here’s how you might configure three groups to map to the three default Datafold groups, admin, default and viewonly: