> Automatically sync group membership with your SAML Identity Provider (IdP).

# Group provisioning

## 1. Create desired groups in the IdP

<Frame>
  <img src="https://mintcdn.com/datafold/BHI8Zy_v4DyXlmzL/images/okta_groups-61f1b6cf7b4075477ff1275ceeea6d09.png?fit=max&auto=format&n=BHI8Zy_v4DyXlmzL&q=85&s=7b1a4b911b31f70a7d7db3b95739586c" width="2206" height="1138" data-path="images/okta_groups-61f1b6cf7b4075477ff1275ceeea6d09.png" />
</Frame>

## 2. Assign the desired users to groups

Assign the relevant users to groups reflecting their roles and permissions.

## 3. Configure the SAML SSO provider

Configure your SAML SSO provider to include a `groups` attribute. This attribute should list all the groups you want to sync.

```xml
<!-- Tail of a SAML response; the elements that precede the groups attribute are omitted -->
    <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">datafold_admin</saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">datafold_read_write</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
```

<Frame>
  <img src="https://mintcdn.com/datafold/9DgdnO4sVNte36u-/images/saml_groups_attribute-00b426150ceab3149d619b067aee26fc.png?fit=max&auto=format&n=9DgdnO4sVNte36u-&q=85&s=7754980607aca71912bd8372bd5500a4" width="1536" height="580" data-path="images/saml_groups_attribute-00b426150ceab3149d619b067aee26fc.png" />
</Frame>

## 4. Map IdP groups to Datafold groups

<Frame>
  <img src="https://mintcdn.com/datafold/Q7OqZ4fuuETHBSvX/images/datafold_group-f66ae2d5b9f378e444f70d1b5851dfaf.png?fit=max&auto=format&n=Q7OqZ4fuuETHBSvX&q=85&s=30af41ee0d9f1d6d35f0f5103e7df359" width="1534" height="828" data-path="images/datafold_group-f66ae2d5b9f378e444f70d1b5851dfaf.png" />
</Frame>

The `datafold_admin` group, created in the IdP through [step 1](#1-create-desired-groups-in-the-idp), will be automatically synced. Users in this IdP group will also be members of the corresponding group in Datafold.

**Note:** Manual Datafold user group memberships will be overridden upon the user's next login to Datafold. Therefore, group memberships should be managed exclusively within the IdP once the `groups` attribute is configured.
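Because group memberships follow the `groups` attribute once it is configured, it helps to confirm what the IdP actually sends for a test user before relying on the sync. The script below is an added example, not Datafold's own code: it reads the `groups` attribute from a decoded assertion and compares the values with the IdP group names you mapped in step 4. The sample assertion, the `MAPPED_GROUPS` set (including `datafold_viewonly`) and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal, unsigned assertion for a test user.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>datafold_admin</saml2:AttributeValue>
      <saml2:AttributeValue> datafold_read_write </saml2:AttributeValue>
      <saml2:AttributeValue>engineering</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Assumption: the IdP group names that were mapped to Datafold groups in step 4.
MAPPED_GROUPS = {"datafold_admin", "datafold_read_write", "datafold_viewonly"}


def extract_groups(assertion_xml, attribute_name="groups"):
    """Return the values of the named attribute, or None if it is absent."""
    # Inspection only: this does not verify the assertion's signature.
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:  # exact match on Name
            values = attr.iterfind("saml2:AttributeValue", SAML_NS)
            return [(v.text or "").strip() for v in values]
    return None


def check_groups(assertion_xml, mapped=MAPPED_GROUPS):
    """Compare the groups an assertion carries against the mapped names."""
    sent = extract_groups(assertion_xml)
    if sent is None:
        return {"attribute_present": False, "matched": [], "unmapped": []}
    sent_set = {g for g in sent if g}
    return {
        "attribute_present": True,
        "matched": sorted(sent_set & mapped),
        "unmapped": sorted(sent_set - mapped),
    }


if __name__ == "__main__":
    print(check_groups(SAMPLE_ASSERTION))
```

An `attribute_present` of `False`, or an expected group name appearing under `unmapped`, points to a mismatch between the IdP attribute configuration in step 3 and the mapping in step 4.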

## Example configuration

Here's how you might configure three groups to map to the three default Datafold groups, `admin`, `default` and `viewonly`:

<Frame>
  <img src="https://mintcdn.com/datafold/Q7OqZ4fuuETHBSvX/images/datafold_groups-5e7f4e7afb9d99dee113a03b8599040a.png?fit=max&auto=format&n=Q7OqZ4fuuETHBSvX&q=85&s=c2f082b931c0619c6c740eb0269f2a48" width="1934" height="758" data-path="images/datafold_groups-5e7f4e7afb9d99dee113a03b8599040a.png" />
</Frame>
