Importing Roles or Groups from your Identity Provider

env0 Teams can be synced with your Identity Provider's (IdP) roles or groups.

For example, in Okta, the "Group Attribute Statements" setting determines which groups get synced into env0 and mapped to env0 Teams.

Teams Sync

Whenever a user logs in, env0 will sync the env0 Team based on the user's group membership. Internally, we look for one of the following fields in the SAML response:

  1. teams
  2. groups

Those fields can be either an array of strings or a comma-separated string, for example:

  1. ["groupA", "groupB", "groupbC"]
  2. "groupA,groupB,groupbC"

Whenever a user logs in, if the env0 Team already exists (we check if a team with the same name already exists), the user will be added as a member to the Team, and thus have the same Project Roles based on previous assignments.
Whenever a user is removed from a group, their team membership is also updated to help reflect their membership status.

The env0 Team can then be assigned an env0 Project Role in the Project Settings.

Teams Syncing

Teams will be synced each time a user logs in, with the following logic:

  1. env0 will create a new team, if one doesn't exist, based on the group name we received from the SAML provider.
  2. If the team exists in env0, we will not create a new team.
  3. We will assign the user to all the teams in env0 based on the group names he/she is part of in the SAML provider.
  4. If the user was removed from a group in the SAML provider, we will remove him/her from the team in env0.

Teams Filtering

If you have a lot of groups in your identity provider and only a few of them are relevant for env0, you can control which groups are synced to env0 and which are not. Please contact us to configure this feature.

Admin Roles

In addition, env0 can also assign specific teams as Organization Admins automatically from your SAML provider. This advanced new feature can come in handy if you have (or plan to have) groups that contain all the users who should be Organization Admins on env0.
You can read more about user roles in env0 here.

Whenever the user logs in to env0, we will search for the pre-configured group name of your choice, and if the user is part of that group, we will promote him to an Organization Admin.
Whenever a user is removed from that specific group, he will be demoted to a regular user role in your organization.

In order to configure this feature please contact us.

Admin Roles

If you enabled this feature, any manual role changes you made to a user might be overridden automatically by this process.
The user role is only updated upon logging into env0.
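
The four rules under Teams Syncing and the promotion rule under Admin Roles can be modelled as a dry-run planner that shows what a single login would change. This is an added example, not env0's code: the function names, the teams-before-groups lookup order, the whitespace trimming, and the premise that the listed memberships all came from sync are assumptions.

```python
# Added illustration of the documented sync rules; not env0's own code.

def parse_groups(attributes):
    """Return group names from the 'teams' or 'groups' SAML attribute.

    Assumptions: 'teams' is checked before 'groups' (the order the page
    lists them) and whitespace around names is ignored.
    """
    for field in ("teams", "groups"):
        value = attributes.get(field)
        if value is None:
            continue
        if isinstance(value, str):          # "groupA,groupB" form
            value = value.split(",")
        names = [str(v).strip() for v in value]
        return [n for n in dict.fromkeys(names) if n]  # dedupe, keep order
    return []


def plan_sync(attributes, existing_teams, synced_memberships, admin_group=None):
    """Dry run of one login: which teams are created, joined and left.

    Assumption: synced_memberships holds only teams the user joined via sync.
    """
    groups = parse_groups(attributes)
    plan = {
        "create": [g for g in groups if g not in existing_teams],    # rules 1-2
        "join": [g for g in groups if g not in synced_memberships],  # rule 3
        "leave": sorted(set(synced_memberships) - set(groups)),      # rule 4
    }
    if admin_group is not None:  # Admin Roles: evaluated at login only
        plan["role"] = ("Organization Admin" if admin_group in groups
                        else "regular user")
    return plan


if __name__ == "__main__":
    # Constructed sample: attributes as they might arrive in a SAML response.
    sample = {"groups": "groupA, groupB"}
    print(plan_sync(sample, existing_teams={"groupA"},
                    synced_memberships={"groupA", "old-team"},
                    admin_group="groupB"))
```

Under this model, an assertion that carries an empty group list removes every synced membership and yields the regular user role, so it is worth checking the IdP's group attribute output before enabling the admin group.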