Vantage Launches Automatic Team Assignment for SSO Authentication

by Vantage Team


SSO-based team assignment

Today, Vantage announces the ability to automatically assign users to teams based on their SSO groups. This allows customers who have already set up groups in their SSO systems to have those groups mirrored as teams in Vantage, with no additional work. This feature can be used by Enterprise customers who have set up an SSO integration.

Before, account owners could set up teams in Vantage and assign users to those teams manually; however, it is common for customers to already have teams defined in existing identity providers (e.g., Okta, Azure AD). This resulted in account owners having to duplicate work to ensure their users in Vantage were assigned to the appropriate teams.

Now, customers have the ability to enable SSO team assignment, which automatically assigns users to teams that match the name of a corresponding SSO group, assuming those teams have already been created in Vantage. This feature ensures a seamless, automated team management process. Customers can now configure their teams’ access based on existing groups in their identity provider (IdP)—thus streamlining workflows and enhancing overall efficiency. Vantage will match on the case-sensitive name of the SSO group, using the groups field in the SSO payload. If a team name in Vantage matches that group name, the user will be placed into that team. If your team names in Vantage do not match your IdP, or you want multiple groups to be on the same team, you can create custom mappings.

The new SSO Team Assignment feature.

This feature is now available for all customers in the Enterprise tier. To get started, head over to the Authentication page, and enable the Team Assignment option. Users will be mapped into the appropriate teams during their next login. For more information on how to get started, see the SSO product documentation.

Frequently Asked Questions

1. What is being launched today?

Today, Vantage is launching SSO-Based Team Assignment—the ability to have users automatically placed into teams based on their IdP’s groups.

2. Who is the customer?

The customer is anyone in the Enterprise tier who is using teams and has an SSO connection.

3. How much does this cost?

There is no additional cost to using SSO, teams, or team assignment. It is available as part of your Enterprise subscription to Vantage.

4. I am not in the Enterprise tier—what is my experience?

Your experience will remain unchanged.

5. How do I enable this feature?

Visit the Authentication page, and enable SSO Team Assignment. You can also, optionally, add custom team name mappings.

6. How do I remap team names?

From the Authentication page, after team assignment is turned on, you can add as many team mappings as you want. The SSO Group Name should match the corresponding name in your IdP. Then, you can select the Vantage Team from the dropdown. The mapping is case-sensitive.

Custom team mappings within the Vantage console.

7. Does this remove a user from teams?

Yes, if enabled, this will remove users from teams whose matching group is no longer present in their SSO groups. If you need assistance with this transition, you can contact support@vantage.sh.

The Everyone team will remain untouched.

8. Which SSO connection types and providers are supported?

As long as your IdP can pass a groups attribute in the payload, it is supported. For some providers, like Okta, you need to enable group mapping in your Vantage application. If you need help with your specific IdP, you can contact support@vantage.sh.

An example from Okta:

Example of enabling the group attribute in Okta.

9. Does Vantage support SCIM?

At this time, Vantage does not support SCIM, and all updates are made when the user signs in to the platform.

10. What role does the user have on the Team when they are automatically assigned?

Users will be assigned the Default User Role, which is configured on the SSO connection.

11. Which role is required to modify custom mappings?

The Account Owner role is required to modify authentication settings.

12. How often are teams updated?

A user’s teams are updated on every login.

13. What happens if a user logs in with a group that doesn’t match any Vantage team? Will I get notified if I’m missing a team on the Vantage side?

No, missing teams will not be surfaced, as there can be several groups in your IdP that will not carry over to Vantage. If you need help debugging this, you can contact support@vantage.sh.

14. What is the best workflow for testing this functionality?

We recommend enabling the group mapping in your IdP first, and verifying in your IdP that the appropriate groups are being sent in the payload. Then, enable the functionality in Vantage.
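
The matching rules described above (case-sensitive group names, custom mappings, removal on login, the untouched Everyone team) can be rehearsed as a dry run against a groups list taken from your IdP before you enable the feature. This is an added example, not Vantage's code; the function names, the sample groups and teams, and the rule that a custom mapping is consulted before the exact-name match are assumptions.

```python
# Added example: dry run of name-based team assignment. Not Vantage's code.
EVERYONE = "Everyone"  # per the FAQ, this team is never touched


def resolve_teams(sso_groups, vantage_teams, custom_mappings=None):
    """Return (matched_teams, unmatched_groups) for one login's groups claim.

    Assumption: a custom mapping for a group is consulted before the
    exact-name match. All comparisons are case-sensitive, as on the page.
    """
    custom_mappings = custom_mappings or {}
    matched, unmatched = set(), []
    for group in sso_groups:
        team = custom_mappings.get(group, group)
        if team in vantage_teams:
            matched.add(team)
        else:
            unmatched.append(group)
    return matched, unmatched


def plan_login(current_teams, sso_groups, vantage_teams, custom_mappings=None):
    """Compute the membership change a login would cause, plus debug hints."""
    matched, unmatched = resolve_teams(sso_groups, vantage_teams, custom_mappings)
    matched -= {EVERYONE}
    current = set(current_teams) - {EVERYONE}
    # Flag groups that differ from a team name only by case: these fail silently.
    by_lower = {t.lower(): t for t in vantage_teams}
    case_hints = {g: by_lower[g.lower()] for g in unmatched if g.lower() in by_lower}
    return {
        "add": sorted(matched - current),
        "remove": sorted(current - matched),
        "unmatched_groups": unmatched,
        "case_mismatch": case_hints,
    }


# Constructed sample data (hypothetical names, not from the page).
TEAMS = {"Everyone", "Platform", "FinOps", "Data"}
MAPPINGS = {"eng-platform": "Platform", "eng-sre": "Platform"}
GROUPS = ["eng-sre", "finops", "Data", "hr-all"]

if __name__ == "__main__":
    plan = plan_login(["Everyone", "FinOps", "Data"], GROUPS, TEAMS, MAPPINGS)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

In the sample, the user would lose FinOps because the IdP sends `finops` in lower case; the `remove` and `case_mismatch` entries are the ones to review before turning team assignment on.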