The Account and Role combination should be configured for each user, using the following IdP format:

<Attribute Name="AccAndRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

Advanced – Overriding Role and Organization attributes via SAML Attribute

A SAML response attribute called "OrgAndRole" (ignore case). The parameter allows setting the organization ID dynamically on each request, rather than once as a RelayState. The parameter value is in the format: Spotinst-<orgid>-<role>.

This attribute allows logging in to different organizations with the same user and the same IdP app, while setting the organization ID dynamically.

  • If AccAndRole exists, it overrides the RelayState and the Role (if Role is provided as a separate attribute).
  • The AccAndRole attribute name and attribute value are case sensitive.
  • If a user logs in through SSO with a Role attribute, the role of that user is set accordingly, which means that these settings affect both existing users and new users. For example, an XML attribute:

<saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
     <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ADMIN</saml:AttributeValue>
</saml:Attribute>

Supported Role attribute values:

ADMIN – Equivalent to Account Editor

VIEWER – Account viewer

NO_ACCESS – No access to Spotinst console
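
The precedence and format rules above can be checked against an IdP's emitted attributes before rollout. The following Python lint is an added example, not Spotinst code: it follows the bullet rules (exact-case AccAndRole, Spotinst-<orgid>-<role>, the three supported roles). The sample org ID, the function names, the single-value requirement and the idea that RelayState carries the organization ID are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SUPPORTED_ROLES = {"ADMIN", "VIEWER", "NO_ACCESS"}  # role values listed on this page
PREFIX = "Spotinst-"

# Constructed sample (org ID is a placeholder): AccAndRole and Role disagree.
SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{NS}">
  <saml:Attribute Name="AccAndRole"><saml:AttributeValue>Spotinst-EXAMPLE-ORG-1-VIEWER</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Role"><saml:AttributeValue>ADMIN</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def parse_acc_and_role(value):
    """Split 'Spotinst-<orgid>-<role>' into (orgid, role); matching is case sensitive."""
    if not value.startswith(PREFIX):
        raise ValueError(f"missing '{PREFIX}' prefix: {value!r}")
    org_id, sep, role = value[len(PREFIX):].rpartition("-")  # role is the last field
    if not sep or not org_id:
        raise ValueError(f"expected Spotinst-<orgid>-<role>: {value!r}")
    if role not in SUPPORTED_ROLES:
        raise ValueError(f"unsupported role {role!r} in {value!r}")
    return org_id, role

def attributes(statement_xml):
    """Map attribute Name -> values. Config lint only: no signature validation."""
    root = ET.fromstring(statement_xml)
    out = {}
    for attr in root.iter(f"{{{NS}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{NS}}}AttributeValue")]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out

def effective_access(statement_xml, relay_state_org=None):
    """Resolve (orgid, role): AccAndRole overrides both RelayState and Role."""
    attrs = attributes(statement_xml)
    if "AccAndRole" in attrs:  # exact-case name match
        values = attrs["AccAndRole"]
        if len(values) != 1:  # assumption: this lint treats multiple values as ambiguous
            raise ValueError("expected exactly one AccAndRole value")
        return parse_acc_and_role(values[0])
    role = (attrs.get("Role") or [None])[0]
    if role is not None and role not in SUPPORTED_ROLES:
        raise ValueError(f"unsupported Role value {role!r}")
    return relay_state_org, role

if __name__ == "__main__":
    print(effective_access(SAMPLE, relay_state_org="OTHER-ORG"))
```

Running the lint over each user's attribute mapping shows which role actually wins when AccAndRole and Role disagree, which is the case most likely to grant more access than intended.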