
The Organization and Role combination should be configured for each user, using the following IDP attribute format:

<Attribute Name="OrgAndRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>SPOTINST-OrganizationID-ADMIN</AttributeValue>
<AttributeValue>SPOTINST-OrganizationID-VIEWER</AttributeValue>
<AttributeValue>SPOTINST-OrganizationID-VIEWER</AttributeValue>
</Attribute>

Advanced – Overriding Role and Organization attributes via SAML Attribute

SAML Response attribute called "OrgAndRole" (ignore case). This attribute allows setting the organization id dynamically on each request, rather than once via RelayState. The attribute value is in the format: Spotinst-<orgid>-<role>.

This attribute will allow login into different organizations with the same user and the same IDP app, while setting the organization id dynamically.

Notes:
  • If OrgAndRole exists we override the RelayState and the Role (if Role provided as a different attribute).
  • OrgAndRole attribute and attribute value are case sensitive.
  • If a user logged in through SSO with a Role attribute, the role of that user will be set accordingly, which means that these settings affect both existing users and new users, e.g. an XML attribute:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Role">
  <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">ADMIN</saml:AttributeValue>
</saml:Attribute>

Supported Role attributes:

ADMIN – Equivalent to Account Editor

VIEWER – Account viewer

NO_ACCESS – No access to Spotinst console

Note: In this case, we’re providing an Account Admin role, meaning an Account Editor. This is not an Organization Admin.
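As an added example (not part of the original page or the Spotinst product code), the following Python shows how a service provider could interpret the attributes described above: the OrgAndRole attribute name is matched ignoring case, each value is parsed as Spotinst-<orgid>-<role>, and its presence overrides both the RelayState organization and the Role attribute. The sample assertion fragment is constructed; treating the "Spotinst-" prefix case-insensitively (the page writes both "SPOTINST-" and "Spotinst-") while comparing the role part case-sensitively is this example's assumption.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SUPPORTED_ROLES = {"ADMIN", "VIEWER", "NO_ACCESS"}
# Value format from the page: Spotinst-<orgid>-<role>. Prefix matched ignoring case;
# the role part is compared case-sensitively (this example's assumption, not a documented rule).
ORG_AND_ROLE_RE = re.compile(r"^spotinst-(?P<org>.+)-(?P<role>[A-Za-z_]+)$", re.IGNORECASE)

# Constructed sample assertion fragment carrying both a Role and an OrgAndRole attribute.
SAMPLE_ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>VIEWER</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="OrgAndRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>SPOTINST-org-111-ADMIN</saml:AttributeValue>
    <saml:AttributeValue>Spotinst-org-222-VIEWER</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def saml_attributes(assertion_xml):
    """Map attribute Name -> list of whitespace-stripped values from an AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def parse_org_and_role(value):
    """Return (org_id, role) for a well-formed Spotinst-<orgid>-<role> value, else None."""
    m = ORG_AND_ROLE_RE.match(value)
    if not m or m.group("role") not in SUPPORTED_ROLES:
        return None
    return (m.group("org"), m.group("role"))


def resolve_access(attrs, relay_state_org=None):
    """Return [(org_id, role), ...]; OrgAndRole (name matched ignoring case) overrides RelayState and Role."""
    org_and_role = next((v for k, v in attrs.items() if k.lower() == "organdrole"), None)
    if org_and_role:
        grants = [parse_org_and_role(v) for v in org_and_role]
        if None in grants:
            raise ValueError("malformed OrgAndRole value(s): %r" % org_and_role)
        return grants
    if relay_state_org is None:
        raise ValueError("no OrgAndRole attribute and no organization id in RelayState")
    # A Role attribute sets the user's role; without one, None means "leave the existing role".
    role = (attrs.get("Role") or [None])[0]
    if role is not None and role not in SUPPORTED_ROLES:
        raise ValueError("unsupported Role value: %r" % role)
    return [(relay_state_org, role)]
```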