Configure External Groups
You must configure specific SAML attributes in your IdP to allow users to inherit roles from their assigned external groups. The Groups attribute is required for external group role inheritance to function correctly.
Required SAML Attributes
| Attribute | Alternative Names | Format | Description |
|---|---|---|---|
| User.MemberOf | groups, groupNames | | This value is required. Without this value, users will not be mapped to a user role in Illumio Console. |
| User.FirstName | firstName | | User's first name |
| User.LastName | lastName | | User's last name |
| User.Email | | | User's email address |
| SAML_SUBJECT | | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | SAML NameID. The value should be the user's email address. |
Important
Illumio Console requires the email submitted at login to match the email address that is returned in the SAML attributes. Ensure that the SAML_SUBJECT and User.Email values are configured to match the user's email address.
Note
The Groups attribute (User.MemberOf, groups, or groupNames) is required for external group functionality. If a user's SAML assertion does not include it, that user will not inherit roles from their external group assignments.
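The following script is an added example, not Illumio's own code or part of this documentation. It parses a constructed (not captured) SAML 2.0 assertion and reports whether the attributes listed in the table are present and whether the NameID (SAML_SUBJECT) matches User.Email, which is the check an administrator would want to run against an IdP test assertion before enabling group-based role inheritance. The function names, the sample group names and the sample addresses are all assumptions; the assertion is unsigned and unencrypted, so signature validation is out of scope here.

```python
"""Check a SAML assertion for the attributes Illumio Console expects.

Added example, not Illumio's own code. Parses a constructed SAML 2.0
assertion (unsigned, unencrypted) and reports missing attributes and a
NameID / User.Email mismatch, per the table above.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Accepted attribute names, taken from the table above (primary name first).
GROUP_ATTRS = ("User.MemberOf", "groups", "groupNames")
FIRST_NAME_ATTRS = ("User.FirstName", "firstName")
LAST_NAME_ATTRS = ("User.LastName", "lastName")
EMAIL_ATTRS = ("User.Email",)

# Constructed sample assertion (hypothetical issuer, user and group names).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.MemberOf">
      <saml:AttributeValue>Illumio-Admins</saml:AttributeValue>
      <saml:AttributeValue>Illumio-Viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Return (NameID text or None, {attribute name: [values]})."""
    root = ET.fromstring(assertion_xml)
    name_id_el = root.find("saml:Subject/saml:NameID", SAML_NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return name_id, attrs


def first_present(attrs: Dict[str, List[str]], names: Tuple[str, ...]) -> List[str]:
    """Values of the first accepted name that carries at least one value."""
    return next((attrs[n] for n in names if attrs.get(n)), [])


def check_assertion(assertion_xml: str) -> dict:
    """Report the problems an administrator would need to fix in the IdP."""
    name_id, attrs = parse_attributes(assertion_xml)
    problems: List[str] = []

    groups = first_present(attrs, GROUP_ATTRS)
    if not groups:
        problems.append("missing Groups attribute (User.MemberOf, groups or groupNames): "
                        "no role will be mapped")

    emails = first_present(attrs, EMAIL_ATTRS)
    email = emails[0] if emails else None
    if email is None:
        problems.append("missing User.Email")
    if name_id is None:
        problems.append("missing NameID (SAML_SUBJECT)")
    elif email is not None and name_id != email:
        # Exact comparison; whether the Console normalizes case is not stated on the page.
        problems.append(f"NameID {name_id!r} does not match User.Email {email!r}")

    if not first_present(attrs, FIRST_NAME_ATTRS):
        problems.append("missing User.FirstName / firstName")
    if not first_present(attrs, LAST_NAME_ATTRS):
        problems.append("missing User.LastName / lastName")

    return {"name_id": name_id, "email": email, "groups": groups, "problems": problems}


if __name__ == "__main__":
    result = check_assertion(SAMPLE_ASSERTION)
    print("groups:", result["groups"])
    print("problems:", result["problems"] or "none")
```

Feed the script the decoded assertion from your IdP's test login (most IdPs expose a "preview" or "test" assertion); an empty problems list means every attribute the table requires is present under one of its accepted names and the SAML_SUBJECT value equals User.Email.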