Managing SSO group mappings


Only runZero administrators can automatically map users to user groups using SSO attributes and custom rules.

SSO group mapping allows you to map your SAML attributes to user groups in runZero. In runZero, user groups explicitly set the organizational role and determines the tasks users can perform within each organization. When you set up SSO group mappings, you explicitly define the SSO attribute and value you want to use for mapping. If there is a match, runZero will apply the group settings for the user. As a result, you can ensure that SSO users are mapped to their respective groups in runZero.

For example, your IT team may need to be part of a group with administrator privileges. In this case, you can create a user group with an administrator role and then create an SSO group mapping that maps the SAML attribute that identifies your IT team to the user group. When someone from your IT team logs in to runZero, they will automatically be added with the appropriate access and permissions, all without pre-provisioning their account. After evaluating all SSO group mapping rules, runZero grants the user the highest privilege assigned for each organization.

Creating SSO group mappings

Before you create your SSO group mapping, make sure that you have set up SSO for your organization and created user groups. Both must be set up in order to successfully create SSO group mappings.

Only runZero super users can create SSO group mappings.

  1. Go to Your team > SSO settings > Group mappings > Add group mapping.
  2. In the SSO attribute field, enter the attribute you want to check for matching values. These values are defined in your SSO configuration.
  3. In the SSO value field, provide a comma separated list of values that the attribute could match. When there is a match, runZero will apply the group permissions.
  4. Click the Group dropdown and choose the user group that will be assigned if there is a match. The dropdown will list all user groups that have been created.
  5. Save the SSO group mapping. These settings will apply the next time the user logs in to runZero.

Changes will not apply to users currently logged in. They will need to log out and log back in for the changes to take effect. You can force log out users to apply the SSO group mappings immediately.

Forcing a user to log out

Changes to user permissions will not apply until the user logs out and logs back in to runZero. If you need to apply permissions immediately after setting up the SSO group mappings, you can force log out users. This will log users out of their current session and require them to log back in again. After they log in, their updated permissions will be applied. Only super users and admins who have access to all organizations can force logouts.

To force log out users, go to the Teams page and select the users you want to log out. Click the sign-out button to log these users out.

Viewing SSO group mappings

To view all SSO group mappings that have been created, you can go to the Group mappings page. From this page, you can create, edit, or delete group mappings as needed.

Viewing SSO group mapping assignments

To see the SSO groups that a user has been assigned to, go to the Users page. From the Groups column, you can see the number of user groups and SSO groups the user is a part of. The number of SSO groups will be in parentheses.

Clicking the gear icon under actions will open the user settings for the user. The access summary tab will then display all of the organizations and roles they have assigned.

Deleting a group mapping

  1. Go to the Group mappings page.
  2. Select the group you want to delete and click the Delete button. All users provisioned through the group mapping will revert back to their account-level permissions.

Searching for SSO group mappings

When you are on the Group mappings page, you can use the following keywords to search in the table:

Keyword Description Example
id User’s ID. id:123456789
sso_attribute User’s SSO attribute. sso_attribute:department
sso_value User SSO attribute value. sso_value:securityteam
created_at Time or date user group was created. created_at:>2weeks
updated_at Time or date user group was last updated. updated_at:>1year
created_by_email Email of user who created the group.
group_id User group ID. group_id:123456789
group_name User group’s name. group_name:group1

Group IDs can be found in the URL for the group config page (

The group_id keyword is only available for the Users table; for the groups table, use id.

The group_name keyword is only available for the Users table.