---
title: "Managing SSO group mappings"
date: 2022-03-08
---

<!-- license: platform -->

<div class="alert alert-warning">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"></path><line x1="12" y1="9" x2="12" y2="13"></line><line x1="12" y1="17" x2="12.01" y2="17"></line></svg>
<div class="alert-body">
Only runZero administrators can automatically map users to user groups using SSO attributes and custom rules.
</div>
</div>

((SSO group mapping)) allows you to map your ((SAML)) attributes to user groups in runZero. In runZero, user groups explicitly set the organizational [role](managing-your-team.md) and determine the tasks users can perform within each organization. When you set up SSO group mappings, you explicitly define the SSO attribute and value you want to use for mapping. If there is a match, runZero will apply the group settings for the user. As a result, you can ensure that SSO users are mapped to their respective groups in runZero.

For example, your IT team may need to be part of a group with administrator privileges. In this case, you can create a user group with an administrator role and then create an SSO group mapping that maps the SAML attribute that identifies your IT team to the user group. When someone from your IT team logs in to runZero, they will automatically be added with the appropriate access and permissions, all without pre-provisioning their account. After evaluating all SSO group mapping rules, runZero grants the user the highest privilege assigned for each organization.

## Creating SSO group mappings 

Before you create your SSO group mapping, make sure that you have [set up SSO](set-up-okta-saml-sso.md) for your organization and [created user groups](managing-user-groups.md). Both must be set up in order to successfully create SSO group mappings.

Only runZero superusers can create SSO group mappings.

1. Go to [Your team > SSO settings > Group mappings > Add group mapping](https://console.runzero.com/team/sso/groups/new).
2. In the **SSO attribute** field, enter the attribute you want to check for matching values. These values are defined in your SSO configuration.
    - For Azure AD SSO, note that the **SSO attribute** field must match the claim name from Azure AD.
3. In the **SSO value** field, provide a comma-separated list of values that the attribute could match. When there is a match, runZero will apply the group permissions.
4. Click the **Group** dropdown and choose the user group that will be assigned if there is a match. The dropdown will list all user groups that have been created.  
5. Save the SSO group mapping. These settings will apply the next time the user logs in to runZero.

Changes will not apply to users currently signed in. They will need to sign out and sign back in for the changes to take effect. You can forcibly sign out users to apply the SSO group mappings immediately.
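The following added example (not runZero code) models the rule semantics described above: each mapping names one SSO attribute and a comma-separated list of values, a user whose attribute carries any of those values receives the mapped user group, and once every mapping has been evaluated the highest role per organization wins. The role names, their ranking, the group names and the sample SAML attributes are all constructed for this illustration.

```python
# Added example (not runZero code): evaluates SSO group mapping rules against
# a user's SAML attributes and resolves the highest role per organization.
from dataclasses import dataclass

# Assumed role ranking (constructed for this example; the real role names and
# their ordering come from your runZero tenant).
ROLE_RANK = {"viewer": 1, "user": 2, "admin": 3}


@dataclass
class GroupMapping:
    sso_attribute: str   # claim name, e.g. "department"
    sso_values: str      # comma-separated list exactly as typed into the form
    group_name: str      # user group assigned on a match
    org_roles: dict      # org -> role granted by that user group (assumed)

    def matches(self, saml_attrs: dict) -> bool:
        wanted = {v.strip() for v in self.sso_values.split(",") if v.strip()}
        # SAML attributes may be single- or multi-valued; normalise to a list.
        actual = saml_attrs.get(self.sso_attribute, [])
        if isinstance(actual, str):
            actual = [actual]
        return bool(wanted & set(actual))


def resolve_access(saml_attrs: dict, mappings: list):
    """Return ({org: role}, [matched group names]); for each org the highest
    role granted by any matching mapping is kept."""
    access, matched = {}, []
    for m in mappings:
        if not m.matches(saml_attrs):
            continue
        matched.append(m.group_name)
        for org, role in m.org_roles.items():
            if ROLE_RANK[role] > ROLE_RANK.get(access.get(org), 0):
                access[org] = role
    return access, matched


# Constructed sample mappings.
MAPPINGS = [
    GroupMapping("department", "IT, Security", "Infra Admins", {"Corp": "admin"}),
    GroupMapping("department", "Security", "SecOps", {"Corp": "user", "Lab": "admin"}),
    GroupMapping("groups", "everyone", "Read Only", {"Corp": "viewer", "Lab": "viewer"}),
]

if __name__ == "__main__":
    user = {"department": ["Security"], "groups": ["everyone", "vpn"]}
    print(resolve_access(user, MAPPINGS))
```

Note that a value list such as `IT, Security` is split on commas and trimmed, so spacing around the separators does not affect matching.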

## Forcing a user to sign out

Changes to user permissions will not apply until the user signs out and logs back in to runZero. If you need to apply permissions immediately after setting up the SSO group mappings, you can forcibly sign out users. This will sign users out of their current session and require them to sign back in again. After they sign in, their updated permissions will be applied. Only superusers and admins who have access to all organizations can force sign-outs. 

To forcibly sign out users, go to the [Teams page](https://console.runzero.com/team) and select the users you want to sign out. Click the sign-out button to log these users out. 

## Viewing SSO group mappings

To view all SSO group mappings that have been created, you can go to the [Group mappings page](https://console.runzero.com/team/sso/groups). From this page, you can create, edit, or delete group mappings as needed.

## Viewing SSO group mapping assignments 

To see the SSO groups that a user has been assigned to, go to the [Users page](https://console.runzero.com/team). From the _Groups_ column, you can see the number of user groups and SSO groups the user is a part of. The number of SSO groups will be in parentheses. 

Clicking the gear icon under actions will open the user settings for the user. The access summary tab will then display all of the organizations and roles they have assigned.

## Deleting a group mapping

1. Go to the [Group mappings page](https://console.runzero.com/team/sso/groups).
2. Select the group you want to delete and click the **Delete** button. All users provisioned through the group mapping will revert to their account-level permissions.

## Searching for SSO group mappings

When you are on the [Group mappings page](https://console.runzero.com/team/sso/groups), you can use the following keywords to search in the table: 

| Keyword            | Description                                                                               | Example                              |
|--------------------|-------------------------------------------------------------------------------------------|--------------------------------------|
| `id`               | User's ID.                                                                                | `id:123456789`                       |
| `sso_attribute`    | User's SSO attribute.                                                                     | `sso_attribute:department`           |
| `sso_value`        | User's SSO attribute value.                                                               | `sso_value:securityteam`             |
| `created_at`       | [Time or date](search-query-syntax.md#time-and-date-values) the user group was created.   | `created_at:>2weeks`                 |
| `updated_at`       | [Time or date](search-query-syntax.md#time-and-date-values) the user group was last updated. | `updated_at:>1year`               |
| `created_by_email` | Email of the user who created the group.                                                  | `created_by_email:user@example.com`  |
| `group_id`         | User group ID.                                                                            | `group_id:123456789`                 |
| `group_name`       | User group's name.                                                                        | `group_name:group1`                  |

Group IDs can be found by going to [the group config page](https://console.runzero.com/groups/) and enabling the ID column from the Columns menu above the data grid.

The `group_id` keyword is only available for the Users table; for the groups table, use `id`.

The `group_name` keyword is only available for the Users table.
