Map claims from an external IDP to roles in XProtect

On the external IDP site, the administrator must create claims consisting of a name and a value. Subsequently, the claim is mapped to a role in the VMS, and the user's privileges will be determined by the role.

Claims that you want to use on roles must be added to the IDP configuration before they can be selected in the roles. The claims can be added on the External IDP tab in the Options dialog box. If a claim is not added to the IDP configuration, you will not be able to select the claim in the roles.

When using claims to link external IDP users to VMS roles, the external IDP users are not added to the roles in the way regular basic or AD users are. Instead, they are linked dynamically with each new session, based on the claims presented in that session.

  1. From the Site Navigation pane in Management Client, expand the Security node and select Roles.

  2. Select a role, select the External IDP tab, and select Add.

  3. Select an external IDP and a claim name and enter a claim value.

    The claim name must be written exactly as the claim name coming from the external IDP.

  4. Select OK.

If an external IDP is deleted, all users connected to the VMS via the external IDP are also deleted. All registered claims that are connected to the external IDP are removed and any mappings to roles are removed as well.

Under Effective Roles, you can get an overview of the dynamic role of external IDP users, that is, the role membership based on the external IDP user's last login session. For more information, see View effective roles.
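The model below is an added illustration of the rules described on this page (claims must be registered on the IDP before a role can use them, the claim name must match the IDP's name exactly, roles are resolved per session from the presented claims, and deleting an IDP drops its claims and mappings). It is not Milestone's code or API; the IDP name `corp-idp`, the claim `groups` and the role names are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ClaimMapping:
    """One row on a role's External IDP tab: IDP + claim name + claim value -> role."""
    idp: str
    claim_name: str
    claim_value: str
    role: str


@dataclass
class VmsSecurityConfig:
    # Claims registered per IDP on the External IDP tab (Options dialog box).
    registered_claims: dict[str, set[str]] = field(default_factory=dict)
    mappings: list[ClaimMapping] = field(default_factory=list)

    def register_claim(self, idp: str, claim_name: str) -> None:
        self.registered_claims.setdefault(idp, set()).add(claim_name)

    def add_mapping(self, idp: str, claim_name: str, claim_value: str, role: str) -> None:
        # A claim that is not registered on the IDP cannot be selected on a role.
        if claim_name not in self.registered_claims.get(idp, set()):
            raise ValueError(f"claim {claim_name!r} is not registered on IDP {idp!r}")
        self.mappings.append(ClaimMapping(idp, claim_name, claim_value, role))

    def delete_idp(self, idp: str) -> None:
        # Deleting the IDP removes its registered claims and every mapping that uses them.
        self.registered_claims.pop(idp, None)
        self.mappings = [m for m in self.mappings if m.idp != idp]


def effective_roles(config: VmsSecurityConfig, idp: str,
                    session_claims: dict[str, str | list[str]]) -> set[str]:
    """Resolve roles for one login session from the claims the IDP sent.

    Matching is exact (case-sensitive) on both claim name and value, which is why
    the name entered on the role must be written exactly as the IDP emits it.
    Nothing is stored on the role; a new session with different claims yields
    different roles.
    """
    roles: set[str] = set()
    for m in config.mappings:
        if m.idp != idp:
            continue
        values = session_claims.get(m.claim_name)
        if values is None:
            continue
        if isinstance(values, str):
            values = [values]
        if m.claim_value in values:
            roles.add(m.role)
    return roles
```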