We are testing out creating additional org roles and want the users to automatically get assigned when they SSO in. One user can have multiple org roles.
We saw there’s some SSO fields already mapped to Contact like branch -> Branch, displayname -> Name and that kind of thing, but I’m stuck on figuring out how they get assigned to org role.
I found VwSysRole that spells out all the different roles and SysUserInRole where they give individual role assignments for each user (multiple ok).
Just can’t find the gap - how they go from SSO JIT to assigned to an org role. Any chance you know?
In Creatio, organizational and functional roles are transmitted using the "role" attribute. This attribute is not listed in the JIT mapping but can be found in the SsoServiceProvider table under the SamlUserRole column.
To pass user roles to Creatio, simply create a claim named "role" on the Identity Provider side. For example, in Entra ID, this would be configured accordingly.
The claim should contain the attribute value where your roles are stored.
!Important: Role names must exactly match the role names in Creatio, including case sensitivity.
Regarding SSO technology and implementation, we can only assign existing roles to a user. Roles are not created automatically because:
1. A role must have predefined permissions or inherit from another role;
2. The SSO protocol does not allow retrieving a full list of roles from the Identity Provider—only data about the current user can be obtained. So we only get the name of the role of the logged-in user, not the entire organizational role hierarchy.
In Creatio, organizational and functional roles are transmitted using the "role" attribute. This attribute is not listed in the JIT mapping but can be found in the SsoServiceProvider table under the SamlUserRole column.
To pass user roles to Creatio, simply create a claim named "role" on the Identity Provider side. For example, in Entra ID, this would be configured accordingly.
The claim should contain the attribute value where your roles are stored.
!Important: Role names must exactly match the role names in Creatio, including case sensitivity.
Regarding SSO technology and implementation, we can only assign existing roles to a user. Roles are not created automatically because:
1. A role must have predefined permissions or inherit from another role;
2. The SSO protocol does not allow retrieving a full list of roles from the Identity Provider—only data about the current user can be obtained. So we only get the name of the role of the logged-in user, not the entire organizational role hierarchy.
You also need to create the corresponding attribute in the SsoServiceProvider table in the SamlUserRole column, following the instructions above, and then fill it in on your SSO provider side.
When a new user is provisioned through SSO, we want restrict the user creation or restrict the user from 1st time login, so that we can implement an addition approval layer.
