
General OIDC Group Membership Mapping

Learn how to sync OIDC group members to matching groups in Hanzo KMS.

You can have Hanzo KMS automatically sync group memberships between your OIDC provider and Hanzo KMS by configuring a groups claim on the tokens your provider issues. When a user logs in via OIDC, they are added to every Hanzo KMS group whose name appears in their OIDC groups claim and removed from any Hanzo KMS group whose name does not.

When enabled, manual management of Hanzo KMS group memberships will be disabled.

Group membership changes in your OIDC provider are only synced to Hanzo KMS when the user next logs in via OIDC. For example, if you remove a user from a group in your OIDC provider, the change is not reflected in Hanzo KMS until their next OIDC login; until then they keep the Hanzo KMS membership. To make sure every login goes through OIDC (and therefore triggers a sync), Hanzo KMS recommends enabling Enforce OIDC SSO in the OIDC settings.

To enable OIDC Group Membership Mapping, you must first configure a groups claim in your OIDC provider: add a groups property to the token, whose value is a list of the names of the user's OIDC groups.

Example of expected token payload:

{
    // "email": "john@provider.com",
    // "given_name": "John",
    // ...other claims
    "groups": ["Billing Group", "Sales Group"]
}

Setup varies between OIDC providers. Please refer to your OIDC provider's documentation for more information.

2.1. In Hanzo KMS, create the groups you want users synced into. The Hanzo KMS group name must match the OIDC group name exactly, character for character; a Hanzo KMS group whose name matches no value in the claim is never assigned.

2.2. Next, enable OIDC Group Membership Mapping on the Single Sign-On (SSO) page under the General tab.

2.3. The next time a user logs in via OIDC, their Hanzo KMS group memberships are replaced by the Hanzo KMS groups that match their token's groups claim.
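The sync rule described above (add what is in the claim, remove what is not, exact name match against groups that exist in Hanzo KMS), as an added example that is not Hanzo KMS's own code: it decodes the payload of a constructed token shaped like the one shown earlier and computes the membership change one login would produce. The helper names, the sample groups and memberships, and the choice to leave memberships untouched when the groups claim is absent are this example's assumptions; the page does not state how Hanzo KMS handles a missing claim, so check that behaviour with your own deployment.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    # base64url without padding, as used for JWT segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with a constructed payload and a placeholder
    signature. Constructed for this example only; it is not a real ID token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.sig"


def decode_jwt_payload(token: str) -> dict:
    """Decode the middle (payload) segment of a JWT.

    This does NOT verify the signature, issuer, audience or expiry; it only
    lets you inspect which claims your provider actually put in the token.
    The relying party must verify the token before trusting the groups claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))


def plan_group_sync(kms_groups, current_memberships, claim_groups):
    """Compute the membership change the page describes for one OIDC login.

    kms_groups:          names of the groups that exist in Hanzo KMS
    current_memberships: groups the user is in before this login
    claim_groups:        the token's "groups" claim, or None if absent

    Matching is an exact, case-sensitive string comparison, so a claim value
    that differs only in capitalization or whitespace is reported as
    unmatched instead of synced. Returning None for an absent claim is this
    example's own conservative choice (leave memberships untouched), not
    documented Hanzo KMS behaviour."""
    if claim_groups is None:
        return None
    if not isinstance(claim_groups, list) or not all(isinstance(g, str) for g in claim_groups):
        raise ValueError('"groups" claim must be a list of strings')
    existing = set(kms_groups)
    claimed = set(claim_groups)
    target = claimed & existing          # only groups that exist in KMS can be assigned
    current = set(current_memberships)
    return {
        "add": sorted(target - current),       # in the claim, not yet a member
        "remove": sorted(current - target),    # a member, but not in the claim
        "unmatched": sorted(claimed - existing),  # claim values with no KMS group
    }


# Constructed sample data: a token like the payload shown above, the groups
# that exist in KMS, and the user's memberships before this login.
EXAMPLE_TOKEN = make_unsigned_token({
    "email": "john@provider.com",
    "given_name": "John",
    "groups": ["Billing Group", "Sales Group", "sales group", "Marketing"],
})
KMS_GROUPS = ["Billing Group", "Sales Group", "Engineering"]
CURRENT_MEMBERSHIPS = ["Engineering", "Sales Group"]


def example_plan():
    claims = decode_jwt_payload(EXAMPLE_TOKEN)
    return plan_group_sync(KMS_GROUPS, CURRENT_MEMBERSHIPS, claims.get("groups"))


if __name__ == "__main__":
    print(json.dumps(example_plan(), indent=2))
```

For the constructed input the plan adds Billing Group, removes Engineering (the user keeps Sales Group), and ignores both "sales group" (capitalization differs from the KMS group) and "Marketing" (no KMS group of that name). Use decode_jwt_payload only to confirm what your provider emits in the groups claim; it performs no signature check.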
