Generic IdP SAML Attribute

You will also need to configure your IdP to send an additional attribute, LH_Groups, as part of the SAML response.

In most IdPs this is done by adding an Attribute Statement or Parameter configuration in your application integration. This parameter should be set as a multi-value parameter, that is, multiple values should be provided either by repeated AttributeValue tags or by repeated Attribute tags in the SAML assertion.

We recommend populating this attribute with the names of the user's Roles (or Groups) in your IdP. This method allows you to create roles in your IdP with the same names as the user groups on your Lighthouse; assigning one of those roles to a user in your IdP then grants that user the corresponding level of access to Lighthouse.

Alternatively, you can populate the LH_Groups attribute with the names of the Lighthouse user groups the user should be granted by any other mechanism that your IdP provides (that is, custom user properties).

Note: Your IdP can populate the LH_Groups attribute to place users in any Lighthouse user group except Lighthouse’s default admin group. You can allow users to log in with admin privileges by simply creating another user group in Lighthouse with the admin role and assigning the matching role/group in your IdP to the user (that is, populate LH_Groups to include its value).
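
The following is an added example, not Lighthouse or IdP vendor code: a small Python check you can run against an attribute statement captured from your own IdP to confirm that LH_Groups arrives as separate values in either of the two multi-value forms described above, and to see which value would fall on the default admin group. The sample XML and the group names netops and secops are constructed, and the default admin group name "admin" is an assumption.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RESERVED_GROUP = "admin"  # assumption: name of Lighthouse's default admin group

# Constructed sample, form A: one Attribute with repeated AttributeValue tags.
FORM_A = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="LH_Groups">
    <saml:AttributeValue>netops</saml:AttributeValue>
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample, form B: the Attribute tag itself is repeated.
FORM_B = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="LH_Groups">
    <saml:AttributeValue>netops</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="LH_Groups">
    <saml:AttributeValue>secops</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def lh_groups(xml_text, attr_name="LH_Groups"):
    """Return the distinct LH_Groups values in document order.

    Only inspects attribute values; it does not verify the assertion
    signature, so use it on output from your own IdP test tooling.
    """
    groups = []
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue  # ignore unrelated attributes such as email
        for value in attr.findall(f"{{{SAML}}}AttributeValue"):
            name = (value.text or "").strip()
            if name and name not in groups:
                groups.append(name)
    return groups


def split_reserved(groups):
    """Separate usable group names from the default admin group name."""
    usable = [g for g in groups if g != RESERVED_GROUP]
    reserved = [g for g in groups if g == RESERVED_GROUP]
    return usable, reserved
```
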