Skip to main content
Version: master

SSO Group Sync

Loft can be configured to allow for user authentication via Single-Sign-On (SSO). This feature allows for users who have a valid account on some other service (ex: GitHub), to authenticate and log into Loft via that service. This is a great way for administrators to not need to manage individual users, however administrators still need a mechanism in place to ensure that these users have appropriate permissions applied. That is where SSO groups come into play.

Most, if not all, SSO providers allow for administrators of that service to configure data that is shared with platforms authenticating against the provider. Perhaps most important of this shared data, is a list of groups of which the authenticating user is a part of. Upon authentication via SSO in Loft, this group data is inspected, the user is automatically joined to any Teams that include any of the provided group names in the SSO Groups as Members field. Any SSO group names that are not set in any Team's SSO Groups as Members field will be dynamically created as a new Team, with the group name automatically set in the SSO Groups as Members field.

This group behavior allows administrators to create Teams in Loft that correspond to teams (groups) in the SSO identity provider, set the appropriate policy for those Team(s) in Loft, and for users to be automatically assigned the appropriate team, and thus privileges, upon logging in via SSO.

Creating a Team With SSO Group Membership

  1. Select the Users field on the left menu bar.
  2. Click the Teams button on the User Management screen.
  3. Click the button.
  4. In the drawer that appears from the right, give your new team a name by replacing the 'my-team' placeholder name, or by updating the manifest YAML 'metadata.name' field.
  5. In the Team Members tab enter any desired groups into the SSO Groups as Members field. You can add as many groups as you would like here. These group names must exactly match the group name that the SSO provider shares with Loft during SSO authentication!
  6. Make any additional desired modifications to your new Team.
  7. Click on the button.