Holder group login
Introduction
In some organizations it is necessary to assign roles that affect only a part of the structure, for instance a department, a division or a country. A Holder Group can be defined as a collection of entities (referred to as "holders") that share similar characteristics, roles, permissions or access requirements. The concept of a Holder Group simplifies identity management by enabling administrators to apply policies, assign roles and manage permissions at the group level rather than individually.
The Soffid federation provides a new way to log in: the Holder group login. It allows the user to log in to an application (Service Provider) indicating which group they want to log in with. Soffid then shares with the application the roles and permissions that correspond to the selected group.
If you want an application to allow Holder group login, the option Ask for group membership after authentication of the Service Provider must be enabled (Yes selected).
Once the user has logged in using the federation, Soffid will share with the Service Provider application the following information:
- Holder group: the group selected by the user when logging in.
- Roles list:
  - Roles directly assigned to the user.
  - Roles assigned to the user in compliance with a Role Assignment Rule.
  - Roles assigned in the group selected by the user when logging in.
How does Holder group login work?
1. The user types the user name and password into the Identity Provider.
2. The Identity Provider validates the user credentials.
2.1. If the credentials are not correct, an error message is displayed.
2.2. If the credentials are correct, the Identity Provider gets the list of all groups the user can log in with. This list is obtained by selecting all the user's groups, primary and/or secondary, whose group type has the Role holder option set to Yes. Groups are not repeated in this list.
2.2.1. If there is only one group with these characteristics, the Identity Provider automatically logs the user in with this group and shares the data with the Service Provider.
2.2.2. If there is more than one group, the Identity Provider displays the list of groups so the user can select which one to log in with. Once the user selects the group and logs in, the Identity Provider shares the data with the Service Provider.
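The following is an added, illustrative model of steps 2.2 to 2.2.2 and of the role list shared with the Service Provider; it is not Soffid's own code. Group types, groups, users and the single assignment rule are constructed sample data, and the model only accepts a chosen group that appears in the user's own candidate list.

```python
from dataclasses import dataclass

# Constructed sample model of the Holder group login flow (not Soffid code).
@dataclass(frozen=True)
class GroupType:
    name: str
    role_holder: bool          # the group type's "Role holder = Yes" flag

@dataclass(frozen=True)
class Group:
    name: str
    gtype: GroupType
    roles: frozenset           # roles granted to members of this group

@dataclass
class User:
    name: str
    primary_group: Group
    secondary_groups: list
    direct_roles: set

def candidate_holder_groups(user):
    """Step 2.2: primary and secondary groups of a role-holder type, without repeats."""
    seen, out = set(), []
    for g in [user.primary_group, *user.secondary_groups]:
        if g.gtype.role_holder and g.name not in seen:
            seen.add(g.name)
            out.append(g)
    return out

def roles_for_login(user, holder_group, assignment_rules):
    """Roles shared with the SP: direct roles, rule-based roles, roles of the chosen group."""
    roles = set(user.direct_roles)
    for rule in assignment_rules:          # each rule maps a user to a set of roles
        roles |= rule(user)
    return roles | set(holder_group.roles)

def holder_group_login(user, assignment_rules=(), chosen=None):
    """Returns {'status': 'select', 'choices': [...]} when the IdP must ask the user,
    or {'status': 'ok', 'holder_group': ..., 'roles': ...} once the group is settled."""
    candidates = candidate_holder_groups(user)
    if len(candidates) == 1:               # step 2.2.1: single group, log in automatically
        group = candidates[0]
    elif chosen is None:                   # step 2.2.2: several groups, show the list
        return {"status": "select", "choices": [g.name for g in candidates]}
    else:                                  # only a group from the user's own list is valid
        by_name = {g.name: g for g in candidates}
        if chosen not in by_name:
            raise ValueError(f"{chosen!r} is not a holder group of {user.name}")
        group = by_name[chosen]
    return {"status": "ok", "holder_group": group.name,
            "roles": roles_for_login(user, group, assignment_rules)}
```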
Service providers that allow Holder group login
The following Service Providers allow you to configure login with a Holder group:
- SAML
- API client
- OpenID-Connect
- CAS client