Administration Setup of Group Sync

Important: To set up group sync, you must have administrative privileges in your organization’s identity provider (IdP) and one of the following Flexera One roles: Manage organization or Administer organization. For complete descriptions of each role available in Flexera One, see Flexera One Roles.

Administrators should follow these steps to set up group sync:

1. Create groups in their IdP based on the desired permissions.
2. Configure the IdP to include the groups attribute statement in the SAML 2.0 assertion. For more information, see Passing Groups Memberships in the SAML 2.0 Assertion.
3. For each group in the IdP, create a group in Flexera One with the same name. For guidance on this step, see Creating and Managing User Groups.

Note: This step is necessary because Flexera One will not automatically create groups passed in a SAML 2.0 assertion.

4. Assign each Flexera One group the appropriate role(s). For complete descriptions of each role available in Flexera One, see Flexera One Roles.
5. Ensure JIT provisioning and group sync are enabled for the IdP in Flexera One. See the table below to understand the different group sync options:

| Group Sync Setting | Behavior When a User Signs In With the IdP |
| --- | --- |
| None - Group Sync checkbox is not checked | User's group memberships will not be modified. |
| Add missing group memberships for user | User will be added to all groups provided in the SAML 2.0 assertion. Note: Groups must already be configured in Flexera One. User’s existing group memberships will not be modified; the user will not be removed from any groups. |
| Full sync of user's group memberships | User will be added to all groups provided in the SAML 2.0 assertion. Note: Groups must already be configured in Flexera One. User will be removed from any groups that are not passed in the SAML 2.0 assertion. |

Testing and Troubleshooting

Important: If using an administrator user to test Group Sync, ensure the user has the administrator role granted directly, so they do not lose all access when removing themselves from all groups.

This section helps you test whether group sync is set up properly and covers Troubleshooting Group Membership Sync Problems.

The following procedure may be useful to ensure group sync is set up properly:

1. Identify a user to use for testing.

Tip: An administrator setting up Group Sync can test with their own user.

2. In the IdP, add the user to every group that should be synchronized to Flexera One.
3. In Flexera One, remove the user from all groups.
4. Sign in to Flexera One through the IdP to trigger Flexera One’s Group Sync.
5. In Flexera One, go to the User Management page (Administration > User Management).
6. In Flexera One, confirm the user has been added to every group that was configured to sync from the IdP.

Troubleshooting Group Membership Sync Problems

If group membership is not synchronized as expected, use these steps to inspect the SAML 2.0 assertion and identify possible causes:

1. Sign in to the IdP.
2. Open the browser's Developer Tools, and go to the Network tab.
3. Sign in to the Flexera One application through the IdP.
4. In the Developer Tools, identify the POST request:
   - For North American accounts: identify the POST request to https://secure.flexera.com/sso/saml2/<Identifier>
   - For EU accounts: identify the POST request to https://secure.flexera.eu/sso/saml2/<Identifier>
   - For APAC accounts: identify the POST request to https://secure.flexera.au/sso/saml2/<Identifier>
5. Open the request form data (body), which will include a SAMLResponse field.
6. Copy the string of characters in the SAMLResponse field.
7. Base64-decode that string to see the plain-text SAML 2.0 assertion.
8. Locate the groups attribute statement in the assertion:
   - If the groups attribute statement is missing, or the attribute statement name does not match, ensure the IdP is configured to send the groups attribute statement.
   - If the groups attribute is present, compare the group names in the assertion to the Flexera One group names.

If the problem cannot be identified, open a case with Flexera Support including any SAML assertion data that was gathered.
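Steps 7 and 8 can be done locally, which keeps the assertion out of online decoders. The following Python is an added example, not Flexera code: it decodes the SAMLResponse field, reads the values of the groups attribute, and compares them with the group names created in Flexera One. The attribute name `groups`, the group names and the sample response are constructed assumptions; use the attribute name your IdP is configured to send.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def groups_in_saml_response(saml_response, attribute_name):
    """Return the attribute's values, or None if the attribute is absent."""
    # Developer Tools may show the form field URL-encoded (%2B, %3D): undo that first.
    root = ET.fromstring(base64.b64decode(unquote(saml_response.strip())))
    if root.find(".//saml:EncryptedAssertion", SAML_NS) is not None:
        raise ValueError("assertion is encrypted; attributes are not readable here")
    groups = None  # stays None when the attribute statement is missing or misnamed
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            groups = (groups or []) + [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return groups

def compare_groups(asserted, flexera_groups):
    """Sort asserted names into exact matches, near misses and unknown names."""
    loose = {g.strip().casefold(): g for g in flexera_groups}
    report = {"matched": [], "near_miss": [], "not_in_flexera": []}
    for name in asserted:
        key = name.strip().casefold()
        if name in flexera_groups:
            report["matched"].append(name)
        elif key in loose:  # differs only in case or surrounding whitespace
            report["near_miss"].append((name, loose[key]))
        else:
            report["not_in_flexera"].append(name)
    return report

# Constructed sample: a minimal Response as it looks after Base64 decoding.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:AttributeStatement><saml:Attribute Name="groups">'
    '<saml:AttributeValue>FinOps-Admins</saml:AttributeValue>'
    '<saml:AttributeValue>itam-viewers </saml:AttributeValue>'
    '<saml:AttributeValue>Cloud-Ops</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    asserted = groups_in_saml_response(SAMPLE_RESPONSE, "groups")
    print(compare_groups(asserted, ["FinOps-Admins", "ITAM-Viewers"]))
```

A `None` result corresponds to the first case in step 8 (attribute missing or misnamed); entries under `near_miss` and `not_in_flexera` are the names to check against the groups created in Flexera One.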