TIS Training API Documentation
  • Welcome!
  • Quick Start
  • Managing Users
  • Single Sign On (SSO)
    • General Options
    • Role and Group Mappings
    • Connection Types
      • Microsoft Entra ID (Formerly Azure AD)
      • Google Workspace
      • OpenID Connect (OIDC)
      • SAML (Security Assertion Markup Language)
  • SCORM Packages
  • Webhooks
  • API Reference
    • Users
      • 🔵GET users
      • 🔵GET users/seats
      • 🟢POST users
      • 🟠PUT users
      • 🟢POST users/password
      • 🟡PATCH users/enable
      • 🟡PATCH users/disable
      • 🔴DELETE users
    • Results
      • 🔵GET results
      • 🔵GET results/group
    • Groups
      • 🔵GET groups
      • 🟢POST groups/users
      • 🔴DELETE groups/users
    • 🔵GET courses
    • 🔵GET filters
    • 🟢POST login
    • â›”Standard Error Format
  • Webhook Reference
    • Standard Structure
    • Course Complete
    • Multi-Course Complete
  • OpenAPI Specification
Powered by GitBook
On this page
  • Role Mappings
  • Group Mappings
  1. Single Sign On (SSO)

Role and Group Mappings

PreviousGeneral OptionsNextConnection Types

Last updated 2 months ago

When adding or updating an SSO connection, you have the option to map the attributes and claims from your SSO provider to roles and groups on the TIS Platform. These can be updated at any time by editing the connection in the administration panel. Below is a description of how each type of mapping works. If you are looking for more information about the specific mapping values to use, please see the documentation page for your chosen connection type.

Role Mappings

Role mappings allow you to update your users roles in within the TIS Platform, granting or restricting access to reporting or the administration panel. These mappings are checked each time the user logs in via the SSO provider, and the role is saved to the user's profile. If there are no mappings that match the current login, the previously saved role will remain in effect.

Important Considerations

  • A user will always be granted the highest role from all matched mappings when logging in.

  • If the account is a the user will retain the last assigned role if they later login using their username and password.

  • A user who no longer matches a higher role mapping will not be removed from that role unless they match a mapping for a lower role. (For example, if a user is removed from an "Admin" mapping but they do not match a "Manager" or "User" mapping, they will retain the "Admin" role when logging in.)

  • You can update a user's role in the administration panel, however if they still match a role mapping when logging in, their role will be updated back to the mapped value.

Group Mappings

Group mappings allow users to be added to TIS Platform user groups that have been created in the administration panel. These mappings are checked each time the user logs in via the SSO provider. Any matched group mappings will be assigned to the user's account, and any existing groups that are no longer matched will be removed.

Important Considerations

  • For , when a group mapping is no longer matched, that group is not removed from the user's account. You will need to remove the group via the administration panel.

  • If you need to add multiple groups for the same mapped value, create a separate group mapping for each group.

Merged Account
Merged Accounts