Configuring a Default SSO Group - Identity and Access Management Services - 4.0

Default SSO groups can be assigned for a configured third-party provider in the IdP. A default SSO group allows users to always be provisioned into a list of specified OnBase user groups when logging into a specified client application and being authenticated against the specified provider. Default SSO groups can only be configured for the following third-party providers:

  • SAML
  • CAS
  • WS-Federation (AD FS)
  • OIDC Exchange

To configure a default SSO group:

  1. Open the idpconfig.json file of the Hyland IdP server in a plain-text editor. In a default installation, this file is located at: C:\Program Files\Hyland\identityprovider
  2. In the Settings block of a configured third-party provider, add a comma at the end of the UserProvisioningUpdateEnabled setting line, immediately after true:
    "UserProvisioningUpdateEnabled": true,
  3. Add the DefaultSsoGroupMapping node immediately after the UserProvisioningUpdateEnabled setting:
    "DefaultSsoGroupMapping": [
        {
            "ClientID": "",
            "Groups": []
        }
    ]
  4. Update the settings of the DefaultSsoGroupMapping block with the following values:
    Setting     Description

    ClientId    The unique ID of the client connection to use on the Hyland IdP server, entered in quotations. This value is case sensitive and must match exactly the value on the Hyland IdP server. For example:

                "ClientId": "02c62adb-e039-43f1-bfba-2c15ec750bf9",

    Groups      The list of OnBase user groups that the user logging in will be provisioned into, entered in quotations within brackets and separated by commas. For example:

                "Groups": [ "MANAGER", "PASSWORD CONFIG" ]
  5. Save and close the idpconfig.json file.
  6. Recycle the application pool of the Hyland IdP server in IIS for the changes to take effect.
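
The following Python check is an added example, not part of the Hyland documentation. Run against the edited file before step 6, it reports JSON syntax errors (such as the missing comma from step 2) and lists which OnBase groups each client ID grants by default to every user authenticated through that provider. The Providers and Type keys in the sample are assumed for illustration, and accepting both spellings of the client ID key that appear on this page is a choice of this example.

```python
import json

# Constructed sample. Only UserProvisioningUpdateEnabled, DefaultSsoGroupMapping,
# ClientId and Groups come from the page; "Providers" and "Type" are assumed.
SAMPLE = """{ "Providers": [ { "Type": "SAML", "Settings": {
  "UserProvisioningUpdateEnabled": true,
  "DefaultSsoGroupMapping": [
    { "ClientId": "02c62adb-e039-43f1-bfba-2c15ec750bf9",
      "Groups": [ "MANAGER", "PASSWORD CONFIG" ] },
    { "ClientId": "", "Groups": "MANAGER" }
  ] } } ] }"""

def find_mappings(node, path="$"):
    """Yield (path, value) for each DefaultSsoGroupMapping node at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "DefaultSsoGroupMapping":
                yield f"{path}.{key}", value
            else:
                yield from find_mappings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_mappings(item, f"{path}[{i}]")

def audit(text):
    """Return (grants, problems): client ID -> default groups, plus defects."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. the comma from step 2 is missing
        return {}, [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    grants, problems = {}, []
    for path, mapping in find_mappings(doc):
        entries = mapping if isinstance(mapping, list) else [None]
        for i, entry in enumerate(entries):
            where = f"{path}[{i}]"
            if not isinstance(entry, dict):
                problems.append(f"{where}: expected an object")
                continue
            # The page spells the key both "ClientID" and "ClientId"; accept either.
            keys = {k.lower(): v for k, v in entry.items()}
            client, groups = keys.get("clientid"), keys.get("groups")
            if not isinstance(client, str) or not client.strip():
                problems.append(f"{where}: client ID is missing or empty")
            elif not isinstance(groups, list) or not groups or not all(
                    isinstance(g, str) and g.strip() for g in groups):
                problems.append(f"{where}: Groups must be a non-empty list of names")
            else:
                grants[client] = groups
    return grants, problems
```

To check a real file, pass the contents of idpconfig.json to `audit()` and review the returned grants for groups that should not be given to every user of that client.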