If you are using external authenticators, you must convert user groups into SSO groups. Address Manager SSO groups assign authorization to users in the SSO integration. When creating an SSO group, you can assign default access (view, change, add, or full access) and administrator rights to the group.
- BlueCat recommends creating at least one local Administrator group that includes at least one local administrative user to serve as the SSO admin. This is a best practice for SSO because the SSO admin can still log in to Address Manager to deal with any connectivity issues with the IdP or critical issues with DDI operations.
- Before creating SSO groups in Address Manager, ensure the group membership claims exist in your IdP. This allows mapping of access rights to users who first log in to Address Manager with their SSO credentials. Contact your IdP for more information.
- You need at least one SSO group to enable SSO.
- An Address Manager user group that has been converted to an SSO group cannot be reverted to a BAM user group.
A new SSO group is matched with a group membership claim in the IdP that contains the access rights of users. Once a user logs in with SSO credentials, that user is automatically added to the SSO users list in the SSO group based on the group membership claim. You can convert the following user groups to SSO groups:
- Address Manager user groups
- LDAP user groups
- TACACS+ user groups
To convert user groups to SSO groups:
- On the Users and Groups page, select the Groups tab.
- In the Groups list, select the groups to convert.
- Click .
- Click Yes.