User Group Mapping

If you use federations and have user groups on the identity provider side, you can configure group mapping to integrate them into Selectel user groups.

How it works

Users from a mapped identity provider group will be added to the Selectel group automatically upon first authentication. Users will be assigned the permissions that you specify for the Selectel user group when configuring group mapping.

If permissions or user data change on the identity provider side, the changes will be applied in Selectel upon re-authentication.

You can map one identity provider group to one Selectel user group. You cannot map a Selectel group to multiple identity providers, or vice versa.

Configure group mapping

  1. Create user groups.
  2. Add group mapping.
  3. Configure mappings on the identity provider side.
  4. Add users to a group on the identity provider side.

1. Create user groups

  1. Make sure you have a user group on the identity provider side.

  2. If you already have a user group on the Selectel side and you want to use it for mapping, you do not need to create a new group. If you do not have a group or would like to use a new one:

    2.1. Add a user group.

    2.2. Assign permissions to the user group.

2. Add group mapping

  1. In the control panel, on the top menu, click IAM.

  2. Go to the Federations section.

  3. Open the federation page → Group Mapping tab.

  4. Click Map groups.

  5. In the Mapped groups block:

    5.1. Select the Selectel group you created in step 1 or earlier.

    5.2. Enter the name of the identity provider group.

  6. Optional: to add another group mapping, click Add mapping and repeat step 5.

  7. Click Save settings.

3. Configure mappings on the identity provider side

  1. In the Keycloak control panel, log in to the administrator account (Administration Console).

  2. Go to the Client scopes section → Setup tab.

  3. Select the client scope specified in the <client_id>-dedicated format. Here, <client_id> is the URL you entered when configuring the SAML application in the Client ID field.

  4. Configure user group mapping:

    4.1. On the Mappers tab, click Add mapper → By configuration → Group list.

    4.2. In the Name field, enter a name for the mapping.

    4.3. In the Group attribute names field, enter groups.

    4.4. Turn on the Single Group Attribute toggle.

    4.5. Turn off the Full group path toggle.

    4.6. Click Save.

  5. Configure user email mapping:

    5.1. On the Mappers tab, click Add mapper → From predefined mappers → x500 email.

    5.2. Open the x500 email mapping.

    5.3. In the SAML Attribute Name field, enter email.

    5.4. Click Save.

  6. Configure user name mapping:

    6.1. On the Mappers tab, click Add mapper → From predefined mappers → x500 givenName.

    6.2. Open the x500 givenName mapping.

    6.3. In the SAML Attribute Name field, enter firstName.

    6.4. Click Save.

  7. Configure user surname mapping:

    7.1. On the Mappers tab, click Add mapper → From predefined mappers → x500 lastName.

    7.2. Open the x500 lastName mapping.

    7.3. In the SAML Attribute Name field, enter lastName.

    7.4. Click Save.

4. Add users to a group on the identity provider side

  1. In the Keycloak control panel, go to the Users section.

  2. Open the user page → Groups tab.

  3. Click Join Group.

  4. Select the group you want to add the user to.
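
To confirm that steps 3 and 4 took effect, you can inspect the attributes of a decoded SAML assertion from a test login. The Python check below is an added example, not part of the Selectel or Keycloak documentation; the sample assertion, the group names and the exact-match comparison are constructed assumptions, and it checks attribute shape only, not the assertion signature.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
REQUIRED = ("groups", "email", "firstName", "lastName")  # names entered in step 3

# Constructed sample of the AttributeStatement the mappers in step 3 should emit.
SAMPLE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>cloud-admins</saml:AttributeValue>
    <saml:AttributeValue>billing-viewers</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="firstName">
    <saml:AttributeValue>Anna</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="lastName">
    <saml:AttributeValue>Ivanova</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def read_attributes(xml_text):
    """Map each attribute Name to a list of value lists, one per <Attribute>."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(SAML + "AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).append(values)
    return attrs


def check_mapping(xml_text, mapped_groups):
    """Return (problems, matched): shape errors and IdP groups that hit a mapping."""
    attrs = read_attributes(xml_text)
    problems = [f"missing attribute: {name}" for name in REQUIRED if name not in attrs]
    elements = attrs.get("groups", [])
    if len(elements) > 1:
        problems.append("groups sent as several attributes: turn on Single Group Attribute")
    groups = [g for values in elements for g in values]
    problems += [f"full path sent for {g}: turn off Full group path"
                 for g in groups if g.startswith("/")]
    # Assumption: the mapping compares the group name as an exact string.
    matched = sorted(set(groups) & set(mapped_groups))
    if not matched:
        problems.append("no group in the assertion matches a configured mapping")
    return problems, matched
```

Pass the set of identity provider group names you entered in the Mapped groups block as `mapped_groups`; an empty problem list means the assertion carries the attribute layout that step 3 configures.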

Disable group mapping

After disabling group mapping, users will no longer be able to authenticate to the control panel via SSO.

You can re-enable group mapping at any time.

  1. In the control panel, on the top menu, click IAM.
  2. Go to the Federations section.
  3. Open the federation page → Group Mapping tab.
  4. In the Settings enabled block, turn off the toggle.

Delete group mapping

After deleting group mapping, users from the identity provider group will no longer be able to authenticate to the control panel via SSO.

If users are added to another Selectel group that has mapping configured, they will retain access as part of the other group's mapping.

  1. In the control panel, on the top menu, click IAM.
  2. Go to the Federations section.
  3. Open the federation page → Group Mapping tab.
  4. In the Mapped groups block, in the mapping row, click .
  5. Click Save settings.