DO NOT DISTRIBUTE
This article is for Cadmium employees and contractors ONLY and should not be distributed.
Understanding Group Control in Elevate with SSO
When using Elevate Groups on an SSO-enabled site, each group can be configured individually to be either: SSO-controlled – Group membership is determined automatically based on data passed through the SSO connection. Manually controlled – Admins or managers assign users directly, either individually or via CSV upload.
IMPORTANT NOTE
A single group must be exclusively one or the other.
If a user is manually assigned to an SSO-controlled group but their SSO data does not indicate membership, they will be automatically removed from that group upon their next login.
Organizations may choose to manage all groups in one consistent way or use a hybrid model with both SSO-driven and manually managed groups. From a technical perspective, opting out of SSO-driven group control altogether is the simplest configuration.
Setting Up SSO-Controlled Groups
To enable SSO-controlled group membership, Cadmium must be involved in the configuration process. While this can be set up at any time, it is strongly recommended to plan your group membership needs during the initial SSO setup for the site.
To get started, contact your Account Manager or email elevate-support@gocadmium.com.
NOTE
This setup requires developer involvement and will incur additional implementation fees.
Standard SSO Group Membership Requirements
For Elevate to recognize and manage group membership via SSO, the SSO assertion must include a user attribute that meets the following criteria:
- Field Type: Must support an array or multi-value string format.
- Each value must correspond to a valid Elevate Group identifier.
- Cardinality: Must support zero, one, or many group values per user.
- Consistency: Values must exactly match what the admin has entered in the Group set up as the “Value in SSO field”.
This design supports scalable group management. New groups can be added in Elevate without modifying the SSO integration—just update the values passed in the group field.
NOTE
Group Portals are secured using their own security certificates. For this to properly function, you will either need to ensure that a DNS wildcard is available for your Group Portal URL’s or you will need to coordinate each new Group Portal domain with Cadmium.
Custom SSO Group Membership Integration
While the standard approach outlined above is ideal, we recognize that SSO capabilities vary widely across AMS platforms and identity providers. Cadmium offers custom SSO group membership integration to accommodate non-standard setups.
NOTE
Additional development work and fees may apply for custom configurations.
Configuring SSO group Membership
Once the SSO integration is complete, administrators can configure specific Elevate Groups to support SSO-driven membership (Fig 1).
Follow the steps below to enable SSO Group Membership:
- Navigate to the Group Configuration screen.
- On the Basic tab, check the box labeled: “Membership in this group is controlled by SSO.”
- In the field labeled “Value in SSO field <fieldname> for this Group,” enter the exact value that will be passed in the SSO assertion for this group.
- Click Save.
Fig. 1 - Configuring SSO group Membership
IMPORTANT NOTE
The value entered must exactly match the value sent in the SSO assertion—this includes case sensitivity and spacing.
Any mismatch will prevent users from being correctly assigned to the group via SSO.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article