SAML Group Mapping lets you define rules on a Frontend Group so that users are automatically added to that group when a SAML attribute in their login response matches a specified value. This is useful when your identity provider (e.g. Okta, Azure AD) already organizes users by department, role, or other attributes that you want to reflect as Curator Frontend Group membership without manual assignment.

Prerequisites

  • SAML Authentication must be enabled on your Curator instance.
  • The SAML attributes you want to match must be included in your identity provider’s assertion. You do not need to configure those attributes under Authentication Settings > SAML Attributes — SAML Group Mapping works independently of the Custom Attributes feature.

Configuring SAML Group Rules

  1. Log in to the backend of your Curator instance (e.g. https://www.curatorexample.com/backend).
  2. Navigate to Settings > Users > Frontend Groups.
  3. Open an existing group or click New Frontend Group to create one.
  4. Scroll down to the SAML Groups section.
  5. Click Add Item under SAML Attribute Rules to add a rule.
  6. Enter the Attribute name exactly as it appears in the SAML response (e.g. department).
  7. Enter the Value that should trigger membership (e.g. Finance).
  8. Repeat for any additional rules. A user matching any rule will be added to the group.
  9. Click Save.

How Membership Is Applied

Membership is evaluated in two ways:
  • On login: When a user authenticates via SAML, Curator immediately checks their SAML attributes against all group rules and adds them to any matching groups. This is the primary sync path and ensures membership is current by the time the user’s session begins.
  • Batch sync: Curator’s scheduled group membership sync also evaluates SAML rules by querying SAML attributes stored against each user record. This allows groups to be updated on a schedule without requiring every user to log in first.

Important: New Rules and Batch Sync

Curator only stores the SAML attribute keys that are actively referenced in at least one group rule. This keeps personally identifiable information (PII) to a minimum: attributes not used by any rule are never written to the database.

As a consequence, if you add a new rule referencing an attribute that was not previously configured in any group, that attribute will not yet be present in stored user records. Batch sync will not be able to match users against the new rule until those users log in again and their stored attributes are refreshed. To apply a new rule immediately without waiting for each user to log in, you can trigger a manual membership sync after the affected users have logged in, or notify users to log in and then run the sync.

This limitation does not affect the on-login sync path. Users will always be evaluated against the current rules the moment they authenticate.
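The storage and sync behavior described above, modeled in Python as an added example (not Curator's code; all class and function names are hypothetical, and exact-match comparison of multi-valued attributes is an assumption). It shows a batch sync missing a newly added rule until the user's next login refreshes the stored attributes.

```python
# Added illustration with hypothetical names; not Curator's implementation.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    rules: list                       # (attribute, value) pairs; ANY match grants membership
    members: set = field(default_factory=set)

def referenced_keys(groups):
    """Attribute keys named by at least one rule; only these are persisted."""
    return {attr for g in groups for attr, _ in g.rules}

def matches(group, attrs):
    # Assumption: exact, case-sensitive comparison; attributes may be multi-valued.
    return any(value in attrs.get(attr, []) for attr, value in group.rules)

def on_login(user, assertion, groups, store):
    """Login path: evaluate the live assertion, then store only referenced keys."""
    for g in groups:
        if matches(g, assertion):
            g.members.add(user)
    keep = referenced_keys(groups)
    store[user] = {k: v for k, v in assertion.items() if k in keep}

def batch_sync(groups, store):
    """Batch path: evaluate rules against stored attributes only."""
    for g in groups:
        for user, attrs in store.items():
            if matches(g, attrs):
                g.members.add(user)

def demo():
    # Constructed sample assertion attributes for one user.
    alice = {"department": ["Finance"], "role": ["Approver"],
             "email": ["alice@example.com"]}
    groups, store = [Group("Finance", [("department", "Finance")])], {}
    on_login("alice", alice, groups, store)
    stored_first = dict(store["alice"])        # only "department" was kept

    # New rule on a key that no rule referenced before.
    approvers = Group("Approvers", [("role", "Approver")])
    groups.append(approvers)
    batch_sync(groups, store)
    after_batch = set(approvers.members)       # empty: "role" was never stored

    on_login("alice", alice, groups, store)    # next login refreshes the store
    return stored_first, after_batch, set(approvers.members), store["alice"]

if __name__ == "__main__":
    print(demo())
```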

Relationship to Custom Attributes

SAML Group Mapping and Custom Attributes are separate features that both read from the SAML response. Custom Attributes pass values through to your analytic platforms (e.g. for Tableau USERATTRIBUTE() filtering). SAML Group Mapping uses attribute values solely to determine Curator Frontend Group membership. You can use both features with the same or different attributes.