
IDP Group Mappings

External IDP group mappings connect groups from your identity provider (LDAP, OIDC, Active Directory) to RAMP application roles. When a user belonging to a mapped external group logs in, they automatically receive the associated RAMP roles without manual assignment.

The mapping process follows this flow:

  1. A user logs in through an external identity provider (LDAP, OIDC, or Windows Auth).
  2. RAMP reads the user’s group memberships from the identity provider.
  3. RAMP checks if any of those groups have been mapped to RAMP roles.
  4. If a match is found, the user automatically receives the mapped RAMP roles.

This means that role assignment is driven by your existing identity provider group structure, reducing manual administration.

To add a mapping:

  1. Navigate to Tenants, then select the tenant.
  2. Open the External IDP Mappings tab.
  3. Click Add Mapping.
  4. Select the external IDP group from the directory. If directory browsing is enabled, you can search the provider's groups directly. Otherwise (CachedOnly mode), only groups of users who have already logged in at least once are listed, because RAMP learns group names from those logins.
  5. Select the RAMP application role to assign.
  6. Click Save.

Here are common mapping patterns:

External IDP Group    | RAMP Role               | Purpose
RAMP-Admins           | Administrator           | Grant admin access to IT staff
RAMP-Operators        | GlobalInstanceExecutor  | Allow operations team to execute all instances
RAMP-Viewers          | GlobalTemplateViewer    | Give read-only access to all templates
RAMP-Template-Editors | GlobalTemplateEditor    | Allow engineers to edit all templates
Release-Managers      | GlobalInstanceHead      | Grant full instance control to release managers
QA-Team               | GlobalTemplateApprover  | Allow QA team to approve template versions

When directory browsing is enabled for an OIDC or LDAP provider, RAMP can synchronize group information from the external provider.

Group memberships are automatically refreshed when a user logs in. RAMP reads the user’s current group memberships from the identity provider and updates the local cache accordingly.

To refresh the full group list from the provider:

  1. Navigate to the tenant’s External IDP Groups tab.
  2. Click Sync to pull the latest groups from the identity provider.
  3. Review the updated group list.

When a mapping is in place, the role assignment process is fully automatic:

  1. User logs in through the mapped identity provider.
  2. RAMP reads groups from the identity provider token or directory.
  3. Mappings are evaluated to determine which RAMP roles apply.
  4. Roles are assigned to the user’s session.
  5. User sees content based on their effective permissions.

If the user's group membership changes in the external IDP (the user is added to or removed from a group), the updated roles take effect only the next time the user logs in and receives a new token. An existing session keeps the roles it was granted at login, so a user who is removed from a group retains the corresponding RAMP roles until they log in again.

To change the RAMP role associated with an external group:

  1. Navigate to the External IDP Mappings tab.
  2. Click on the mapping you want to modify.
  3. Change the RAMP role.
  4. Click Save.

Removing a mapping stops the automatic role assignment for that external group. Users who previously received roles through the mapping will lose those roles on their next login.

  1. Navigate to the External IDP Mappings tab.
  2. Click Delete on the mapping you want to remove.
  3. Confirm the deletion.

If users from mapped groups are not receiving the expected roles:

  1. Verify the mapping — check that the external group name matches exactly.
  2. Check group membership — confirm the user is a member of the external group in the identity provider.
  3. Require re-login — role changes require a new token. Ask the user to log out and log back in.
  4. Check directory browsing — if using CachedOnly mode, the group may not be visible until a member has logged in.

If the provider is OIDC and a group still does not appear, also check:

  1. Has the user logged in at least once? (Required for CachedOnly mode.)
  2. Is directory browsing enabled for the OIDC provider?
  3. Is the Admin API Endpoint configured correctly?
  4. Does the OAuth2 client have the necessary API permissions?
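The following is an added worked example, not code from RAMP or its documentation. It models the login-time evaluation described above (groups read from the token, mappings evaluated, roles fixed for the session) and the "matches exactly" troubleshooting step: it decodes the payload of an ID token, applies a mapping table, and, for any token group that received no role, reports whether a mapping exists that differs only in case or whitespace. All names are assumptions: the mapping table is constructed to mirror the pattern table above, the claim name `groups` is IdP-dependent, and the token is built locally with a placeholder signature so the script runs offline. The decoder does not verify the signature and is for inspecting claims only; RAMP, not this script, is what authorises the user.

```python
import base64
import json

# Constructed mapping table (hypothetical tenant; same shape as the table above).
MAPPINGS = [
    ("RAMP-Admins", "Administrator"),
    ("RAMP-Operators", "GlobalInstanceExecutor"),
    ("RAMP-Viewers", "GlobalTemplateViewer"),
    ("Release-Managers", "GlobalInstanceHead"),
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_constructed_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo. The signature segment is a
    placeholder, so this token would never pass verification at a real RP."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying the signature.
    Use it only to see which groups the IdP put in the token while
    troubleshooting; never feed unverified claims into an authorisation path."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_from_claims(claims: dict, claim_name: str = "groups") -> list[str]:
    """Return the group list from the token; the claim name is provider-specific
    (assumed to be 'groups' here). A bare string is treated as a single group."""
    value = claims.get(claim_name, [])
    return [value] if isinstance(value, str) else list(value)


def evaluate_mappings(groups, mappings) -> set[str]:
    """Exact, case- and whitespace-sensitive match, as the troubleshooting step
    requires. Roles from all matching groups are unioned."""
    return {role for group in groups for ext_group, role in mappings if group == ext_group}


def login(token: str, mappings) -> dict:
    """Snapshot roles at login. The session keeps this set until the user
    logs in again, which is why IdP or mapping changes need a re-login."""
    claims = decode_id_token_claims(token)
    return {"sub": claims["sub"], "roles": frozenset(evaluate_mappings(groups_from_claims(claims), mappings))}


def diagnose_unmatched(groups, mappings) -> dict:
    """For each token group with no exact mapping, return the mapped group name
    that differs only by case or surrounding whitespace, or None if there is
    simply no mapping for it."""
    mapped = {ext_group for ext_group, _ in mappings}
    report = {}
    for group in groups:
        if group in mapped:
            continue
        near = [m for m in mapped if m.strip().casefold() == group.strip().casefold()]
        report[group] = near[0] if near else None
    return report


if __name__ == "__main__":
    # Constructed claims: one exact match, one near miss (case + trailing space),
    # one group with no mapping at all.
    claims = {"sub": "alice", "groups": ["RAMP-Admins", "ramp-operators ", "QA-Team"]}
    token = make_constructed_token(claims)
    session = login(token, MAPPINGS)
    print("roles at login:", sorted(session["roles"]))
    print("unmatched groups:", diagnose_unmatched(groups_from_claims(claims), MAPPINGS))
    # Removing a mapping does not touch the live session; only a new login does.
    reduced = [m for m in MAPPINGS if m[0] != "RAMP-Admins"]
    print("after mapping removed, existing session:", sorted(session["roles"]))
    print("after mapping removed, new login:", sorted(login(token, reduced)["roles"]))
```

In the constructed run, `ramp-operators ` earns no role and the diagnostic points at `RAMP-Operators`, which is the kind of near miss a "verify the mapping" check is meant to catch; `QA-Team` is reported with no candidate because the constructed table has no mapping for it. The last two lines show why removing a mapping only bites on the next login: the session snapshot is unchanged until `login` runs again.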

After configuring IDP mappings, review provisioned members to see which external users have been automatically created in the tenant.