
Mapping Rules

When a user logs in, the claims from the external identity provider are checked against the mapping rules defined for the tenant. If a claim matches a rule, the corresponding AireIdentity role is assigned to the user.

This allows you to control user access and permissions based on attributes provided by the external identity provider.

Configuring Mapping Rules

To configure mapping rules, navigate to the Providers tab under the Tenant section in the navigation bar. Select the provider you want to configure mapping rules for by clicking on its name. Then, click on the Mapping Rules tab.

You can enable or disable mapping rules using the toggle button at the top of the page and add new rules by clicking the Add Rule button.

You must select all the roles that you want to be available for mapping.

Rules and Conditions

You can add multiple rules. For each rule, you can specify conditions based on claims. Each condition requires a claim/attribute name, a condition (equals, contains, starts with, ends with), and a value to match against.

For each rule, you must specify an environment and one or more roles to assign if the conditions are met. You must also specify whether ALL conditions must be met, or ANY condition can be met for the rule to apply.

Example

In the screenshot below, if a user logs in with a claim named role whose value equals admin, they will be assigned the Tenant Admin role in the Production environment.

[Screenshot: Mapping rules]

Role Mapping Behavior

There are two options for role mapping behavior when a user logs in:

  1. Append: The user's existing specified roles are preserved, and the roles from any matching rules are added.

  2. Replace: The user's specified roles are first cleared, and the roles from any matching rules are then added.

INFO

This only applies to users logging in via the external identity provider where these rules are configured. Users logging in with local credentials (username/password) or other providers will retain their existing roles.

WARNING

If no rules match, the user will not be assigned any roles. This may result in the user being unable to access the tenant if they do not have any other roles assigned.
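
The sketch below models the rule evaluation and role mapping behavior described on this page so a rule set can be reasoned about before it is enabled. It is an added example, not AireIdentity code. The rule and claim data shapes, case-sensitive matching, the Viewer role name, and the reading of "specified roles" as the roles selected as available for mapping are all assumptions.

```python
# Added illustration; not AireIdentity code. Data shapes are assumptions.
OPS = {
    "equals": lambda claim, value: claim == value,
    "contains": lambda claim, value: value in claim,
    "starts with": lambda claim, value: claim.startswith(value),
    "ends with": lambda claim, value: claim.endswith(value),
}

def condition_met(claims, cond):
    """True if any value of the named claim satisfies the condition."""
    raw = claims.get(cond["claim"], [])
    values = [raw] if isinstance(raw, str) else list(raw)
    return any(OPS[cond["op"]](v, cond["value"]) for v in values)

def rule_matches(claims, rule):
    """ALL requires every condition to hold; ANY requires at least one."""
    results = [condition_met(claims, c) for c in rule["conditions"]]
    if not results:
        return False  # assumption: a rule without conditions never applies
    return all(results) if rule["match"] == "ALL" else any(results)

def map_roles(claims, rules, existing, mappable, behavior):
    """Return the user's set of (environment, role) pairs after login.

    Assumption: Replace clears only roles selected as available for mapping.
    """
    granted = {(r["environment"], role)
               for r in rules if rule_matches(claims, r)
               for role in r["roles"] if role in mappable}
    if behavior == "Replace":
        kept = {(env, role) for env, role in existing if role not in mappable}
    else:  # Append keeps everything the user already had
        kept = set(existing)
    return kept | granted

# Constructed sample rules: the page's example, and a looser variant of it.
STRICT = {"environment": "Production", "roles": ["Tenant Admin"], "match": "ALL",
          "conditions": [{"claim": "role", "op": "equals", "value": "admin"}]}
LOOSE = {"environment": "Production", "roles": ["Tenant Admin"], "match": "ALL",
         "conditions": [{"claim": "role", "op": "contains", "value": "admin"}]}
MAPPABLE = {"Tenant Admin"}
ADMIN = ("Production", "Tenant Admin")
VIEWER = ("Production", "Viewer")  # hypothetical role not selected for mapping
```

With these constructed rules, a role claim of non-admin does not satisfy the equals rule but does satisfy the contains rule, so prefer equals for rules that grant privileged roles unless the provider's claim values are tightly controlled.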