Mapping Your IdP Groups

This documentation is for Dash Enterprise.

Groups are a convenient way for app owners to give app co-ownership or viewer access to many users at once. As an administrator, you can also use groups to assign roles to many users at once, but we strongly recommend assigning the licensed_user role to users directly.

If you have an external IdP that uses groups, you can map those groups into Keycloak to make them available in Dash Enterprise.

Prerequisite: Before mapping groups, you’ll need to have configured your IdP in Keycloak.

Configuring Group Mapping

How to map groups varies depending on the IdP and protocol (LDAP, SAML, OIDC) you use.

Select the protocol for your IdP to get started:

Microsoft Entra ID (formerly Azure AD)

SAML

To map your Microsoft Entra ID SAML groups:

  1. In the Azure portal, go to Enterprise applications.

  2. Select the application you created when you configured your IdP for Keycloak.

  3. Select Set up single sign on.

  4. Select Edit in the Attributes & Claims panel.

  5. Select Add a group claim.

  6. Select the type of groups you want to be available in Dash Enterprise.

  7. For Source attribute select Group ID.

  8. Optional: Under Advanced options, you can set up filters to limit the groups that Dash Enterprise will have access to. See the Group filtering section in Configure group claims for applications by using Microsoft Entra ID in the official Microsoft docs for more details.

  9. Select Save. The Attributes & Claims page is displayed. Copy the claim name for groups. You’ll use this when configuring Keycloak.

  10. Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.

  11. Select your Microsoft Entra ID SAML configuration.

  12. Add an Attribute to Group Mapper:

    • Go to the Mappers tab and select Add mapper.

    • In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak.

    • Set Sync Mode Override to inherit.

    • Set the Mapper Type to Attribute to Group Mapper.

    • In Attribute Name, paste the value copied from Azure in step 9. Leave Friendly Name blank.

    • Set Create groups if not exists to On.

    • Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.

  13. Select Save.

Users in More Than 150 Groups

If you have any users that are members of more than 150 groups, you’ll need to complete some additional steps: register a new application, add a client secret, configure permissions for Microsoft Graph, and grant admin consent in Microsoft Entra ID, so that you can add an Azure Graph Link to Group Mapper in Keycloak. This is needed because in these situations Microsoft Entra ID responds with a groupLink rather than the group values, and the Azure Graph Link to Group Mapper resolves that link into groups.

Register an Application

Register a new application on Azure.

Add a Client Secret

To add a client secret:

  1. In the Azure portal, go to App registrations, and select your application.
  2. Select Certificates & secrets > Client secrets > New client secret.
  3. Add a description.
  4. Select an expiration for the secret.
  5. Select Add.
    Once you’ve saved the client secret, a Value and Secret ID are displayed. Save these. The value can only be viewed immediately after creation, and you’ll need to add both later in Keycloak.

Configure Permissions for Microsoft Graph

To configure permissions for Microsoft Graph:

  1. In the Azure portal, go to App registrations, and select your application.
  2. In the menu on the left, select API permissions.
  3. Select Add a permission, Microsoft Graph, and then Delegated permissions.
  4. Select the User.Read permission.
  5. Go to Application permissions and select Group.Read.All and User.Read.All.
  6. Select Add permissions.

Grant Admin Consent

  1. In the Azure portal, go to App registrations, and select your application.
  2. Select Overview.
  3. Replace the values in this URL https://login.microsoftonline.com/<tenant-id>/adminconsent?client_id=<client-id> with the tenant ID and client ID from the overview page.
  4. Visit the URL and select Accept.

Add Azure Graph Link to Group Mapper in Keycloak

To add the Azure Graph Link to Group Mapper in Keycloak:

  1. Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.
  2. Select your Microsoft Entra ID SAML configuration.
  3. Add an Azure Graph Link to Group Mapper:

    • From the Mappers tab, select Create.

    • Set the Mapper Type to Azure Graph Link to Group Mapper.

    • In Name, enter groupLink.

    • Set Sync Mode Override to inherit.

    • For Tenant ID, add the Tenant ID displayed on your app’s overview page in Azure.

    • For Client ID, add the Secret ID that was displayed when you created a client secret.

    • For Client Secret, add the Value that was displayed when you created a client secret.

    • For Attribute Name, enter http://schemas.microsoft.com/claims/groups.link

    • Set Create groups if not exists to On.

    • Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.

  4. Select Save.

The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.
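The following is an added example, not code from the Dash Enterprise docs or from Keycloak. It reads a SAML assertion from Entra ID the way the two mappers above consume it: it collects the values of the groups claim, applies the optional Contains text filter, and reports when the assertion carries groups.link instead, which is the over-150-groups case that needs the Azure Graph Link to Group Mapper. The assertion XML, the group names and the graph URL are constructed sample values, and the groups claim name is assumed to be the usual Entra default; use the claim name you copied in step 9.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute Entra ID sends instead of the group values for a user in >150
# groups (the Attribute Name set on the Azure Graph Link to Group Mapper).
GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"
# Usual Entra default for the SAML groups claim (assumed here; use the claim
# name you copied from the Attributes & Claims page in step 9).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def saml_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name", "")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
        ]
    return attrs


def mapped_groups(attrs, claim_name, contains_text=""):
    """Values the Attribute to Group Mapper would turn into Keycloak groups.

    Returns None when the assertion carries groups.link instead of group
    values: the user is in more than 150 groups and the Azure Graph Link to
    Group Mapper is required. contains_text mirrors the mapper's optional
    Contains text filter (substring match on each value; with Source
    attribute = Group ID the values are object IDs rather than names).
    """
    if GROUPS_LINK in attrs:
        return None
    return [g for g in attrs.get(claim_name, []) if contains_text in g]


# Constructed sample assertions: signature, Subject and Conditions omitted,
# since only the AttributeStatement matters to the mappers.
_TMPL = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
         "<saml:AttributeStatement>{}</saml:AttributeStatement></saml:Assertion>")
NORMAL_ASSERTION = _TMPL.format(
    f'<saml:Attribute Name="{GROUPS_CLAIM}">'
    "<saml:AttributeValue>dash-viewers</saml:AttributeValue>"
    "<saml:AttributeValue>dash-owners</saml:AttributeValue>"
    "<saml:AttributeValue>finance-all</saml:AttributeValue></saml:Attribute>")
OVERAGE_ASSERTION = _TMPL.format(
    f'<saml:Attribute Name="{GROUPS_LINK}"><saml:AttributeValue>'
    "https://graph.example.invalid/users/u1/getMemberObjects"
    "</saml:AttributeValue></saml:Attribute>")
```

Running `mapped_groups(saml_attributes(NORMAL_ASSERTION), GROUPS_CLAIM, "dash")` shows which groups the mapper would create under a Contains text filter, while the overage assertion returns None, telling you the Graph Link mapper steps above are needed for that user.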

OIDC

To map your Microsoft Entra ID OIDC groups:

  1. In the Azure portal, select App registrations.

  2. Select the application you created when you configured your IdP for Keycloak.

  3. Go to Token configuration.

  4. Select Add groups claim.

  5. Select the type of groups you want available in Dash Enterprise.

  6. Under Customize token properties by type, select Group ID for both ID and Access.

    We recommend using Group ID for the token property. You can use another property if you have access to it in your Azure instance.

  7. Select Add. The Token configuration page is displayed. Copy the Claim for the groups claim.

  8. Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.

  9. Select your Microsoft Entra ID OIDC configuration.

  10. Add a Claim to Group Mapper:

    • Go to the Mappers tab and select Add mapper.

    • In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak for the mapper.

    • Set Sync Mode Override to inherit.

    • Set the Mapper Type to Claim to Group Mapper.

    • In Claim, paste the value copied from Azure in step 7.

    • Set Create groups if not exists to On.

    • Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.

  11. Select Save.

The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.

Okta

LDAP

To map your Okta LDAP groups:

  1. In Okta, go to Directory > Directory Integrations, select your LDAP Interface and copy the Group Base DN.

  2. Log in to Keycloak at https://auth-<your-dash-enterprise-server> and go to User Federation.

  3. Select your Okta LDAP configuration.
  4. Go to the Mappers tab and select Add mapper.
  5. Enter a name for the mapper.
  6. Set the Mapper Type to group-ldap-mapper.
  7. Fill out the remainder of the mapper form:
    - In LDAP Groups DN, paste the Group Base DN copied from Okta in step 1.
    - In Group Object Classes, enter groupofUniqueNames.
    - Set Ignore Missing Groups to On.
    - In Membership LDAP Attribute, enter uniqueMember.
    - Optional: You can use LDAP Filter to restrict the groups imported to Keycloak to specific groups. See the Okta reference docs for details on group filters.

    If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.
    - Leave the remaining fields with their default values.

  8. Select Save.

  9. Optional: Perform a first sync of groups by selecting Sync LDAP Groups To Keycloak.

The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.

SAML

To map your Okta SAML groups:

  1. In Okta, go to the Applications page (Applications > Applications).

  2. Select the application you created when you configured your IdP for Keycloak.

  3. From the General tab, select Edit in the SAML settings section.

  4. Select Next. In the Group Attribute Statements section, enter groups for Name, select Matches regex for Filter, and enter .* as the regex value. This returns all groups.

  5. Select Next and then Finish to save the group attribute.

  6. Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.

  7. Select your Okta SAML configuration.

  8. Add an Attribute to Group Mapper:

    • Go to the Mappers tab and select Add mapper.

    • In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak.

    • Set Sync Mode Override to inherit.

    • Set the Mapper Type to Attribute to Group Mapper.

    • In Attribute Name, enter groups. This is the value added in Okta in step 4. Leave Friendly Name blank.

    • Set Create groups if not exists to On.

    • Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.

  9. Select Save.

The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.

OIDC

To map your Okta OIDC groups:

  1. In Okta, go to the Applications page (Applications > Applications).

  2. Select the application you created when you configured your IdP for Keycloak.

  3. From the Sign On tab, select Edit in the OpenID Connect ID Token panel.

  4. Select Filter as the groups claim type.

  5. For the groups claim filter fields, enter groups, select Matches regex and enter .*. This returns all groups. For detail on other options, such as using expressions instead of filters, see the Okta documentation.

  6. Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.

  7. Select your Okta OIDC configuration.

  8. Add a Claim to Group Mapper:

    • Go to the Mappers tab and select Add mapper.

    • In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak for the mapper.

    • Set Sync Mode Override to inherit.

    • Set the Mapper Type to Claim to Group Mapper.

    • In Claim, enter groups. This is the groups claim name from Okta that you set in step 5.

    • Set Create groups if not exists to On.

    • Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.

  9. Select Save.

The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.

Auth0 (Using Auth0 Authorization Extension)

Note: If you are using the Auth0 Authorization extension with SAML for groups, you can map those groups into Dash Enterprise with the following steps. OIDC is not currently supported.

SAML

To map your Auth0 Authorization SAML groups:

  1. In Auth0, go to the Applications page (Applications > Applications).

  2. Select the application you created when you configured your IdP for Keycloak.

  3. Go to Addons and select SAML2 Web App.

  4. Go to the Settings tab and copy the value for “groups”.

  5. Log in to Keycloak at https://auth-<your-dash-enterprise-server>, and select Identity Providers.

  6. Select your Auth0 SAML configuration.

  7. Add an Attribute to Group Mapper:

    • Go to the Mappers tab and select Add mapper.

    • In Name, enter a name for the mapper. It is the name that will be displayed in Keycloak.

    • Set Sync Mode Override to inherit.

    • Set the Mapper Type to Attribute to Group Mapper.

    • In Attribute Name, paste the value copied from Auth0 in step 4. Leave Friendly Name blank.

    • Set Create groups if not exists to On.

    • Optional: Use Contains text to only include groups that have this text in their name. You can use this for filtering if you have many groups. If your total number of users and groups is greater than 10,000, to help avoid performance issues, we recommend using this to filter out groups not relevant to Dash Enterprise.

  8. Select Save.

The IdP groups you mapped will only be available in Dash Enterprise once a member of the group logs in.

Using Groups

Once a group is mapped from your IdP and a member of the group has logged in to Dash Enterprise (SAML and OIDC), or you’ve synced the groups (LDAP), you’ll see that group listed on the Groups page.


To view group details, select the group. Members displays the group members. Role mapping is where you can assign and unassign roles to all the group members at once. See Assigning Roles for more information on roles.

App owners can now use groups to control app co-ownership and viewer access in the Dash Enterprise App Manager.