You can configure roles for your AEB product. You have three different options when assigning roles:
- Option 1: Roles assigned in your IdP.
- Option 2: Roles assigned in the AEB product.
- Option 3: Default role when logging in.
You can also mix these options in a hybrid model. More information can be found in the “Hybrid model” section.
Option 1: Roles assigned in your IdP
This option offers you the greatest flexibility for assigning roles within the system. It’s up to you to determine the form in which this occurs (groups, attributes). The roles are emitted in the token and a mapping takes place during sign-on to the AEB products.
Advantage: You have full control over role assignment and greater flexibility in assigning roles to your employees, as not every user has to be created and linked manually in the AEB product. This makes it easier to manage a large number of users.
Disadvantage: The application owner must have the technical capacity to assign the roles.
The following graphic provides an overview of the technical correlations:
Option 2: Roles assigned in the AEB product
With this option, you manage your roles in the AEB product and assign them to linked users. The corresponding user must already exist as a linked account in your AEB product or, if you’re using nEXt, the user must be defined beforehand through an initial login.
Advantage: The application owner has the option to assign roles in the AEB product itself.
Disadvantage: The application owner is responsible for manually creating each user as a linked account beforehand. With many users, manual role assignment can therefore become impractical.
The following graphic provides an overview of the technical correlations:
Option 3: Default role used during login
All users are assigned the same role during login. This is a default role that grants basic access. Further control of which user has access to the application is carried out in your identity provider.
Advantage: You don’t need to configure any roles. This option is useful if most users need the same role and you don’t wish to configure any roles on your end.
Disadvantage: Static assignment is quite inflexible.
Hybrid model
You can also assign a default role to a majority of users and assign roles locally to certain users.
Example:
- You have 100 employees working in compliance.
- 95 employees need the same rights.
- 5 employees need administrator rights.
Solution:
- AEB assigns a default role to all employees in the AEB IAM.
- You create employees with different roles as linked objects in the AEB product and assign them the necessary roles.
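The following Python sketch is an added example, not AEB code or configuration. It shows how the token mapping from Option 1 and the hybrid model above could resolve a user's roles. The claim names (`email`, `groups`), the group and role names, and the rule for combining token, local and default roles are all assumptions.

```python
# Added illustration; every name below is hypothetical, not AEB configuration.
DEFAULT_ROLE = "compliance-basic"            # Option 3: role given at login
GROUP_TO_ROLE = {                            # Option 1: IdP group -> product role
    "grp-compliance-admins": "compliance-admin",
    "grp-compliance-users": "compliance-basic",
}


def resolve_roles(claims, local_roles, group_to_role=GROUP_TO_ROLE,
                  default_role=DEFAULT_ROLE):
    """Return (roles, ignored_groups) for claims of an already validated token.

    Assumption: token roles and locally assigned roles are combined, and the
    default role applies only when neither yields a role.
    """
    user = (claims.get("email") or "").strip().lower()
    if not user:
        raise ValueError("token carries no user identifier")
    groups = claims.get("groups") or []
    if isinstance(groups, str):              # a single value may arrive as a string
        groups = [groups]
    roles, ignored = set(), []
    for group in groups:
        if group in group_to_role:           # allow-list: only mapped groups count
            roles.add(group_to_role[group])
        else:
            ignored.append(group)            # never turn an unknown group into a role
    roles |= set(local_roles.get(user, ()))  # Option 2: roles on linked accounts
    if not roles:
        roles.add(default_role)
    return roles, sorted(ignored)


def users_with_role(all_claims, local_roles, role):
    """List users whose resolved roles include `role` (e.g. to review admins)."""
    return sorted(c["email"] for c in all_claims
                  if role in resolve_roles(c, local_roles)[0])


# Constructed data for the hybrid example: 100 employees, 5 need admin rights.
EMPLOYEES = [{"email": f"user{i:03d}@example.com", "groups": []} for i in range(100)]
LOCAL_ROLES = {f"user{i:03d}@example.com": {"compliance-admin"} for i in range(5)}

if __name__ == "__main__":
    admins = users_with_role(EMPLOYEES, LOCAL_ROLES, "compliance-admin")
    basic = users_with_role(EMPLOYEES, LOCAL_ROLES, DEFAULT_ROLE)
    print(len(admins), "administrators,", len(basic), "with the default role")
```

Listing the users who resolve to the administrator role, as `users_with_role` does, is a quick way to review that a hybrid setup grants elevated rights only to the intended accounts.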
How do I set up single sign-on (SSO)?
The following setup step is required to set up single sign-on:
- Setting up single sign-on via identity and access management. You can find configuration examples in the following articles:
  - Setting up single sign-on (SSO) via Microsoft Azure Active Directory via OpenID Connect
  - Setting up single sign-on (SSO) via Microsoft AD FS