Gemfury can automatically assign membership roles to users based on their group claims sent by your Identity Provider in the SAML assertion. This lets you control access levels without manually assigning roles to each new user.
How It Works
Group mapping is configured with two settings on your SAML provider:
| Setting | Description |
|---|---|
| Group Mapping | A mapping of IdP group names to Gemfury roles. |
| Default Role | Fallback role (Download only) when no group mapping matches. |
When a user logs in via SAML for the first time and is provisioned into your organization, Gemfury resolves their role as follows:
- If group mapping is not configured, or the IdP sent no groups, the default role is assigned.
- Each of the user’s groups is looked up in the mapping.
- If no groups match, the default role is assigned.
- If one group matches, that group’s role is assigned.
- If multiple groups match, the highest-privilege role wins.
Available Roles
| Role | Permissions | Privilege |
|---|---|---|
| Owner | Full access including organization administration | Highest |
| Upload/download | Upload and download packages | ↓ |
| Download only | Download packages only | Lowest |
Configuration Example
A group mapping that assigns roles based on three IdP groups:
| IdP Group | Gemfury Role |
|---|---|
admins |
Owner |
engineering |
Upload/download |
viewers |
Download only |
With this mapping, a user who belongs to both viewers and engineering in
the IdP receives Upload/download because it outranks Download only.
| User’s IdP Groups | Resolved Role | Reason |
|---|---|---|
admins |
Owner | Direct match |
engineering |
Upload/download | Direct match |
viewers, engineering
|
Upload/download | Highest-privilege match |
admins, viewers
|
Owner | Highest-privilege match |
marketing |
(default role) | No match in mapping |
| (none) | (default role) | No groups sent by IdP |
When Roles Are Assigned
Group-based roles are assigned only at initial provisioning — when a membership is first created for the user. Once a user has a membership in your organization, subsequent SAML logins do not change their role.
| Scenario | Result |
|---|---|
| First SAML login, no existing membership | Role set from group mapping |
| Subsequent SAML login, membership exists | Role unchanged |
| User’s role was manually changed by owner | Role unchanged |
| User’s IdP groups change after provisioning | Existing role preserved |
| User was previously invited and accepted | Existing role preserved |
To change a user’s role after provisioning, an organization owner must update it manually in the Gemfury dashboard.
IdP Configuration
These steps are in addition to the base IdP configuration.
Your IdP must include a multi-valued attribute named groups in the SAML
assertion. Each value is a string representing a group name. Group names must
exactly match the keys in your Gemfury group mapping (case-sensitive).
Example SAML attribute:
<saml:Attribute Name="groups">
<saml:AttributeValue>engineering</saml:AttributeValue>
<saml:AttributeValue>admins</saml:AttributeValue>
</saml:Attribute>
Okta
Add a Group Attribute Statement in the Gemfury SAML application:
- Go to your Gemfury application in Okta → SAML Settings
- Under Group Attribute Statements, add an entry:
-
Name:
groups -
Filter: select Matches regex with
.*to send all groups, or use a more specific filter to limit which groups are included
-
Name:
- Save and update the metadata in Gemfury if needed
Microsoft Entra ID (Azure AD)
Configure a groups claim in the SAML token:
- In the Gemfury enterprise application, go to Single sign-on → Attributes & Claims
- Add a group claim
- Select which groups to include (e.g., Groups assigned to the application)
- Under Source attribute, select Cloud-only group display names so that human-readable names are sent instead of Object IDs
- Set the Name of the claim to
groups
Google Workspace
Use SAML attribute mapping to include group memberships:
- In the Gemfury SAML app settings, go to Attribute mapping
- Add a mapping for Group membership with the attribute name
groups - Select the groups to include
Disabling Group Mapping
If group mapping is not configured, all SAML-provisioned users receive the default role. This is appropriate when:
- Your IdP does not send group claims
- You prefer to assign roles manually after provisioning
- All SAML users should have the same access level