SAML single sign-on for Gemfury βeta

Group Mapping

Gemfury can automatically assign membership roles to users based on their group claims sent by your Identity Provider in the SAML assertion. This lets you control access levels without manually assigning roles to each new user.

How It Works

Group mapping is configured with two settings on your SAML provider:

Setting Description
Group Mapping A mapping of IdP group names to Gemfury roles.
Default Role Fallback role (Download only) when no group mapping matches.

Each time a user logs in via SAML, Gemfury resolves their role from the groups in the assertion as follows:

  1. If group mapping is not configured, or the IdP sent no groups, the default role is assigned.
  2. Each of the user’s groups is looked up in the mapping.
  3. If no groups match, the default role is assigned.
  4. If one group matches, that group’s role is assigned.
  5. If multiple groups match, the highest-privilege role wins.

This runs on every login, not only the first — see When Roles Are Assigned below for existing members.

Available Roles

Role Permissions Privilege
Owner Full access including organization administration Highest
Upload/download Upload and download packages
Download only Download packages only Lowest

Configuration Example

A group mapping that assigns roles based on three IdP groups:

IdP Group Gemfury Role
admins Owner
engineering Upload/download
viewers Download only

With this mapping, a user who belongs to both viewers and engineering in the IdP receives Upload/download because it outranks Download only.

User’s IdP Groups Resolved Role Reason
admins Owner Direct match
engineering Upload/download Direct match
viewers, engineering Upload/download Highest-privilege match
admins, viewers Owner Highest-privilege match
marketing (default role) No match in mapping
(none) (default role) No groups sent by IdP

When Roles Are Assigned

When group mapping is configured, a member’s role is re-synced from their IdP groups on every login, not just when they first join. Moving a user between mapped groups changes their role — both promotions and demotions — on their next sign-in.

Scenario Result
First SAML login, no existing membership Role set from group mapping
Subsequent SAML login, membership exists Role re-synced from current groups
User’s IdP groups change Role updated (promoted or demoted) on next login
User’s role was manually changed by owner Overwritten by group mapping on next login
Group mapping not configured Role left unchanged
groups attribute missing or misnamed Role left unchanged (ignored)

Group mapping is authoritative. When configured, it overrides manual role changes — a role edited in the dashboard is overwritten by the group-derived role on the user’s next login. Role sync only changes the role; it never removes a membership. To revoke access entirely, remove the user via SCIM or the Gemfury dashboard.

IdP Configuration

These steps are in addition to the base IdP configuration. Your IdP must include a multi-valued attribute named groups in the SAML assertion. Each value is a string representing a group name. Group names must exactly match the keys in your Gemfury group mapping (case-sensitive).

Example SAML attribute:

<saml:Attribute Name="groups">
  <saml:AttributeValue>engineering</saml:AttributeValue>
  <saml:AttributeValue>admins</saml:AttributeValue>
</saml:Attribute>
Okta

Add a Group Attribute Statement in the Gemfury SAML application:

  1. Go to your Gemfury application in Okta → SAML Settings
  2. Under Group Attribute Statements, add an entry:
    • Name: groups
    • Filter: select Matches regex with .* to send all groups, or use a more specific filter to limit which groups are included
  3. Save and update the metadata in Gemfury if needed
Microsoft Entra ID (Azure AD)

Configure a groups claim in the SAML token:

  1. In the Gemfury enterprise application, go to Single sign-onAttributes & Claims
  2. Add a group claim
  3. Select which groups to include (e.g., Groups assigned to the application)
  4. Under Source attribute, select Cloud-only group display names so that human-readable names are sent instead of Object IDs
  5. Set the Name of the claim to groups
Google Workspace

Use SAML attribute mapping to include group memberships:

  1. In the Gemfury SAML app settings, go to Attribute mapping
  2. Add a mapping for Group membership with the attribute name groups
  3. Select the groups to include

Disabling Group Mapping

If group mapping is not configured, all SAML-provisioned users receive the default role. This is appropriate when:

  • Your IdP does not send group claims
  • You prefer to assign roles manually after provisioning
  • All SAML users should have the same access level

Next