Gemfury can automatically assign membership roles to users based on their group claims sent by your Identity Provider in the SAML assertion. This lets you control access levels without manually assigning roles to each new user.
How It Works
Group mapping is configured with two settings on your SAML provider:
| Setting | Description |
|---|---|
| Group Mapping | A mapping of IdP group names to Gemfury roles. |
| Default Role | Fallback role (Download only) when no group mapping matches. |
Each time a user logs in via SAML, Gemfury resolves their role from the groups in the assertion as follows:
- If group mapping is not configured, or the IdP sent no groups, the default role is assigned.
- Each of the user’s groups is looked up in the mapping.
- If no groups match, the default role is assigned.
- If one group matches, that group’s role is assigned.
- If multiple groups match, the highest-privilege role wins.
This runs on every login, not only the first — see When Roles Are Assigned below for existing members.
Available Roles
| Role | Permissions | Privilege |
|---|---|---|
| Owner | Full access including organization administration | Highest |
| Upload/download | Upload and download packages | ↓ |
| Download only | Download packages only | Lowest |
Configuration Example
A group mapping that assigns roles based on three IdP groups:
| IdP Group | Gemfury Role |
|---|---|
admins |
Owner |
engineering |
Upload/download |
viewers |
Download only |
With this mapping, a user who belongs to both viewers and engineering in
the IdP receives Upload/download because it outranks Download only.
| User’s IdP Groups | Resolved Role | Reason |
|---|---|---|
admins |
Owner | Direct match |
engineering |
Upload/download | Direct match |
viewers, engineering
|
Upload/download | Highest-privilege match |
admins, viewers
|
Owner | Highest-privilege match |
marketing |
(default role) | No match in mapping |
| (none) | (default role) | No groups sent by IdP |
When Roles Are Assigned
When group mapping is configured, a member’s role is re-synced from their IdP groups on every login, not just when they first join. Moving a user between mapped groups changes their role — both promotions and demotions — on their next sign-in.
| Scenario | Result |
|---|---|
| First SAML login, no existing membership | Role set from group mapping |
| Subsequent SAML login, membership exists | Role re-synced from current groups |
| User’s IdP groups change | Role updated (promoted or demoted) on next login |
| User’s role was manually changed by owner | Overwritten by group mapping on next login |
| Group mapping not configured | Role left unchanged |
groups attribute missing or misnamed |
Role left unchanged (ignored) |
Group mapping is authoritative. When configured, it overrides manual role changes — a role edited in the dashboard is overwritten by the group-derived role on the user’s next login. Role sync only changes the role; it never removes a membership. To revoke access entirely, remove the user via SCIM or the Gemfury dashboard.
IdP Configuration
These steps are in addition to the base IdP configuration.
Your IdP must include a multi-valued attribute named groups in the SAML
assertion. Each value is a string representing a group name. Group names must
exactly match the keys in your Gemfury group mapping (case-sensitive).
Example SAML attribute:
<saml:Attribute Name="groups">
<saml:AttributeValue>engineering</saml:AttributeValue>
<saml:AttributeValue>admins</saml:AttributeValue>
</saml:Attribute>
Okta
Add a Group Attribute Statement in the Gemfury SAML application:
- Go to your Gemfury application in Okta → SAML Settings
- Under Group Attribute Statements, add an entry:
-
Name:
groups -
Filter: select Matches regex with
.*to send all groups, or use a more specific filter to limit which groups are included
-
Name:
- Save and update the metadata in Gemfury if needed
Microsoft Entra ID (Azure AD)
Configure a groups claim in the SAML token:
- In the Gemfury enterprise application, go to Single sign-on → Attributes & Claims
- Add a group claim
- Select which groups to include (e.g., Groups assigned to the application)
- Under Source attribute, select Cloud-only group display names so that human-readable names are sent instead of Object IDs
- Set the Name of the claim to
groups
Google Workspace
Use SAML attribute mapping to include group memberships:
- In the Gemfury SAML app settings, go to Attribute mapping
- Add a mapping for Group membership with the attribute name
groups - Select the groups to include
Disabling Group Mapping
If group mapping is not configured, all SAML-provisioned users receive the default role. This is appropriate when:
- Your IdP does not send group claims
- You prefer to assign roles manually after provisioning
- All SAML users should have the same access level