Skip to main content
Map IdP Groups to piplanning.io Teams

Map the Identity Provider (IdP) Groups to Teams within piplanning.io via OIDC

Updated over 3 months ago

IMPORTANT
Once you have configured an OIDC Group Name for a piplanning.io Team you can only manage the Team via the Identity Provider (IdP).

To add or remove Users manually, clear the OIDC Group Name field first.

How to setup OIDC Group to piplanning.io Team mapping

With OIDC Group Mapping the following rules apply:

  • Users are automatically added or removed to the corresponding piplanning.io Team during the [Users] login process.

  • Your Identify Provider (IdP) becomes the single source of truth in this configuration.

Prerequisites

  • Ensure the IdP (providing the OIDC connection) returns a Group claim. Adjust the scope in the OIDC configuration in the RTE Cockpit > SSO if necessary.

  • A detailed guide for allowing Okta Group to be read by piplanning.io is below.

  • Ensure you complete the OIDC configuration to enable piplanning.io to read the Okta Groups. This Help Article to set up and enable Okta Groups to be read by piplanning.io is a very useful guide.

NOTE

Automatic Group mapping is currently supported for Okta and Microsoft's Entra ID.


Allow Okta Groups to be read by piplanning.io

  1. In the RTE Cockpit, navigate to Organization > Teams

  2. Edit the Team that you want to map to an OIDC Group

  3. Open the OpenID Connect Group tab under the Add members section

  4. Enter the Group name: Type in the Group name from your IdP in the OIDC Group name field.

  5. Assign a piplanning.io Role in the Group role field.

Do this to specify the default [piplanning.io] Role that will be assigned to all Users, of that Group / Team mapping, during login.

OIDC Group Name and piplanning.io Role assigned with OIDC Group Mapping configuration at the piplanning.io Team level.

IMPORTANT

OIDC Group names are case-sensitive

By following these steps, Users in the specific OIDC Groups will be automatically added to the respective Team, and assigned the respective Role upon login to piplanning.io.


piplanning.io Role Handling

piplanning.io Roles are global across the platform. For instance, if a user is part of multiple teams with different roles—like Member for Team A and Observer for Team B—they will be assigned the highest privilege role available (in this case, Member).


Example of piplanning.io Teams and Role mapping to OIDC Groups

An in-depth example is provided to clarify how teams and role mapping operate when integrating with an IDP. Please click on the image to enlarge.

piplanning.io Team and IdP Group assignment using OIDC protocol with SSO

Did this answer your question?