piplanning.io

IMPORTANT Once you have configured an OIDC Group Name for a piplanning.io Team you can only manage the Team via the Identity Provider (IdP). ​ To add or remove Users manually, clear the OIDC Group Name field first.

How to setup OIDC Group to piplanning.io Team mapping

With OIDC Group Mapping the following rules apply:

Users are automatically added or removed to the corresponding piplanning.io Team during the [Users] login process.

Your Identify Provider (IdP) becomes the single source of truth in this configuration.

- Users are automatically added or removed to the corresponding piplanning.io Team during the [Users] login process. 
- Your Identify Provider (IdP) becomes the single source of truth in this configuration.

Ensure the IdP (providing the OIDC connection) returns a Group claim. Adjust the scope in the OIDC configuration in the RTE Cockpit &gt; SSO if necessary.

A detailed guide for allowing Okta Group to be read by piplanning.io is below.  

Ensure you complete the OIDC configuration to enable piplanning.io to read the Okta Groups. This <a href="https://help.piplanning.io/en/articles/109251-enable-okta-group-reading">Help Article to set up and enable Okta Groups to be read by piplanning.io</a> is a very useful guide.

- Ensure the IdP (providing the OIDC connection) returns a Group claim. Adjust the scope in the OIDC configuration in the RTE Cockpit &gt; SSO if necessary. 
- A detailed guide for allowing Okta Group to be read by piplanning.io is below. 
- Ensure you complete the OIDC configuration to enable piplanning.io to read the Okta Groups. This <a href="https://help.piplanning.io/en/articles/109251-enable-okta-group-reading">Help Article to set up and enable Okta Groups to be read by piplanning.io</a> is a very useful guide.

Automatic Group mapping is currently supported for Okta and Microsoft's Entra ID.

___________________________________________________________

Allow Okta Groups to be read by piplanning.io

In the RTE Cockpit, navigate to Organization &gt; Teams

Edit the Team that you want to map to an OIDC Group

Open the OpenID Connect Group tab under the Add members section

Enter the Group name: Type in the Group name from your IdP in the OIDC Group name field.

Assign a piplanning.io Role in the Group role field.

1. In the RTE Cockpit, navigate to Organization &gt; Teams
2. Edit the Team that you want to map to an OIDC Group
3. Open the OpenID Connect Group tab under the Add members section

4. Enter the Group name: Type in the Group name from your IdP in the OIDC Group name field. 
5. Assign a piplanning.io Role in the Group role field.

Do this to specify the default [piplanning.io] Role that will be assigned to all Users, of that Group / Team mapping, during login.

OIDC Group Name and piplanning.io Role assigned with OIDC Group Mapping configuration at the piplanning.io Team level.

OIDC Group names are case-sensitive

By following these steps, Users in the specific OIDC Groups will be automatically added to the respective Team, and assigned the respective Role upon login to piplanning.io.

piplanning.io Roles are global across the platform. For instance, if a user is part of multiple teams with different roles—like Member for Team A and Observer for Team B—they will be assigned the highest privilege role available (in this case, Member).

Example of piplanning.io Teams and Role mapping to OIDC Groups

An in-depth example is provided to clarify how teams and role mapping operate when integrating with an IDP. Please click on the image to enlarge.

How to setup OIDC Group to piplanning.io Team mapping

Prerequisites

Allow Okta Groups to be read by piplanning.io

piplanning.io Role Handling

Example of piplanning.io Teams and Role mapping to OIDC Groups