API Gateway 10.11 | Administering API Gateway | Operating API Gateway | System Settings | SAML SSO | How to enable SAML SSO in API Gateway? | Precedence in Group Mapping
 
Precedence in Group Mapping
This use case explains the precedence involved in mapping the logged in SSO users to API Gateway groups based on the SAML assertion.
*Precedence order in mapping the IdP group in the SAML assertion to API Gateway group
1. API Gateway checks whether a group mapping exists in the SSO - Group Mapping configuration for the group in the SAML assertion. If the group mapping exists, then the user is automatically mapped to target group specified in the SSO.
2. If the group mapping does not exist in the SSO - Group Mapping configuration, then API Gateway checks whether the group exists in the API Gateway. If the group exists in the API Gateway, then the user is mapped to that group.
3. If there is no group specified in the SSO - Group Mapping configuration, and if the group does not exist in API Gateway, then the user is mapped to the default, Everybody group.