Associate Identity Provider Groups to C3 Agentic AI Platform Roles
The C3 Agentic AI Platform enables you to configure rules that map groups from the Identity Provider (IdP) to roles in the C3 AI Platform.
The C3 Agentic AI Platform updates a user's role membership when they log into the C3 Agentic AI Platform using Security Assertion Markup Language (SAML) 2.0. Groups contained in the SAML 2.0 assertion can be mapped to C3 AI roles, and those roles can be assigned to the user during the SAML authentication flow.
Prerequisites
Before you can map SAML groups, you must configure SAML authentication.
Passing group memberships in the SAML 2.0 assertion
Group memberships for each user are passed from the IdP to C3 AI in the SAML assertion, which C3 AI accepts as part of the SAML 2.0 authentication flow. The C3 Agentic AI Platform requires IdP group membership to be declared using the groups claim.
Below is an example of a SAML 2.0 attribute statement that specifies the user is a member of the ReliabilityEngineer and AdministerModelOperations groups in the identity provider:
<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>ReliabilityEngineer</saml2:AttributeValue>
    <saml2:AttributeValue>AdministerModelOperations</saml2:AttributeValue>
</saml2:Attribute>
Consult your identity provider's documentation on how to send the groups attribute.
All assertion keys can be configured through SamlAssertionAttributeKeys, which is defined on the SamlSettings of the SamlIdpConfig.
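Before adding mappings, it helps to confirm what the IdP actually sends. The following Python script is an added example, not C3 AI code: it reads the attribute statement from an assertion you have captured from your own IdP, lists the values of the groups attribute, and compares them with the IdP groups you intend to map. The sample XML, the Contractors and PlatformAdmin group names, and the function names are constructed for illustration; the script matches the attribute name exactly and does not validate the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample fragment, not captured from a real IdP.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email">
    <saml2:AttributeValue>user@example.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>ReliabilityEngineer</saml2:AttributeValue>
    <saml2:AttributeValue>AdministerModelOperations</saml2:AttributeValue>
    <saml2:AttributeValue>Contractors</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

def _parse(xml_text):
    # Reject DTDs: ElementTree expands internal entities, and an assertion has no use for them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not accepted")
    return ET.fromstring(xml_text)

def attribute_names(xml_text):
    """Names of every attribute sent, to spot a groups claim arriving under another name."""
    return [a.get("Name") for a in _parse(xml_text).iter("{%s}Attribute" % NS)]

def extract_groups(xml_text, attr_name="groups"):
    """Values of the named attribute, in document order, duplicates dropped."""
    groups = []
    for attr in _parse(xml_text).iter("{%s}Attribute" % NS):
        if attr.get("Name") != attr_name:  # exact match is this script's assumption
            continue
        for value in attr.findall("{%s}AttributeValue" % NS):
            if value.text and value.text not in groups:
                groups.append(value.text)
    return groups

def audit(xml_text, mapped_idp_groups):
    """Compare groups in the assertion with the IdP groups you plan to map (hypothetical input)."""
    sent = extract_groups(xml_text)
    return {
        "sent": sent,
        "unmapped": [g for g in sent if g not in mapped_idp_groups],  # sent, no mapping planned
        "not_sent": sorted(set(mapped_idp_groups) - set(sent)),       # mapped, absent for this user
    }

if __name__ == "__main__":
    print(attribute_names(SAMPLE))
    print(audit(SAMPLE, {"ReliabilityEngineer", "AdministerModelOperations", "PlatformAdmin"}))
```

An empty "sent" list alongside a differently named attribute in attribute_names usually means the IdP is emitting the group claim under another key.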
Associating IdP groups to C3 AI user groups
You can map IdP groups to C3 AI user groups used by the C3 Agentic AI Platform and Applications.
Add a SAML group mapping
To add a mapping between a C3 AI user group and a SAML group:
UserGroup.forId("<C3UserGroupId>").addIdpGroupForIdp(SamlIdpConfig.forId("<appUrl>"), "<idpGroup>");
Remove a SAML group mapping
To remove a SAML group mapping:
UserGroup.forId("<C3UserGroupId>").removeIdpGroupForIdp(SamlIdpConfig.forId("<appUrl>"));