Advanced SSO Features

Dynamic Permissioning with a Groups Claim

notion image
CreateiQ provides a method of managing your users' permissions using a groups claims provided by your corporate directory.
When this option is enabled, CreateiQ will disallow any SSO logins that lack a claim called 'groups' in the SAML Response from the SSO Identity Provider that you configure for your organisation in CreateiQ.

Technical Requirements

Exact name of the expected claim in SAML Responses: groups
Expected group names:
Exactly one group name beginning Role-:
  • Role-Super_manager
  • Role-Manager
  • Role-Read_only_manager
  • Role-Editor
  • Role-Approver
Zero to many group names beginning Ws-: These should be followed by the UUID of the CreateiQ Workspace(s) that a user should be able to access.
An easy way to view the UUIDs of all workspaces that exist in your account is to review the response of the context API call for a Super Manager user in CreateiQ when the application is refreshed. They're referenced as subAccounts.
Note: For the Super Manager role, which implicitly has access to all workspaces, the Ws- groups will be ignored.

More information coming soon

This document is an early draft. We're working closely with CreateiQ customers that requested this feature to apply it in their organisations. If your organisation is interested in using this feature please reach out to support@createiq.tech before activating it so that our team can support you.