Mapping SSO_STS roles to Spectrum Technology Platform roles

Before mapping roles, ensure that you have enabled STS and SSO_STS authentication. If you are using the Location Intelligence Module, you must also update the Jackrabbit configuration file. For more information, see Using SSO_STS or Active Directory for Authentication.

When you configure Spectrum™ Technology Platform to use AD FS STS or AD FS SSO for authentication, by default the role values must match the Spectrum™ Technology Platform role names exactly in order for the role to be granted. For example, to grant the designer role, the role value you specify must be "designer".

You can map a non-matching SSO_STS role value to an existing Spectrum™ Technology Platform role name. You can also map an SSO_STS role value that has the same name as a Spectrum™ Technology Platform role to a different role. For example, one of the built-in roles is "designer". If you have an SSO_STS role value that is also named "designer" but you want it to map to another role, you can create a role map; the mapping takes precedence over the default name match.

To map an SSO_STS role value to an existing Spectrum role:

  1. Open a Web browser and go to http://server:port/jmx-console, where:
    • server is the IP address or host name of your Spectrum™ Technology Platform server.
    • port is the HTTP port used by Spectrum™ Technology Platform. The default is 8080.
  2. Select this property: com.pb.spectrum.platform.common.security.role:mappings=RoleMappings
    This property is visible only when you enable LDAP or SSO_STS authentication, and the Spectrum™ Technology Platform server is fully started.
  3. In the addMapping section, in the value field, enter the SSO_STS role value to map to a Spectrum™ Technology Platform role.
  4. In the roleName field, enter the Spectrum™ Technology Platform role to grant to users who have the SSO_STS role value you entered in the value field.
  5. Click Invoke.
    Users who have been assigned that SSO_STS role value will be granted the Spectrum™ Technology Platform role you specified the next time they log in.

    To remove a mapping, enter the SSO_STS role value you want to un-map in the value field in the removeMapping section of the JMX console. After the mapping is removed, that role value is granted a Spectrum™ Technology Platform role only if it exactly matches a role name.
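The following is an added example, not code from Spectrum™ Technology Platform, that models the resolution rules described above so you can see how a user's SSO_STS role values turn into granted Spectrum roles: an exact, case-sensitive name match grants the role by default, an addMapping entry overrides that match (so "designer" can be redirected to another role), and removeMapping restores the default behaviour. The role set `admin`, `designer`, `user` and the SSO_STS values used are constructed sample data, and the check that a mapping only targets an existing role is an assumption added for illustration.

```python
"""Model of SSO_STS role value -> Spectrum role resolution (added example)."""

# Constructed sample of Spectrum role names; "designer" is the built-in
# role named in the procedure, the others are assumed for illustration.
SPECTRUM_ROLES = {"admin", "designer", "user"}


class RoleMappings:
    """Mimics the RoleMappings JMX bean: addMapping / removeMapping / resolve."""

    def __init__(self, spectrum_roles):
        self.spectrum_roles = set(spectrum_roles)
        # value field (SSO_STS role value) -> roleName field (Spectrum role)
        self.mappings = {}

    def add_mapping(self, value, role_name):
        # Assumed check: refuse a mapping that points at a role that does not
        # exist, so a typo cannot silently grant nothing (or the wrong thing).
        if role_name not in self.spectrum_roles:
            raise ValueError(f"unknown Spectrum role: {role_name!r}")
        self.mappings[value] = role_name

    def remove_mapping(self, value):
        # Un-mapping a value that was never mapped is a no-op.
        self.mappings.pop(value, None)

    def resolve(self, sso_role_values):
        """Return the set of Spectrum roles granted for the given SSO_STS values."""
        granted = set()
        for value in sso_role_values:
            if value in self.mappings:
                # An explicit mapping wins, even when the value also equals
                # a Spectrum role name (e.g. "designer" remapped to "user").
                granted.add(self.mappings[value])
            elif value in self.spectrum_roles:
                # Default rule: the value must match a role name exactly
                # (case-sensitive); "Designer" does not grant "designer".
                granted.add(value)
            # Any other value grants nothing.
        return granted


def demo():
    """Walk through the scenarios from the procedure; returns the results."""
    rm = RoleMappings(SPECTRUM_ROLES)
    results = {}

    # 1. Default behaviour: only exact matches grant a role.
    results["default"] = rm.resolve(["designer", "Designer", "GIS-Editors"])

    # 2. Map a non-matching SSO_STS value onto an existing role.
    rm.add_mapping("GIS-Editors", "designer")
    results["mapped"] = rm.resolve(["GIS-Editors"])

    # 3. Map a value that collides with a role name onto a different role.
    rm.add_mapping("designer", "user")
    results["remapped"] = rm.resolve(["designer"])

    # 4. Remove the mapping; the exact-name match applies again.
    rm.remove_mapping("designer")
    results["unmapped"] = rm.resolve(["designer"])

    return results


if __name__ == "__main__":
    for name, roles in demo().items():
        print(f"{name}: {sorted(roles)}")
```

Mappings apply at the next login, as the procedure notes, so when auditing who holds a privileged role compare the current mapping table against the role values actually present in users' tokens rather than against their last session.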