Purplepass automatically detects standard group and role claims passed by your identity provider (IdP) during SSO login, with no special claim labeling required on your end. This article covers the claim naming conventions Purplepass looks for.
For an overview of how groups, roles, custom claims, and flags work together to restrict ticket access, see Restricting Ticket Access with SSO: Groups, Roles, Custom Claims & Flags.
Default claim names Purplepass recognizes
Purplepass automatically reads group and role information whenever the claim name passed by your IdP matches one of the patterns below.
Groups
Purplepass treats a claim as a group claim when the claim name ends with either:
groups
claims/groups
Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Roles
Purplepass treats a claim as a role claim when the claim name ends with either:
roles
claims/roles
Example: http://schemas.microsoft.com/ws/2008/06/identity/claims/roles
Singular and plural forms are both supported
Most identity providers send the plural form (groups, roles), but some send the singular form (group, role). Purplepass supports both, so you don't need to adjust your IdP's default naming convention.
Matching is case-insensitive
Claim values are not case-sensitive when matched against your configured SSO groups. For example, student, Student, and STUDENT are all treated as the same value.
Example
Your IdP passes a group claim whose value is FacultyStaff, or a role claim whose value is Undergraduate. In the Purplepass dashboard, you'd create an SSO group targeting FacultyStaff or Undergraduate, then restrict the relevant ticket type to that group. Anyone whose group or role claim matches will be granted access.
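The matching rules described above, written out as a short Python sketch you can run against the attributes your IdP releases to see which ones would be read as group or role claims. This is an added example, not Purplepass's own code: the function names and sample claims are constructed, and the literal suffix test and case-insensitive handling of claim names are assumptions (the article states case-insensitivity only for claim values).

```python
# Added illustration of the documented matching rules; not Purplepass code.
# Plural and singular endings. "claims/groups" and "claims/roles" are already
# covered by the shorter suffixes, so they need no separate entry.
GROUP_SUFFIXES = ("groups", "group")
ROLE_SUFFIXES = ("roles", "role")


def classify_claim(name):
    """Return 'group', 'role' or None for a claim name."""
    lowered = name.lower()  # assumption: claim names are compared ignoring case
    # Assumption: a literal "ends with" test, as the article words it. Under
    # this reading a custom attribute such as ".../workgroup" also counts.
    if lowered.endswith(GROUP_SUFFIXES):
        return "group"
    if lowered.endswith(ROLE_SUFFIXES):
        return "role"
    return None


def matched_sso_groups(claims, configured_groups):
    """Return the configured SSO groups matched by any group or role claim value."""
    wanted = {g.casefold(): g for g in configured_groups}
    hits = set()
    for name, values in claims.items():
        if classify_claim(name) is None:
            continue  # not read as a group or role claim
        if isinstance(values, str):
            values = [values]  # single-valued claim
        for value in values:
            key = value.casefold()  # values match case-insensitively
            if key in wanted:
                hits.add(wanted[key])
    return hits


# Constructed sample of claims released by an IdP at login.
SAMPLE_CLAIMS = {
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": ["FacultyStaff"],
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "UNDERGRADUATE",
    "email": "pat@example.edu",
}

if __name__ == "__main__":
    for claim_name in SAMPLE_CLAIMS:
        print(classify_claim(claim_name), claim_name)
    print(sorted(matched_sso_groups(SAMPLE_CLAIMS, ["FacultyStaff", "Undergraduate"])))
```

Running it against your own attribute list shows which attributes would feed ticket restrictions under these assumptions, so you can confirm that only directory-managed attributes end in these suffixes.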
Need more granular targeting?
Groups and roles work well for broad, ongoing categories. If you need to target users by a specific attribute value (such as a graduation term) or a simple yes/no condition, see Configuring SSO Custom Claims & Flags for Restricted Ticket Access.
See Restricting Ticket Access with SSO: Groups, Roles, Custom Claims & Flags for instructions on how to target access using SSO.