Managing groups using SAML

Learn how to transfer group membership to FotoWeb using ADFS or another Identity Provider (IdP).

11. April 2025

Elaine Foley

Table of Contents

  • Default groups
  • Linked groups
  • Configuring a linked group
  • Example: Mapping AD groups to Fotoware groups in Microsoft ADFS
  • How are groups synchronized?
  • Example: How to assign different user licenses to different user groups?

There are two available options when managing groups with SAML. These are described below and can also be combined.

SAML has no concept of groups. Instead, groups are assigned based on SAML attributes, and the attribute mapping controls which SAML attribute is used for group assignment. Typically this is an attribute that can have multiple values, but that is not required. The name of the attribute depends on the identity provider.

Default groups

These are groups that are configured in Fotoware's SAML settings interface in the site configuration.

Go to Site Configuration > Security > Single Sign-on.

By defining at least one default group, all users who log in with SAML will be allowed access and placed in these default Fotoware groups on import.

For example, you can create a SAML Users group in Fotoware and add it as a default group. All users who log in using SAML SSO are placed in this group and assigned access to the system accordingly. In the example above, two default groups are defined: Everyone and Registered users. Users imported via SAML will be placed in these groups and assigned a license and permissions according to these groups' settings.

Linked groups

These are Fotoware groups that are linked to groups in the SAML Identity Provider (IdP). When using ADFS, the IdP is Active Directory.
When a user logs in with SAML SSO, they are added to one or more linked groups based on the group information obtained from the IdP.

For example, you can create a group called FW-Editors in Fotoware and configure it as a linked group so that all members of the Active Directory group AD-Editors are added to the corresponding FW-Editors group in Fotoware when they log in. This way, groups can be managed in the IdP, synced to Fotoware, and used for fine-grained access control based on group membership or other attributes set in the IdP.

Configuring a linked group

  1. Create a group in Fotoware.
  2. Set the group permissions, the license to apply to the group, and any parent group that the group should be nested in.
  3. In the group details, use the group attribute value that comes from the IdP as the SAML group name. In the example below, the value served by the IdP is adfs_editors.
  4. In the identity provider, configure an attribute mapping rule that sets the groups attribute to Editors for all users that are to be added to the Fotoware Editors group. For more information, see SAML - Fotoware Attribute Mapping.

How to perform this last step depends on the identity provider. For example, in Microsoft ADFS you can add a claim rule (a claim rule is what SAML calls an attribute mapping) of type Send group membership as claim: select the Active Directory group to be linked to the Fotoware group, set the outgoing claim type (the SAML attribute name) to Groups (or whatever SAML property name is used for the Fotoware Member of (Group) property; see the screenshot above), and set the outgoing claim value to the value that corresponds to the SAML group name in the group details in Fotoware.

This is described below. For more information, see the Microsoft documentation: https://docs.microsoft.com/en-us/win...hip-as-a-claim.

In the following, ADFS is used to illustrate the attributes that need to be mapped. However, the same can be accomplished by configuring Fotoware with a SAML interface toward other Identity Providers.

Example: Mapping AD groups to Fotoware groups in Microsoft ADFS

  1. In the ADFS manager, right-click the selected trust and select Edit Claim Issuance Policy.
  2. The Claim Issuance Policy dialog opens. Add one rule for every group you'd like to link to Fotoware.

     Note: In the above example, entry 3 in the list is the group claim. How to set up entries 1 and 2 (LDAP and Name ID mapping) is described later in this article.
  3. Select Add Rule... to create a new rule.
  4. From the drop-down list, choose Send Group Membership as a Claim.
  5. Enter the following information:

     Claim rule name: The name used to identify the rule. Enter a name that allows you to easily identify it later.

     Choice of group: Select the group to be synced to Fotoware. Use the Browse button to select a group in the identity provider (AD).

     Outgoing claim type: Select the SAML attribute name corresponding to the Fotoware Member of (Groups) property. It is typically called groups unless you've changed the default value; see the first screenshots in the article for details. This allows Fotoware to identify the transferred claim as a group attribute.

     Outgoing claim value: Enter a unique name to identify the group when linking it to a group in Fotoware. It does not have to be the same as the group's name, but it must be identical to the SAML group name specified in the Fotoware group (adfs_editors was used in the example Fotoware group above, as in the example below).

     It is also possible to specify multiple groups in the groups attribute, separated by commas. For example, a value of group1,group2 will cause the user to be added to the linked groups whose SAML group name is group1 or group2. How to set the attribute like this depends on the identity provider. To our knowledge, it is not easily possible in ADFS.
  6. Select OK.

How are groups synchronized?

On login, the user will be removed from any linked groups that have a SAML group name that is not listed in the groups attribute. This allows an administrator to revoke a user's access to resources in Fotoware by, for example, removing the user from a group in Active Directory. In no event is the user removed from any groups that do not have a SAML group name (i.e. that are not linked groups).

A user is permitted to log in to Fotoware via SAML SSO if and only if the user is added to at least one linked group, OR if at least one default group is configured.

This means that if any default groups are configured, then all users that can successfully sign in via SAML SSO have permission to log in to Fotoware, and if no default groups are configured, then membership of linked groups can be used to control access to Fotoware in general. Note that most SAML identity providers have configurable access control of their own as well, so it is possible to configure access control even when using default groups.

Example: How to assign different user licenses to different user groups?

Based on the information above, this example illustrates how to control the assignment of user licenses (Standard, Plus, Pro) based on group membership in the IdP. Note that the example is based on Fotoware Feature Release 13 - it won't work with previous versions.

  1. Create a group called AD Pro Users in Active Directory and add all users/groups that should receive a pro license to it.
  2. Create a group called FW Pro Users in Fotoware and set the default license to Pro.
  3. Set the SAML name of the group to pro_users.
  4. In ADFS, create a new Send Group Membership as a Claim rule.
  5. Select the AD group AD Pro Users.
  6. Set outgoing claim type (= SAML Attribute name) to groups (enter it manually, do not select from the drop-down list).
  7. Set outgoing claim value to pro_users.

Licenses can now be managed in AD by adding/removing users/groups to/from the AD Pro Users group.

(All the names and identifiers can be varied. The names here are placeholders chosen to illustrate which names must match and which need not.)
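As an added illustration (this is example code written for this article, not Fotoware's implementation), the following Python script models the rules from "How are groups synchronized?" together with the license example just above: it pulls the group values out of a constructed SAML assertion, accepting both a multi-valued attribute and the comma-separated form, and applies them to a set of linked groups and default groups. The assertion text, the attribute name `groups`, the Fotoware group names and the `extract_saml_groups` / `sync_groups` function names are all assumptions made for the example.

```python
# Added illustrative example (not Fotoware's code): how the "groups" SAML
# attribute drives linked-group and default-group membership on login.
from typing import Dict, Set, Tuple
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (assumption), shaped like what ADFS emits after
# "Send Group Membership as a Claim" rules whose outgoing claim type is "groups".
# The second value shows the comma-separated form the article mentions for other
# IdPs. Signature, subject and conditions are omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>adfs_editors</saml:AttributeValue>
      <saml:AttributeValue>pro_users,group1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>editor@example.invalid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_saml_groups(assertion_xml: str, attribute_name: str = "groups") -> Set[str]:
    """Return every value of the mapped group attribute.

    attribute_name is the SAML property name configured for the Fotoware
    "Member of (Group)" property. Multi-valued attributes and comma-separated
    values are both accepted; blank entries are ignored.
    """
    root = ET.fromstring(assertion_xml)
    found: Set[str] = set()
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            for name in (value.text or "").split(","):
                name = name.strip()
                if name:
                    found.add(name)
    return found


def sync_groups(
    current_groups: Set[str],
    linked_groups: Dict[str, str],
    default_groups: Set[str],
    saml_groups: Set[str],
) -> Tuple[Set[str], bool]:
    """Apply the synchronization rules the article describes.

    current_groups: Fotoware groups the user belonged to before this login
    linked_groups:  Fotoware group name -> its configured SAML group name
    default_groups: default groups from Site Configuration > Security > Single Sign-on
    saml_groups:    values of the groups attribute in this login's assertion

    Returns the user's new group set and whether login is permitted.
    """
    membership = set(current_groups)
    matched_linked = False
    for fw_group, saml_name in linked_groups.items():
        if saml_name in saml_groups:
            membership.add(fw_group)
            matched_linked = True
        else:
            # Linked group no longer asserted by the IdP: revoke it. Groups that
            # have no SAML group name are never touched by this loop.
            membership.discard(fw_group)
    # Default groups are always added to every SAML user.
    membership |= default_groups
    # Login is allowed iff at least one linked group matched OR a default group exists.
    allowed = matched_linked or bool(default_groups)
    return membership, allowed


if __name__ == "__main__":
    # "FW Pro Users" linked to pro_users mirrors the license example in the article.
    linked = {"FW-Editors": "adfs_editors", "FW Pro Users": "pro_users", "FW-Group1": "group1"}
    groups = extract_saml_groups(SAMPLE_ASSERTION)
    print(sync_groups({"Manual Group"}, linked, set(), groups))
```

The revocation branch is the part worth checking in a real deployment: removing a user from AD Pro Users must drop them from FW Pro Users on the next login, while a group they were added to by hand in Fotoware (one without a SAML group name) must survive. The `allowed` flag also makes the access-control trade-off visible: as soon as any default group is configured, every user the IdP authenticates can log in, so access restriction then has to happen in the IdP.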
