Managing Mapping Rules
In Veeam Service Provider Console, a mapping rule is a set of parameters that identifies a user by claim values in the SAML assertion and applies a specific role to the identity of that user. If a suitable user identity does not exist, Veeam Service Provider Console creates a new user identity with the role applied.
A mapping rule is selected by matching claim values in the SAML assertion against the rule configuration in the following order:
- All mapping rules.
- All enabled rules.
- Rules with matching additional attributes.
- Rules with matching organization attribute.
- Rules for roles available in the matching organization.
- Rules with the highest number of additional attributes.
- Rule with the maximum privileges.
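The selection order above can be modelled to predict which rule a given assertion lands on before a rule set goes live. This is an added example, not Veeam code: the `Rule` structure, the claim names, the `equals`/`regex` expression names, the privilege ranking and the whole-value regex match (Python `re` standing in for .NET regex) are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed ranking for the final tie-break; the page gives no ordering.
PRIVILEGE = {"Read-only User": 1, "Portal Operator": 2, "Portal Administrator": 3}

@dataclass
class Rule:
    name: str
    role: str
    org_claim: str                 # claim that carries the organization alias or name
    enabled: bool = True
    conditions: list = field(default_factory=list)   # (claim, expression, value)

def condition_holds(claims, claim, expression, value):
    actual = claims.get(claim)
    if actual is None:
        return False
    if expression == "regex":      # Python re stands in for .NET regex; whole-value match assumed
        return re.fullmatch(value, actual) is not None
    return actual == value         # "equals" (hypothetical expression name)

def select_rule(rules, claims, org_roles):
    """org_roles maps an organization alias to the roles available in it."""
    pool = [r for r in rules if r.enabled]
    pool = [r for r in pool if all(condition_holds(claims, *c) for c in r.conditions)]
    pool = [r for r in pool if claims.get(r.org_claim) in org_roles]
    pool = [r for r in pool if r.role in org_roles[claims[r.org_claim]]]
    if not pool:
        return None
    most = max(len(r.conditions) for r in pool)
    pool = [r for r in pool if len(r.conditions) == most]
    return max(pool, key=lambda r: PRIVILEGE[r.role])

# Constructed rule set and organization, for illustration only.
RULES = [
    Rule("helpdesk-ro", "Read-only User", "org", conditions=[("group", "equals", "helpdesk")]),
    Rule("ops", "Portal Operator", "org", conditions=[("group", "regex", r"help.*")]),
    Rule("admins", "Portal Administrator", "org",
         conditions=[("group", "equals", "vspc-admins"), ("mfa", "equals", "true")]),
    Rule("legacy-admin", "Portal Administrator", "org", enabled=False),
    Rule("catch-all", "Portal Administrator", "org"),   # no additional attributes
]
ORG_ROLES = {"provider": set(PRIVILEGE)}

if __name__ == "__main__":
    for claims in ({"org": "provider", "group": "helpdesk"},
                   {"org": "provider", "group": "contractors"}):
        print(claims, "->", select_rule(RULES, claims, ORG_ROLES).name)
```

In this constructed set, the `helpdesk` assertion resolves to `ops` because the overlapping regex rule ties on attribute count and wins on privilege, and an assertion that matches no additional attributes falls through to the `catch-all` Portal Administrator rule. Both outcomes are worth checking for when reviewing a rule set against least privilege.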
Required Privileges
To perform the following tasks, a user must have the following role assigned: Portal Administrator.
To configure a mapping rule:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Roles & Users.
- On the My Company or Managed Companies tab, navigate to SSO Rules.
- At the top of the rules list, click New.
The New Authorization Rule wizard will open.
- At the Rule Info step of the wizard, specify a name and description for the user identity.
- At the Role step of the wizard, from the Role drop-down list, select a role that will be applied to the user.
For details on user roles, see Managing Administrator Portal Users.
- At the next step, select companies or locations that must be assigned to a user:
  - At the Companies step of the wizard, you can select which scope of companies is available to the user. To do that:
    - Select the Selected companies only option.
    - Click the (Configure...) link.
      The Companies window will open.
    - Select the companies that the user can manage and click Apply.
      Note that you cannot assign companies managed by resellers to Portal Operators and Read-only Users.
  - [For the Location Administrator and Location User user roles] At the Locations step of the wizard, you can assign locations listed in the claim on the IdP side to a user identity. To do that:
    - Select the Receive locations list from the identity provider option.
    - In the Specify claim with the managed locations list field, specify the name of the IdP claim that contains a list of locations separated by semicolons.
      The location list is compared with the set of locations assigned to the company of the user. Matching locations are assigned to the SSO user identity.
- At the Conditions step of the wizard, specify the name of the attribute that will be matched with the claim attribute containing the alias or name of the user organization.
You can provide additional mappings for more accurate rule selection. To do that:
  - Click Add.
  - In the Claim field, specify the name of the claim attribute.
  - From the Expression drop-down list, select the expression type.
  - In the Value field, specify the claim attribute value.
    Note that for the Regular expression expression type, you must specify the value in the .NET regular expression format. For details, see Microsoft Documentation.
You can add any number of additional mappings.
- Click Next.
- Review the configured mapping rule and click Finish.
Important!
For the IdP to successfully identify authorizing users, you must provide an email address of each user in the IdP service and in Veeam Service Provider Console. For details on how to add an email address to a user profile in Veeam Service Provider Console, see Filling User Profile.
Note:
For users with the Service Provider Global Administrator and Company Owner roles assigned, new identities will not be created if matching identities are not found. To avoid authorization issues, make sure that email addresses are specified in the related company profiles as described in the Step 2. Specify Reseller Details and Step 2. Specify Company Details sections.
Editing Mapping Rules
To edit a mapping rule configuration:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Roles & Users.
- On the My Company or Managed Companies tab, navigate to SSO Rules.
- Select a mapping rule from the list.
- At the top of the list, click Edit.
Alternatively, you can right-click the necessary mapping rule and choose Edit.
The Edit Authorization Rule wizard will open.
- Modify mapping rule settings as described in Creating Mapping Rules.
- Click Finish.
Deleting Mapping Rules
You can delete mapping rules. After you delete a mapping rule, all user identities created using the rule are also deleted.
To delete a mapping rule:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Roles & Users.
- On the My Company or Managed Companies tab, navigate to SSO Rules.
- Select a mapping rule from the list.
- At the top of the list, click Remove.
Alternatively, you can right-click the necessary mapping rule and choose Remove.
Disabling Mapping Rules
To prevent user identities created with a mapping rule from accessing Veeam Service Provider Console, you can disable that rule:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Roles & Users.
- On the My Company or Managed Companies tab, navigate to SSO Rules.
- Select a mapping rule from the list.
- At the top of the list, click Disable.
Alternatively, you can right-click the necessary mapping rule and choose Disable.
Viewing Mapping Rule Details
To view details on configured mapping rules:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Roles & Users.
- On the My Company or Managed Companies tab, navigate to SSO Rules.
Each mapping rule in the list is described with the following set of properties:
- Rule Status — mapping rule status.
- Rule Name — name of the mapping rule.
- Role — user role for which the mapping rule is configured.
- Mapping Conditions — number of mapping conditions.
You can click this property to view details of the mapping conditions.
- Managed Companies — list of companies that are managed by the user.
- Identity Provider — display name of the IdP.
- Identity Provider Status — status of the IdP.
- Description — mapping rule description.
Importing and Exporting Identity Provider Mapping Rules
You can export mapping rules configured for an IdP and import them to another IdP. To do that:
- Log in to Veeam Service Provider Console.
For details, see Accessing Veeam Service Provider Console.
- At the top right corner of the Veeam Service Provider Console window, click Configuration.
- In the configuration menu on the left, click Security.
- Open the Single Sign-On tab.
- Select the identity provider whose mapping rules you want to export.
- From the Configuration drop-down list, select Export Mapping Rules.
Alternatively, you can right-click the necessary identity provider, choose Configuration and select Export Mapping Rules.
The JSON file containing mapping rules will be automatically downloaded to your computer.
- Select the identity provider to which you want to import mapping rules.
- From the Configuration drop-down list, select Import Mapping Rules.
Alternatively, you can right-click the necessary identity provider, choose Configuration and select Import Mapping Rules.
The file explorer window will open.
- Select the previously downloaded JSON file.