From 90640350ed488fcdb1a21c1cf3bf0e997aaa39b0 Mon Sep 17 00:00:00 2001 From: Mateusz Mandera Date: Mon, 14 Jul 2025 03:32:39 +0800 Subject: [PATCH] help: Add instructions for Okta-side configuration for SAML group sync. Also update plans and features table. Follow-up to #34671. --- help/saml-authentication.md | 52 +++++++++++++++++++ .../comparison_table_integrated.html | 11 ++++ templates/corporate/pricing_model.html | 2 +- 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/help/saml-authentication.md b/help/saml-authentication.md index e8cb98f451..fd9eec8a38 100644 --- a/help/saml-authentication.md +++ b/help/saml-authentication.md 
@@ -213,6 +213,57 @@ providers. Once SAML has been configured, consider also [configuring SCIM](/help/scim). +## Synchronizing group membership with SAML + +You can configure each Zulip user's [groups](/help/user-groups) to be updated based +on their groups in your Identity Provider's (IdP's) directory every time they +log in. + +Your IdP directory's group names don't have to match the associated Zulip group +names (e.g., membership in your IdP's group **finance** can be synced to +membership in the Zulip group **finance-department**). + +How Zulip translates received SAML groups to Zulip group memberships +is detailed in the [relevant section][saml-group-sync-readthedocs] the +main SAML documentation. [Contact support](/help/contact-support) with any questions. + +!!! tip "" + + It should be possible to set this up with any provider. If you're interested + in using this functionality with a provider other than Okta, reach out to + [support@zulip.com](mailto:support@zulip.com). + +{start_tabs} + +{tab|okta} + +1. Follow the instructions [above](#configure-saml) to configure SAML, and go to + the application you created for using SAML with Zulip in your + **Applications** menu. + +1. Select the **General** tab, and **Edit** the **SAML Settings** section. + +1. Proceed through the prompts until the main **Configure SAML** prompt. + +1. Scroll down below the **Attribute Statements** section (which you configured + when creating the app) to **Group Attribute Statements**. + +1. Add the following attribute: + * **Name**: `zulip_groups` + * **Name format**: `Unspecified` + * **Filter**: `Matches regex: .*` + + When a user signs in to Zulip via SAML, Okta will now include a list of the + user's groups in its response to the Zulip server. + +1. To enable this feature, please email + [support@zulip.com](mailto:support@zulip.com) with the following information: + * Your Zulip organization URL. + * Which groups should be synced from your IdP's directory. 
+ * Which groups should have a different name in Zulip (if any). + +{end_tabs} + ## Related articles * [SAML configuration for self-hosting][saml-readthedocs] @@ -220,3 +271,4 @@ providers. * [Moving to Zulip](/help/moving-to-zulip) [saml-readthedocs]: https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#saml +[saml-group-sync-readthedocs]: https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#synchronizing-group-membership-with-saml diff --git a/templates/corporate/comparison_table_integrated.html b/templates/corporate/comparison_table_integrated.html index 3deb9bc604..3f08fc98f5 100644 --- a/templates/corporate/comparison_table_integrated.html +++ b/templates/corporate/comparison_table_integrated.html @@ -799,6 +799,17 @@ + + SAML group sync + + + + + + + + + SCIM user sync diff --git a/templates/corporate/pricing_model.html b/templates/corporate/pricing_model.html index 09860e1fb0..e043fce415 100644 --- a/templates/corporate/pricing_model.html +++ b/templates/corporate/pricing_model.html @@ -379,7 +379,7 @@
  • Unlimited mobile notifications
  • Email, chat and phone support for:
  • SSO with OpenID Connect
  • -
  • AD/LDAP group sync
  • +
  • AD/LDAP and SAML group sync
  • SCIM sync
  • Implementation consulting
  • Custom feature development
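Review bot: In the first hunk of help/saml-authentication.md, step 5 sets the group attribute filter to `Matches regex: .*`, so Okta sends every group the user belongs to on each login, while step 6 asks the admin to tell support only which groups should be synced. Consider noting that the filter can be narrowed to the groups intended for sync, or stating whether groups outside that list are ignored on the Zulip side, so admins know what directory information leaves the IdP and what is done with it. In the same hunk, "the [relevant section][saml-group-sync-readthedocs] the main SAML documentation" is missing the word "of".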
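Review bot: In the link-reference hunk at the end of help/saml-authentication.md, the new `saml-group-sync-readthedocs` URL points at `/en/latest/`, while the existing `saml-readthedocs` reference directly above it uses `/en/stable/`. If this is deliberate because the section is not yet in the stable docs, the commit message should say so; otherwise use `/en/stable/` for consistency, so the help page does not link to documentation that may differ from the released server.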