Does DX NetOps Portal SSO using SAML support groups from the IdP?

Article ID: 438175

Products

Network Observability CA Performance Management

Issue/Introduction

Goal

Confirm whether DX NetOps Portal supports group-based attribute mapping when using SAML 2.0 Single Sign-On (SSO) and provide configuration alternatives.

Question

Does NetOps Portal SSO using SAML support groups from the Identity Provider (IdP)? If yes, how is it configured?

Environment

  • Product: DX NetOps Performance Management
  • Component: NetOps Portal
  • Feature: SAML 2.0 Authentication for SSO

Cause

Currently, the DX NetOps Portal does not support groups in SAML SSO configurations. While an Identity Provider (IdP) can be configured to send group attributes in a SAML assertion, the NetOps Portal implementation is not designed to process or map these group claims to internal roles or permissions.

Resolution

Workaround / Recommendation

If you need to restrict or manage access based on groups, consider the following two options:

1. Restrict Access at the IdP Level (Recommended)

Most Identity Providers (such as Microsoft Entra ID/Azure, Okta, or ADFS) allow you to restrict application access to specific users or groups. By requiring user assignment at the IdP level:

  • Only users belonging to the authorized group in your IdP (for example, a group named "NetOps") will be granted a token.
  • Unauthorized users are blocked by the IdP and never reach the NetOps Portal login stage.

2. Use LDAP Authentication

If your requirement is for the NetOps Portal to perform internal role mapping based on group membership, use LDAP authentication instead of SAML. Unlike the SAML implementation, NetOps Portal LDAP configurations natively support LDAP group references for user authorization.