Add a new idea Subscribe
Categories User Management
Created by Tobias Månsson
Created on Nov 13, 2025

RELATED IDEAS

[SSO] Map Active Directory Roles to Inriver Roles

How: Introduce a configuration interface where administrators can:

  • Select one or more Active Directory roles / security groups.

  • Map each AD role/group to a corresponding Inriver Role.

  • Define precedence rules in case a user belongs to multiple AD groups.

  • Optionally disable the current single default role logic.

When a user signs in via SSO:

  1. Inriver reads the user’s AD roles or groups from the SAML / OIDC claim.

  2. Inriver assigns the corresponding Inriver Role based on the admin-defined mapping.

  3. If no mapping exists, the user receives the default role (existing logic).

  4. If no default role is configured, the user gets no access, consistent with how Inriver handles unmapped default roles today.

Why: Today, Inriver supports only one default SSO role per environment, which:

  • Forces all first-time domain users into the same permission level.

  • Requires manual post-provisioning updates in Control Center.

  • Creates security risks because users may temporarily receive too much or too little access.

  • Does not reflect typical enterprise RBAC models based on identity provider roles.

Mapping AD roles to Inriver roles automates permissions, reduces admin overhead, and ensures users have the correct access the moment they log in.

For Who:

  • System administrators

  • IAM / security teams

  • Implementation partners managing customer environments

Impact:

  • Reduced administrative burden: No need to manually adjust roles for every new SSO user.

  • Improved security: Users only receive permissions aligned with their AD roles.

  • Scalability: Handles enterprise-level user management using existing identity provider processes.

  • Reduced support tickets: Less confusion over incorrect access or missing permissions.

Technical impact:

  • Requires reading additional claims from the SSO provider (SAML/OIDC).

  • Requires backend logic to match AD roles → Inriver roles.

  • Requires UI changes to allow admins/partners to configure mappings.

  • Existing default-role behavior remains but becomes optional or fallback.

Additional context: Based on Inriver’s documentation:

  • All domain users automatically receive a default inriver role upon first login.

  • Only one default role can be assigned per environment.

  • Default roles are only available if activated manually by Inriver.

  • Without a default role, new SSO users cannot access the environment at all.

This feature request extends that capability by enabling granular RBAC mapping, removing reliance on a single default role.

  • Attach files