Procedure
1 - In Microsoft Azure, go to the Groups area within Azure Active Directory and locate the groups to be mapped. Each group's Object Id (a GUID) is what the groups claim carries, so note the Object Id rather than the display name. This procedure assumes the Azure app registration behind the IdP is already configured to include the groups claim in its tokens.
The following screen capture illustrates the two sample groups we are using for this example:

Keep this window open for use in a later step.
2 - Open your Tridion Sites website.
3 - From the slide-out navigation, select Access Management.
The Identity providers tab shows a list of existing IdPs.
4 - Select the Azure IdP and open it for editing.
5 - Define the "Administrators" group, as follows:
- In the Access settings section, select Add claim.
Fields appear in which you can define a type:value pair.
- In the Type field, type "groups". (For a SAML IdP, the claim type would instead be the full claim URI, for example http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.)
- Switch to the Azure Groups window, open the Administrators group, and copy its Object Id to your clipboard.
- Return to Access Management, and paste the Object Id into the Value field.
- In the list of Applications, select Tridion Sites Classic (UI only) and Tridion Sites Experience Space.
- In the list of Services and Roles, for Tridion Sites Content Manager API, select Administrator.
The following screen capture illustrates the steps you just completed:
With these settings, any user in this group will be able to log in to a Content Manager (Classic or Experience Space) application and will be part of the System Administrators group.
The Administrator role in Access Management is pre-mapped to the System Administrator user group in the Content Manager Explorer, so no additional mapping is needed.
6 - Define the Azure "Editors" group, as follows:
- In the Forwarded claims section, click Add forwarded claim.
- In the field that appears, enter "groups". This passes the groups claim on to Content Manager, which needs it for the group mapping in step 10.
- In the Access settings section, select Add claim.
- In the Type field, type "groups".
- Switch to the Azure Groups window, open the Editors group, and copy its Object Id to your clipboard.
- Return to Access Management, and paste the Object Id into the Value field.
- In the list of Applications, select Tridion Sites Classic (UI only) and Tridion Sites Experience Space.
- In the list of Services and Roles, for Tridion Sites Content Manager API, select User.
The following screen capture illustrates the steps you just completed:

This step gives the Azure "Editors" group only general access to the Content Manager applications; it grants no rights or permissions within Content Manager.
You still need to complete the remaining steps to map the group to a Content Manager group and so give its members actual rights and permissions in the system.
This is different from the Administrators group, whose Administrator role is already mapped to System Administrator.
7 - Select Save.
Access Management returns you to the list of identity providers.
8 - From the slide-out navigation, select Content Explorer.
9 - Go to Administration > User Management > Groups.
10 - Open the "Editors" group for editing, and do the following:
- Go to the Members tab.
- At the bottom of the screen, in the Group Mapping Configurations area, select Add.
- Enter the following to define the mapping for the forwarded "groups" claim:
  - Identity Provider: select Tridion.AccessManagement (this applies to any IdP that is configured through Access Management).
  - Claim Type: type "groups" (same as in Access Management).
  - Claim Value: paste the Object Id of the Azure Editors group (same value as in Access Management).
  - Description: optionally, add text to describe the purpose of the mapping.
- In the ribbon, select Save and Close.
You are returned to the Members tab where it now shows the new group mapping, as in the following screen capture:

Results
You have now mapped two Azure groups, Administrators and Editors, to the Content Manager groups System Administrator and Editors.
To verify the mappings, open a new browser window in incognito mode, and try logging in to Content Manager Explorer as two different users, each belonging to one of the mapped groups.
Once in Content Manager, you can check whether you have System Administrator access or only editor-level access by the presence or absence of the Administration panel in the left navigation area.
If a test user gets no access at all, decode that user's id_token and confirm that the groups claim is present and contains the Object Id you pasted. Azure AD omits the groups claim and emits an overage indicator instead for users who belong to more groups than fit in the token; such users will not match either mapping.
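The following is an added example (not code from the page, from RWS, or from Tridion Sites) that models the mapping just configured so you can check, offline, what a given id_token would be granted. It decodes the token's payload, looks up the groups claim against the two Object Ids, applies the same grants as steps 5, 6 and 10, and flags the Azure AD groups-overage case, where the claim is absent and `_claim_names` is present. The GUIDs, the `GRANTS` table and the helper names are assumptions made for the example; the tokens it builds are unsigned and constructed for testing, and decoding here deliberately skips signature verification because it inspects a token from your own session, not one an application should trust.

```python
import base64
import json

# Object Ids of the two Azure AD groups mapped in the procedure.  These GUIDs are
# placeholders (an assumption of this example): replace them with the Object Ids
# copied from the Azure Groups blade in step 1.
AZURE_GROUP_IDS = {
    "11111111-1111-1111-1111-111111111111": "Administrators",
    "22222222-2222-2222-2222-222222222222": "Editors",
}

# What membership of each Azure group grants, as configured in steps 5, 6 and 10.
GRANTS = {
    "Administrators": {"api_role": "Administrator", "cm_groups": ["System Administrator"]},
    "Editors":        {"api_role": "User",          "cm_groups": ["Editors"]},
}

CLAIM_TYPE = "groups"   # claim type used in Access Management and in the CM mapping


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_payload(token):
    """Return the JSON payload of a JWT WITHOUT checking its signature.

    Only for inspecting a token obtained from your own browser session.  An
    application must verify the signature before trusting any claim in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_groups_claim(token):
    """Work out what the configured mappings would grant for this token."""
    payload = decode_jwt_payload(token)
    result = {"groups": [], "api_role": None, "cm_groups": [], "overage": False}

    if CLAIM_TYPE not in payload:
        # Azure AD drops the groups claim and emits _claim_names/_claim_sources
        # instead when the user belongs to more groups than fit in the token.
        # Such a user matches neither mapping, so flag it rather than silently
        # reporting them as unmapped.
        result["overage"] = CLAIM_TYPE in payload.get("_claim_names", {})
        return result

    groups = payload[CLAIM_TYPE]
    if isinstance(groups, str):      # a single group may arrive as a bare string
        groups = [groups]
    result["groups"] = list(groups)

    matched = [AZURE_GROUP_IDS[g] for g in groups if g in AZURE_GROUP_IDS]
    # Administrator outranks User for the Content Manager API role; the
    # Content Manager group memberships accumulate.
    for name in matched:
        grant = GRANTS[name]
        if grant["api_role"] == "Administrator" or result["api_role"] is None:
            result["api_role"] = grant["api_role"]
        result["cm_groups"].extend(grant["cm_groups"])
    return result


def make_unsigned_token(payload):
    """Build a constructed, unsigned (alg=none) JWT for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."


if __name__ == "__main__":
    # Constructed sample tokens, one per scenario a tester would hit.
    samples = {
        "admin":   make_unsigned_token({"groups": ["11111111-1111-1111-1111-111111111111"]}),
        "editor":  make_unsigned_token({"groups": ["22222222-2222-2222-2222-222222222222"]}),
        "nobody":  make_unsigned_token({"groups": ["33333333-3333-3333-3333-333333333333"]}),
        "overage": make_unsigned_token({"_claim_names": {"groups": "src1"},
                                        "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/..."}}}),
    }
    for label, token in samples.items():
        print(label, evaluate_groups_claim(token))
```

To check a real login, copy the id_token from the browser's developer tools after signing in as each test user and pass it to `evaluate_groups_claim`; an `api_role` of `None` with `overage` set means the mapping cannot work for that user until the groups claim is emitted differently.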