
IdP Role Assignment

Map identity provider groups to roles to automatically assign roles to users


Overview

Identity Provider (IdP) role assignment is the process of mapping identity provider groups to roles to automatically assign roles to users.

Users are assigned to groups in the identity provider, and those groups usually correspond to roles in your app, so IT admins often map each group one-to-one to a role. The mapping is defined in the WorkOS Dashboard or in the Admin Portal, after which your application receives role updates automatically.

Role assignment sources

Directory Sync

Roles can be assigned from the identity provider via Directory Sync through directory group role assignment. Admins can map groups to roles in the Admin Portal during SCIM or Google Workspace directory setup. You can also manage these assignments in the WorkOS Dashboard.

Enterprise organizations typically use SSO to manage user authentication and SCIM (Directory Sync) for user lifecycle management. While access management can be automated through either SSO or SCIM, SCIM is generally the preferred option due to its real-time synchronization capabilities.

SSO

Roles can be assigned from the identity provider via SSO through SSO group role assignment. Admins can map groups to roles in the Admin Portal during SSO connection setup. You can also manage these assignments in the WorkOS Dashboard.

A key limitation of SSO-based role assignment is that changes made in the identity provider (IdP) only take effect after the user re-authenticates. In contrast, SCIM propagates changes immediately without requiring user interaction, enabling applications to revoke sessions and enforce access updates in real time.

If your organization has a directory connection configured, it is recommended to use the directory for role assignment.

AuthKit integration

If you are integrating with AuthKit, our full user management solution, roles are automatically assigned to the appropriate organization membership. These roles are also reflected in the user’s session token, ensuring consistent access control across your application.

When using SSO group role assignment, roles are populated on the organization membership through SSO groups, allowing role assignment based on your customer’s identity provider configuration each time a user authenticates.

When using Directory Sync group role assignment, roles are populated on the organization membership through directory provisioning, allowing for seamless, real-time role assignment based on your customer’s identity provider configuration.

Priority order

If a user is provisioned from multiple groups with conflicting roles, the role with the highest priority will be assigned.

(Screenshot: Edit role priority dialog)

Explicit vs. default role assignments

Explicit role assignments are created by manually mapping an IdP group to a role in the WorkOS Admin Portal or Dashboard.

Default role assignments are created for any IdP group that does not have an explicit role mapping. Default group role assignments are always mapped to the configured default role.
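As an added example, not WorkOS code, the following models the resolution described in the two sections above: each of a user's IdP groups yields either its explicit role or the default role, and the highest-priority candidate wins. The `RoleConfig` structure, the role names and the group names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleConfig:
    # Roles ordered from highest priority to lowest (constructed sample order).
    priority: tuple[str, ...]
    # Explicit IdP group -> role mappings, as created in the Admin Portal or Dashboard.
    explicit: dict[str, str]
    # Role applied to any IdP group that has no explicit mapping.
    default_role: str


def candidate_roles(groups: list[str], config: RoleConfig) -> set[str]:
    """Return the set of roles the user's IdP groups map to.

    A group with an explicit mapping yields that role; every other group
    falls back to the configured default role.
    """
    return {config.explicit.get(group, config.default_role) for group in groups}


def resolve_role(groups: list[str], config: RoleConfig) -> str:
    """Pick the single role to assign: the highest-priority candidate.

    A user in no groups at all still receives the default role. Any candidate
    role missing from the priority list is a configuration error, so fail
    closed rather than silently choosing one.
    """
    candidates = candidate_roles(groups, config)
    if not candidates:
        return config.default_role
    rank = {role: index for index, role in enumerate(config.priority)}
    unknown = candidates - set(rank)
    if unknown:
        raise ValueError(f"roles missing from priority list: {sorted(unknown)}")
    return min(candidates, key=rank.__getitem__)


# Constructed sample configuration: three roles, two explicit group mappings.
SAMPLE_CONFIG = RoleConfig(
    priority=("admin", "billing", "member"),
    explicit={"Engineering Leads": "admin", "Finance": "billing"},
    default_role="member",
)
```

A user in both "Finance" and an unmapped group such as "Everyone" gets "billing", because "billing" outranks the default "member".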

Role assignment in Admin Portal

On the Roles & Permissions page in the WorkOS Dashboard, you can choose at the environment level whether to show or hide the role assignment step in Admin Portal, and whether that step shows the Directory Sync or the SSO group mapping.

(Screenshot: Role assignment in Admin Portal dialog)

For customers with a different setup, you can override the Admin Portal role assignment setting per organization on the Roles tab of the organization page in the WorkOS Dashboard. For example, if most customers use Directory Sync but a few use only SSO, select “Directory groups” role assignment at the environment level and “Single Sign-On groups” at the organization level for the exceptions.

© WorkOS, Inc.