Group Synchronization

One-way synchronization of group memberships can be enabled upon user login. Group synchronization is a 1:1 mapping unless you enable mapping one IdP group name to multiple LogScale groups. Activate the ability to map to multiple groups with the feature flag OneToManyGroupSynchronization.

Group synchronization works as follows:

  • If multiple group mapping is not enabled, and the group name in LogScale is the same as the group name in that IDP, then users will be mapped to that group automatically. LogScale maps a group name to the first LogScale group in the organization which has a matching lookupName or displayName.

  • If multiple group mapping is enabled with OneToManyGroupSynchronization, LogScale will map a group name to all LogScale groups in the organization that have a matching lookupName or displayName.

    If a group has a lookupName, then lookupName is used for matching when doing group synchronization. If it does not have a lookupName, displayName is used instead. This means that if you try to synchronize with some external group named "A", and you have a group in LogScale with displayName="A" and lookupName="B", this will not match. Both names are not considered when matching; displayName is used as an alternate in case there is no lookupName.

    Enabling OneToManyGroupSynchronization for a single organization fails if there are any groups within the organization that either have identical lookup names or have display names that are identical to another group's lookupName. This is to make sure that users are aware that enabling the feature can result in users potentially getting assigned to additional groups. For information about how to enable OneToManyGroupSynchronization for a single organization, see enableFeatureForOrg() .

    Enabling OneToManyGroupSynchronization for the cluster performs the verification described above for all organizations on the cluster and the error message will state which organizations failed the validation and for which group names. For information about how to enable OneToManyGroupSynchronization for a cluster, see enableFeature()

    In case enabling fails the aforementioned validation, the user can either choose to modify their groups so there are no longer any duplicates, or they can call the GraphQL mutation to enable the feature with skipVerification set to true to allow duplicate groups.

In order to map a group name from an external system such as LDAP to a LogScale group specify a Mapping name in the External provider tab:

Group Synchronization

Figure 55. Group Synchronization


When a user who is a member of the above LDAP group logs in to LogScale, they will be a member of the LogScale group that defines the mapping. In the current version of LogScale a user will remain a member of the LogScale groups from the last login until they log in again with a new set of groups.

Note

Once a user's group membership has been synchronized in LogScale, deleting it in the LDAP external provider will not take effect in LogScale.

For specific instructions on how to setup group synchronization for the different authentication mechanisms go to the Configuring Security overview page and select a relevant entry.