Group Synchronization

One-way synchronization of group memberships can be enabled upon user login. Group synchronization is a 1:1 mapping; multiple groups mapping to the same external mapping name is not supported.

When group membership is enabled for the IdP used with LogScale, if the group name in LogScale is the same as the group name in that IdP, then users will be mapped to that group automatically. LogScale maps a group name to the first LogScale group in the organization that has a matching lookupName or displayName.

If a group has a lookupName, then lookupName is used for matching when doing group synchronization. If it does not have a lookupName, displayName is used instead. This means that if you try to synchronize with an external group named "A", and you have a group in LogScale with displayName="A" and lookupName="B", this will not match. The two names are never both considered when matching; displayName is only a fallback for groups that have no lookupName.
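The matching rule above, modelled as an added example for auditing a planned mapping before enabling synchronization; it is not LogScale's own code. The Group class, resolve and audit are hypothetical names, list order stands in for "first group in the organization", an empty lookupName is assumed to count as unset, and the sample groups are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Group:
    display_name: str
    lookup_name: Optional[str] = None  # mapping name; None when unset

    @property
    def match_name(self) -> str:
        # lookupName wins when present; displayName is only the fallback.
        return self.lookup_name if self.lookup_name else self.display_name


def resolve(external_name, groups):
    """Return the first group whose effective name equals external_name."""
    for g in groups:
        if g.match_name == external_name:
            return g
    return None


def audit(external_names, groups):
    """Report mapping outcomes worth reviewing before enabling sync."""
    findings = []
    seen = {}
    for g in groups:
        # Two groups sharing one effective name breaks the 1:1 mapping.
        if g.match_name in seen:
            findings.append(("duplicate", g.match_name, g.display_name))
        seen.setdefault(g.match_name, g)
    for name in external_names:
        if resolve(name, groups) is None:
            # displayName equals the external name, but lookupName overrides it.
            shadowed = [g for g in groups
                        if g.display_name == name and g.lookup_name]
            kind = "shadowed-by-lookupName" if shadowed else "unmapped"
            findings.append((kind, name, None))
    return findings


# Constructed sample data (not from a real deployment).
GROUPS = [Group("A", "B"), Group("Analysts"),
          Group("SOC", "ldap-soc"), Group("SOC Tier 2", "ldap-soc")]
EXTERNAL = ["A", "B", "Analysts", "ldap-soc", "Contractors"]

if __name__ == "__main__":
    for finding in audit(EXTERNAL, GROUPS):
        print(finding)
```

A "shadowed-by-lookupName" finding marks the displayName="A", lookupName="B" case from the paragraph above: the external group "A" grants nothing, while an external group named "B" would place its members in the group displayed as "A".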

To map a group name from an external system such as LDAP to a LogScale group, specify a Mapping name in the External provider tab:

Figure 79. Group Synchronization


When a user who is a member of the above LDAP group logs in to LogScale, they will be a member of the LogScale group that defines the mapping. In the current version of LogScale, a user will remain a member of the LogScale groups from the last login until they log in again with a new set of groups.

Note

Once a user's group membership has been synchronized in LogScale, deleting it in the LDAP external provider will not take effect in LogScale.

For specific instructions on how to set up group synchronization for the different authentication mechanisms, go to the Configuring Security overview page and select a relevant entry.