How to set SAML Users into Groups

Hi.

https://support.panopto.com/s/article/saml-groups

I followed the instructions above to configure the settings, but the user group isn't set up properly.

  1. Add the "GroupMembership" Attribute to the SAML response.
  2. Add the SAML value to the User Group.
    - External ID : SKU

<Saml Response>

….
            <saml2:Attribute Name="GroupMembership" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">SKU
                </saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

Where else should I check?

Answers

  • Hi seongsu,

    Thanks for sharing the details and the SAML snippet. Here are the main things to verify when the GroupMembership attribute is present but the user group still isn’t applied correctly.

    1. SAML attribute mapping
    In Panopto Admin → Identity Providers → [your SAML provider] → SAML Attribute Mappings, confirm you have a mapping for group membership:

    • Field name: GroupMembership
    • SAML attribute name: must match exactly what your IdP sends (e.g. GroupMembership if that’s the attribute name in the response).

    If this mapping is missing or the SAML attribute name doesn’t match, Panopto won’t read the group values from the assertion.

    2. User group and External ID in Panopto

    • In Panopto Admin → Groups, the group must be linked to the same Identity Provider you use for SAML login.
    • The group’s External ID must match the value your IdP sends in the GroupMembership attribute (e.g. SKU in your case). Matching is case-insensitive, but the value must be the same (no extra spaces or characters).

    3. Group must exist before login (if you don’t auto-create groups)
    If the option to create new groups when users log in is disabled, the group (with the correct External ID and provider) must already exist in Panopto. If it doesn’t, Panopto will not add the user to that group.

    4. Enable detailed SAML logging (for troubleshooting)
    If it’s still not working, turn on Detailed SAML diagnostic logging in your Panopto site settings. After a test login, check the logs to confirm that:

    • The GroupMembership attribute is being read, and
    • The value (e.g. SKU) matches the External ID you set on the group.

    5. IdP configuration
    Confirm with your IdP admin that the GroupMembership attribute is sent in the SAML response for the user and that the value (e.g. SKU) is exactly what you configured as the group’s External ID in Panopto (no extra spaces or formatting).

    If you’ve checked all of the above and it still fails, please open a support case and include a redacted SAML response (or the attribute section) and a description of your GroupMembership mapping and group External ID so we can help narrow it down.

    I hope this helps.

    Thanks,

    Adis
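
An added diagnostic, not part of the posts above and not Panopto's code: it reads a captured attribute section, pulls out the GroupMembership values exactly as the IdP sent them, and shows whether a line break or spaces around a value would stop it matching a group's External ID. The sample XML is constructed from the snippet in the question, the function names are hypothetical, and because this thread does not say whether Panopto trims values before comparing, the script reports both the as-sent and the trimmed result.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: attribute section shaped like the one in the question,
# including the line break and indentation that follow the value.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="GroupMembership"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">SKU
    </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def attribute_values(xml_text, attr_name):
    """Return the raw text of every AttributeValue under the named Attribute."""
    # Diagnostic use on a response you captured yourself; this does not
    # validate signatures and is not meant for untrusted input.
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") == attr_name:  # attribute name must match exactly
            for val in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue"):
                values.append(val.text or "")
    return values


def check_group(xml_text, attr_name, external_id):
    """Compare each value the IdP sent with a group's External ID."""
    wanted = external_id.casefold()  # the answer states matching ignores case
    findings = []
    for raw in attribute_values(xml_text, attr_name):
        findings.append({
            "raw": raw,
            "padded": raw != raw.strip(),
            "matches_as_sent": raw.casefold() == wanted,
            "matches_trimmed": raw.strip().casefold() == wanted,
        })
    return findings


if __name__ == "__main__":
    for f in check_group(SAMPLE, "GroupMembership", "SKU"):
        print(f"raw={f['raw']!r} padded={f['padded']} "
              f"as_sent={f['matches_as_sent']} trimmed={f['matches_trimmed']}")
```

If `padded` is true for a real response, ask the IdP admin to emit the value without surrounding whitespace, or compare it against the Detailed SAML diagnostic log to see what Panopto actually read.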
