&Open

The &amp;Open platform can automatically assign users to the correct team. This is done during login and ensures that users are immediately assigned to the correct team.

The platform extracts the <code>groups</code> attribute from the SAML response

Each group identifier is matched (case-insensitive) against the SSO Identifiers configured on teams

The user is assigned to the first matching enabled team

If no match is found, the user is assigned to the default team

1. The platform extracts the <code>groups</code> attribute from the SAML response
2. Each group identifier is matched (case-insensitive) against the SSO Identifiers configured on teams
3. The user is assigned to the first matching enabled team
4. If no match is found, the user is assigned to the default team

Note: Users who already have a team assigned will not be reassigned on subsequent logins.

Admin → Teams (<code>/admin/teams</code>)

Each team has an SSO Identifiers field where you can enter a comma-separated list of SSO group names.

In the SSO Identifiers field, enter the group identifier(s) that should map to this team

Use commas to separate multiple identifiers (e.g., <code>engineering, platform-team, devops</code>)

1. Navigate to Admin → Teams
2. Click on the team you want to configure
3. In the SSO Identifiers field, enter the group identifier(s) that should map to this team
4. Use commas to separate multiple identifiers (e.g., <code>engineering, platform-team, devops</code>)
5. Save the team

Note: The SSO Identifiers field only appears when SAML is enabled for the tenant.

The IdP must be configured to send a <code>groups</code> attribute in the SAML response containing the user's group memberships.

&lt;saml:Attribute Name="groups"&gt;   &lt;saml:AttributeValue&gt;engineering&lt;/saml:AttributeValue&gt;   &lt;saml:AttributeValue&gt;platform-team&lt;/saml:AttributeValue&gt; &lt;/saml:Attribute&gt;

The exact group identifier values that their IdP sends in the SAML response

- The exact group identifier values that their IdP sends in the SAML response
- Which team should each group map to

Scenario: A company has three teams and wants to map SSO groups to them.

When a user logs in with groups <code>["eng-team", "developers"]</code>, they will be assigned to the Engineering team.

Single team assignment: Users can only belong to one team; if they match multiple, only the first match is used

IdP configuration required: The IdP must be configured to send the <code>groups</code> attribute

Exact value matching: The SSO identifier must exactly match what the IdP sends (after lowercasing)

- Single team assignment: Users can only belong to one team; if they match multiple, only the first match is used
- IdP configuration required: The IdP must be configured to send the <code>groups</code> attribute
- Exact value matching: The SSO identifier must exactly match what the IdP sends (after lowercasing)

Learn how to automatically assign users to teams when using single sign on (SSO) with the &Open platform

Mapping users to teams with single sign-on

The world's first customer happiness platform

Log In to &Open

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Behavior	Description
Case-insensitive	`Marketing_Team` will match `marketing_team`
First match wins	If a user belongs to multiple groups matching different teams, the first match is used
Enabled teams only	Disabled teams are ignored during matching
New users only	Users with an existing team assignment are not reassigned
Default fallback	Users with no matching groups go to the default team

Team Name	SSO Identifiers
Marketing	`mkt-team, marketing`
Engineering	`eng-team, developers, engineering`
Sales	`sales-team, sales`

Issue	Possible Cause
User assigned to wrong team	Check if their groups match multiple teams; first match wins
User assigned to default team	The groups from their IdP don't match any configured SSO identifiers
SSO Identifiers field not visible	SAML is not enabled for this tenant
User's team not updating	Users with existing team assignments are not reassigned

Mapping users to teams with single sign-on

How It Works

Where to Configure

Steps

Matching Behavior

Requirements

From the Identity Provider (IdP)

From the Client

Example

Limitations

Troubleshooting