Membership Synchronization Configuration
This configuration controls how users are automatically added to or removed from groups based on attributes in their JWT token (retrieved from an OAuth service).
Structure
enabled (boolean)
Enables or disables group membership synchronization.
true: synchronization is active.
false: synchronization is turned off.
source (object)
Specifies the source and key used to extract the value for matching.
- type: the type of source for the attribute:
  - "attribute" – a field in the JWT token's claims.
  - "authorities" – the token's list of authorities (e.g., roles).
- attributeName: the name of the key in the selected source.
Example:
"source": {
  "type": "attribute",
  "attributeName": "idtyp"
}
In this case, the service will look for the idtyp field in the token's attributes.
groupTypes (array of integers)
Lists all group types that the user is allowed to belong to. This serves as a filter: if the user doesn't match any mapping, they will be removed from all groups of these types.
Example:
"groupTypes": [1, 2]
membershipMapping (array of objects)
A list of matching rules that determine which groups the user should be added to.
Each object contains:
- value: the string to match against the attribute value.
- operator (optional):
  - "equals" – the attribute must exactly match value (default if omitted).
  - "contains" – the attribute must contain value as a substring.
- groups: an array of group IDs to assign the user to if the rule matches.
Example Rule:
{
  "value": "Software Developer",
  "operator": "contains",
  "groups": [277]
}
If the attribute value is "Senior Software Developer", this rule matches because "Software Developer" is a substring.
Matching Logic
- If a user matches multiple entries in membershipMapping, they will be added to all specified groups across all matched rules.
- The user will be removed from any group matching groupTypes that is not listed in any of the matched rules.
Full Example
"membershipSynchronization": {
  "enabled": true,
  "membershipAttributesMapping": {
    "source": {
      "type": "attribute",
      "attributeName": "idtyp"
    },
    "groupTypes": [1, 2],
    "membershipMapping": [
      {
        "value": "user",
        "groups": [277]
      },
      {
        "value": "Software Developer",
        "operator": "contains",
        "groups": [277]
      },
      {
        "value": "Senior Software Developer",
        "operator": "equals",
        "groups": [277]
      }
    ]
  }
}
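The matching logic above, applied to the full example, as an added sketch that is not the product's own code. The group-ID-to-type table, case-sensitive comparison, and the treatment of a missing claim as "no match" are assumptions; only the "attribute" source type is modelled.

```python
import json

# Constructed sample: the page's full example, wrapped in braces so it parses.
CONFIG = json.loads("""
{"membershipSynchronization": {
  "enabled": true,
  "membershipAttributesMapping": {
    "source": {"type": "attribute", "attributeName": "idtyp"},
    "groupTypes": [1, 2],
    "membershipMapping": [
      {"value": "user", "groups": [277]},
      {"value": "Software Developer", "operator": "contains", "groups": [277]},
      {"value": "Senior Software Developer", "operator": "equals", "groups": [277]}
    ]}}}
""")["membershipSynchronization"]

# Hypothetical directory data: group ID -> group type (not defined on the page).
GROUP_TYPES = {277: 1, 300: 2, 900: 5}


def rule_matches(rule, attr_value):
    """Apply one membershipMapping rule; 'equals' is the default operator."""
    op = rule.get("operator", "equals")
    if op == "equals":
        return attr_value == rule["value"]
    if op == "contains":
        return rule["value"] in attr_value
    raise ValueError(f"unknown operator: {op!r}")


def plan_sync(config, claims, current_groups, group_types=GROUP_TYPES):
    """Return (to_add, to_remove) sets of group IDs for one user."""
    if not config["enabled"]:
        return set(), set()
    mapping = config["membershipAttributesMapping"]
    if mapping["source"]["type"] != "attribute":
        raise NotImplementedError("only the 'attribute' source is modelled")
    # Assumption: a missing or non-string claim matches no rule.
    attr_value = claims.get(mapping["source"]["attributeName"])
    matched = set()
    if isinstance(attr_value, str):
        for rule in mapping["membershipMapping"]:
            if rule_matches(rule, attr_value):
                matched.update(rule["groups"])
    # Only groups whose type is listed in groupTypes are ever removed.
    managed = {g for g in current_groups if group_types.get(g) in mapping["groupTypes"]}
    return matched - set(current_groups), managed - matched
```

Because "contains" is a substring test, a value such as "Former Software Developer" also maps to group 277, so "equals" is the tighter choice wherever the attribute values are known in advance. Groups of types outside groupTypes (900 in the sample table) are never touched.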