From 1247c5fb339977c875969aa6f2671c1743221819 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adri=C3=A1n=20Pe=C3=B1a?= Date: Wed, 1 Jul 2026 15:48:46 +0200 Subject: [PATCH] docs: clarify SAML userType role mapping (#11759) --- docs/user-guide/tutorials/prowler-app-sso.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/user-guide/tutorials/prowler-app-sso.mdx b/docs/user-guide/tutorials/prowler-app-sso.mdx index 1e61ec1060..d016196214 100644 --- a/docs/user-guide/tutorials/prowler-app-sso.mdx +++ b/docs/user-guide/tutorials/prowler-app-sso.mdx @@ -98,6 +98,12 @@ Choose a Method: + **Single-Value `userType` Required** + + Map `userType` to an IdP attribute that always contains a single value. If the IdP sends multiple values, Prowler App uses only the first value and does not assign multiple roles or select the highest-privilege role. + + + **Dynamic Updates** Prowler App updates these attributes each time a user logs in. Any changes made in the Identity Provider (IdP) will be reflected when the user logs in again. 
@@ -154,6 +160,7 @@ Choose a Method: * If a role with the specified name already exists in Prowler App, the user automatically receives that role. * If the role does not exist, Prowler App creates a new role with that exact name with read-only access: the user can see all providers and their findings but cannot manage anything. A Prowler administrator (a user whose role includes the "Manage Account" permission) can adjust its permissions afterward through the [RBAC Management tab](/user-guide/tutorials/prowler-app-rbac). * If `userType` is not defined in the user's Okta profile, the user's existing roles in Prowler App are left unchanged. + * `userType` must contain a single value. If the IdP sends multiple values, Prowler App uses only the first value and does not assign multiple roles. **Example:** To assign the `IT` role to a user, set the `userType` value to `IT` in Okta. If a role named `IT` already exists in Prowler App, the user receives it automatically upon login. If it does not exist, Prowler App creates a new role called `IT` with read-only access, and a Prowler administrator can adjust its permissions as needed.
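Review bot: In the first hunk (`@@ -98,6 +98,12 @@`), the new "Single-Value `userType` Required" callout says Prowler App "uses only the first value" without saying what "first" means, and that matters for the role a user ends up with: for a SAML assertion it is presumably the first `AttributeValue` element of the `userType` attribute, and IdPs do not guarantee a stable ordering of multi-valued attributes, so an administrator who maps a multi-valued attribute could see a user silently receive a different role on different logins. Suggest stating the ordering explicitly (e.g. "the first `AttributeValue` in the assertion, in the order the IdP emits it") and adding a one-line recommendation that administrators verify the mapped attribute is single-valued on the IdP side before enabling role mapping, since the fallback is silent rather than an error.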
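Review bot: In the second hunk (`@@ -154,6 +160,7 @@`), the added bullet "`userType` must contain a single value. If the IdP sends multiple values, Prowler App uses only the first value and does not assign multiple roles." drops the "does not ... select the highest-privilege role" clause that the first hunk includes, so the two statements of the same behaviour now differ; keep them word-for-word consistent (or have the bullet link to the callout) so readers of the Okta section do not assume a highest-privilege rule applies there. The **Example:** paragraph that follows still only covers the single-value `IT` case; a second sentence along the lines of "If the Okta attribute held both `IT` and `Admin`, only `IT` would be mapped" would make the truncation behaviour concrete in the one place users are most likely to read.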