This article describes three scenarios in which you can assign and manage Roles in Higher Logic Vanilla (Vanilla) if you're using Single Sign-On (SSO).
✔️ TIP: User management through Roles and their permissions is described in detail in Roles & Permissions.
Scenario 1: Roles managed in your IDP
In this scenario, the identity provider (IDP) is the authoritative source regarding which Roles your users should have.
- The IDP will pass Role-assignment data to Vanilla via SSO.
- Role-assignment changes should be done exclusively in the IDP, not in Vanilla.
- If you pass a Role that exists in Vanilla, that Role will be assigned to the user and any Roles that are assigned to the user, but which are not in our system, will be removed.
⚠️ IMPORTANT: If changes are made in Vanilla (such as a Role being assigned via the Dashboard), upon next login, the SSO will override those changes (because they were done in Vanilla, which is not the authoritative source) and replace the Role, as indicated in the IDP (the authoritative source).
✔️ TIP: This scenario is ideal if your IDP is set up to identify all Roles that are used in Vanilla (staff, Admin, Moderator) and any specialty Roles, such as beta access and MVP/superuser access.
Scenario 2: Roles managed in Vanilla
In this scenario, Vanilla is the authoritative source regarding which Roles your users should have. SSO simply authenticates the users and places them in whichever Role has ‘default type’ set to Member.
- Role management should be done exclusively in the Vanilla Dashboard; never in the IDP.
- Any users who are not basic members are identified and set in Vanilla (not in the IDP).
- SSO log-in activities will not result in any Role overrides or replacements.
- If you do not pass Roles, or pass Roles that don't exist in our system, the default Member Role will be assigned the first time the user connects. Then, you can manually assign any other Roles to the user (via the Dashboard) and they will remain assigned to the user whenever the user logs in.
- In other words, if you are passing Roles that do not exist in Vanilla, it is as though you are not passing Roles at all.
✔️ TIP: This scenario is ideal if your IDP does not use Roles, or if a lot of users will have a Role in Vanilla that does not exist in your IDP.
Scenario 3: Roles managed in Vanilla AND your IDP
In this scenario, like scenario 1, the identity provider (IDP) is the authoritative source regarding which Roles your users should have, and passes that data to Vanilla via SSO — but with a few differences.
📝 NOTE: The Role-management considerations and change-overrides behaviours that are detailed for scenario 1 are applicable in this scenario, too.
This scenario is relevant if your Vanilla community requires a handful of users to have a special Role in Vanilla, but that Role does not exist in your IDP and cannot be set up via an SSO connection (e.g., Community Admin). In this case, we can identify that handful of users in Vanilla and side-step those Roles being overwritten by the SSO connection.
There is a configuration setting that allows you to manage some Roles from the IDP and some from the Dashboard: roleSync, which is described below.
Manage Roles with roleSync
📝 NOTE: This is an atypical scenario that requires the assistance of Vanilla staff. If you want this enabled in your community, contact your implementation PM or Vanilla Support.
Add the following setting to your Roles.
By adding this setting, you are telling our system that:
- Roles passed via SSO should be added to the existing list of Roles and
- existing Roles should not be removed.
📝 NOTE: Roles that are passed via SSO will only be added in your Vanilla community; they will not be removed, even if you revoke that Role on your IDP.
Add/Remove toggle for SSO
When you add roleSync to the configuration, a new toggle displays on the Edit Role page in the Dashboard (select a Role and click the pencil icon) for all Roles:
By default, this is toggled OFF.
- If you want a Role to be managed (added/removed) by your IDP (i.e., via SSO connections) toggle this ON.
⚠️ IMPORTANT: This affects only this Role; the management of other Roles is not impacted or changed in any way.
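The three scenarios above, together with the roleSync setting and its per-Role toggle, describe a reconciliation rule that runs at every SSO login. The model below is an added example written for this article, not Vanilla's own code: the function names, the `RoleConfig` shape and the field names (`role_sync`, `sso_managed`) are assumptions. It reads the article as follows: with roleSync on, Roles whose toggle is OFF are add-only (passed Roles are added, held Roles are never removed), while Roles whose toggle is ON are added and removed to match the IDP. The second function is the check a defender wants with add-only sync: Roles a user still holds that the IDP no longer passes, since a revocation in the IDP never reaches Vanilla for those Roles.

```python
from dataclasses import dataclass, field


@dataclass
class RoleConfig:
    # Roles that exist in this Vanilla community (constructed sample data)
    vanilla_roles: set
    # The Role whose 'default type' is set to Member
    default_member_role: str = "Member"
    # Whether the roleSync configuration setting is present (assumed field name)
    role_sync: bool = False
    # Roles whose "managed by SSO" toggle is ON (only meaningful with roleSync)
    sso_managed: set = field(default_factory=set)


def reconcile_roles(current, sso_roles, cfg, first_login=False):
    """Return the set of Roles a user holds after an SSO login.

    current    - Roles the user holds in Vanilla before the login
    sso_roles  - Roles the IDP passed in the SSO handshake
    first_login - True the first time this user connects
    """
    current = set(current)
    # Roles the IDP passes that do not exist in Vanilla are ignored entirely,
    # which is "as though you are not passing Roles at all".
    passed = set(sso_roles) & cfg.vanilla_roles

    if not cfg.role_sync:
        if not passed:
            # Scenario 2: Vanilla is authoritative. Nothing is overridden; a
            # brand-new user receives the default Member Role.
            return current | ({cfg.default_member_role} if first_login else set())
        # Scenario 1: the IDP is authoritative. Whatever was assigned in the
        # Dashboard is replaced by exactly the Roles the IDP passed.
        return passed

    # Scenario 3 with roleSync enabled:
    #   toggle OFF -> add-only: passed Roles are added, held Roles are kept
    #   toggle ON  -> synchronized: present only when the IDP passes them
    kept = {r for r in current if r not in cfg.sso_managed}
    synced = passed & cfg.sso_managed
    added = passed - cfg.sso_managed
    result = kept | synced | added
    if first_login and not passed:
        result.add(cfg.default_member_role)
    return result


def retained_after_revocation(held, sso_roles, cfg):
    """Roles the user holds that the IDP does not pass and that an SSO login
    will never remove (roleSync on, toggle OFF). These cannot be told apart
    from deliberate Dashboard assignments, so they are candidates for a
    periodic access review rather than automatic removal."""
    if not cfg.role_sync:
        return set()
    passed = set(sso_roles) & cfg.vanilla_roles
    return {
        r for r in held
        if r not in passed
        and r not in cfg.sso_managed
        and r != cfg.default_member_role
    }


if __name__ == "__main__":
    roles = {"Member", "Moderator", "Administrator", "Beta"}
    idp_managed = RoleConfig(vanilla_roles=roles)
    print("scenario 1:", reconcile_roles({"Member", "Administrator"},
                                         ["Member", "Beta"], idp_managed))
    mixed = RoleConfig(vanilla_roles=roles, role_sync=True, sso_managed={"Beta"})
    after = reconcile_roles({"Member", "Administrator", "Beta"},
                            ["Member", "Moderator"], mixed)
    print("scenario 3:", after)
    print("review:", retained_after_revocation(after, ["Member"], mixed))
```

Running the module prints the three cases; the useful observation is the last line, which shows that once a Role is add-only, nothing in the SSO handshake will ever take it away again.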
Manually apply a Rank to give Role-like permissions
To give a user the privileges of a specific Role that cannot be passed over SSO, we cannot simply give them the Role in Vanilla because, upon their next login, the SSO handshake will update the Roles to match the IDP's "record of truth." This means removing any Roles that are not passed over SSO.
- To get around this issue, we can manually apply a Rank. Unlike Roles, Ranks are not usually passed as part of the SSO handshake, and therefore are not updated/overwritten by the SSO handshake.
- Manually applying a Rank is a good solution when users need to be given Role-like privileges without giving them a Role.
Steps
1. Create the Role and set its permissions (for help, see Roles & Permissions or contact your CSM).
2. Create a corresponding Rank (for help, see Ranks or contact your CSM).
IMPORTANT NOTES ABOUT CREATING THE MANUALLY APPLIED 'ADMIN' RANK:
- A user is given the highest possible Rank they qualify for, so ensure that the level of the manual Rank is higher than any points-based Ranks.
- Ensure that the only criterion enabled is "Apply manually".
- Ensure the Role Permissions setting ("Users with this rank will gain the permissions of this Role") is set to the desired Role.
When complete, it should look something like this:
3. Lastly, give the user this Rank via either their profile or the Dashboard. Let's walk through both.
Profile
- Access the user's profile.
- If not there already, click Edit Profile from the right panel.
- Select the Rank from the Rank dropdown.
- Click Save to apply the change.
Dashboard
- Access the Dashboard.
- Navigate to Moderation > Site > Users.
- Locate the user in the list, and click the pencil icon (edit).
- Select the Rank from the Rank dropdown.
- Click Save to apply the change.
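The notes under step 2 above amount to three rules about the manually applied Rank: a user gets the highest-level Rank they qualify for, the manual Rank's criteria must be "Apply manually" only, and its Role Permissions must point at the intended Role. The example below is added here and is not Vanilla's code; the `Rank` class, `effective_rank` and `validate_manual_rank` are assumed names that model those rules, and the sample Ranks are constructed. It shows the failure mode the first note warns about: a manual Rank whose level sits below a points-based Rank is silently displaced once the user earns enough points, and the Role-like permissions go with it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rank:
    name: str
    level: int
    # Points threshold for a points-based Rank; None means "Apply manually" only
    points_required: Optional[int] = None
    # The Role named in "Role Permissions: Users with this rank will gain the
    # permissions of this Role" (None if the Rank grants no Role permissions)
    grants_role: Optional[str] = None


def effective_rank(ranks, user_points, manual_rank=None):
    """Highest-level Rank the user qualifies for: every points-based Rank
    whose threshold is met, plus the manually applied Rank if one is set."""
    qualified = [
        r for r in ranks
        if r.points_required is not None and user_points >= r.points_required
    ]
    if manual_rank is not None:
        qualified.append(manual_rank)
    if not qualified:
        return None
    return max(qualified, key=lambda r: r.level)


def effective_role(ranks, user_points, manual_rank=None):
    """Role whose permissions the user effectively gains through their Rank."""
    rank = effective_rank(ranks, user_points, manual_rank)
    return rank.grants_role if rank else None


def validate_manual_rank(manual_rank, points_ranks, expected_role):
    """Check a manually applied Rank against the three notes above.
    Returns a list of problems; an empty list means the Rank is set up correctly."""
    problems = []
    highest_points_level = max((r.level for r in points_ranks), default=0)
    if manual_rank.level <= highest_points_level:
        problems.append(
            f"level {manual_rank.level} is not higher than the highest points-based "
            f"Rank level {highest_points_level}; a points-based Rank can displace it"
        )
    if manual_rank.points_required is not None:
        problems.append("criteria must be 'Apply manually' only, not points-based")
    if manual_rank.grants_role != expected_role:
        problems.append(
            f"Role Permissions grants {manual_rank.grants_role!r}, expected {expected_role!r}"
        )
    return problems


# Constructed sample Ranks: three points-based Ranks and two candidate manual Ranks
POINTS_RANKS = [
    Rank("Newcomer", 1, points_required=0),
    Rank("Regular", 2, points_required=100),
    Rank("Veteran", 3, points_required=1000),
]
GOOD_ADMIN_RANK = Rank("Community Admin", 100, grants_role="Community Admin")
BAD_ADMIN_RANK = Rank("Community Admin", 2, grants_role="Community Admin")

if __name__ == "__main__":
    for rank in (GOOD_ADMIN_RANK, BAD_ADMIN_RANK):
        print(rank.name, "level", rank.level,
              "-> effective Role at 5000 points:",
              effective_role(POINTS_RANKS, 5000, rank),
              "; problems:", validate_manual_rank(rank, POINTS_RANKS, "Community Admin"))
```

The validator is the piece worth keeping around: run it whenever a new manual Rank is created, or a new points-based Rank is added above the existing ones, since either change can reintroduce the displacement problem.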
For more information about Ranks, check out: