SAML Handbook

4.3 Role Mapping

Role Mapping assigns WordPress roles to users based on their SAML attributes. When a user logging into WordPress through SAML authentication meets the configured condition, the corresponding role is applied to that user.

This feature lets you grant user capabilities based on the attribute values sent by your IdP.
WordPress has 5 pre-defined roles:

  1. Administrator
  2. Editor
  3. Author
  4. Contributor
  5. Subscriber

You can also add your own custom roles using the plugin at https://wordpress.org/plugins/miniorange-user-manager/. Any custom roles you add will also be displayed in the role mapping section.
In the attribute mapping section, we have mapped the GROUP attribute to the Group/Role field.


Now you can use these GROUP values to configure role mapping.
Let’s say we have an organisation “SCHOOL” with the following groups on the IdP side:

  1. Principle
  2. HODs
  3. Teachers
  4. Students
  5. Mentors
  6. Workers
  7. Backloggers
  8. Peon


Each of those groups has been assigned to a particular WordPress role.
Multiple groups can be assigned to a single role; for example, both the Students and Workers groups are assigned to the Subscriber role.

Role Mapping has the following features:

  1. Do not auto create users if roles are not mapped.
    • Enable this if users should be created on the WordPress site only when their group is mapped to a role. Users who are not mapped will not be able to access the site.
    • With this enabled, people not associated with any of the groups above will not be able to access the site.
  2. Do not assign role to unlisted users.
    • This feature prevents users who do not belong to any mapped group from being assigned a role.
    • For example, suppose a new batch joins the school and its students have not yet been added to the Students group. They will not be assigned any role until they are added to the group and mapped.
  3. Do not update existing user’s roles.
    • Enable this if the admin does not want an existing user’s role to be changed.
    • Consider a Teacher who is promoted to HOD. The Teacher holds the Editor role, and the admin does not want it changed to Author (the role HODs are mapped to). Enabling this feature keeps the existing role.
  4. Do not allow the users to login with particular roles.
    • If the admin wants users of particular role(s) not to log in to the site, this feature can be enabled by providing the group/role value.
    • For example, a group of students with backlogs has been assigned the group ‘Backloggers’, and the admin does not want those users to access the site.
  5. Option to select the default role to assign to users.
    • This sets a default role for users who are not mapped here; the selected role is applied to them. You can choose any of the listed roles as the default.
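To make the interplay of these five options concrete, here is an added Python model of the decision order for the SCHOOL example; it is not the plugin’s own code. The option names, the Administrator and Contributor group assignments, and the first-match rule for a user in several mapped groups are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed configuration for the SCHOOL example in the text. The group names
# and the Students/Workers, Teachers and HODs assignments follow the handbook;
# the Administrator and Contributor assignments and all option names are assumptions.
ROLE_MAPPING = {
    "administrator": {"Principle"},
    "editor": {"Teachers"},
    "author": {"HODs"},
    "contributor": {"Mentors"},
    "subscriber": {"Students", "Workers"},
}
BLOCKED_GROUPS = {"Backloggers"}   # feature 4: these groups may not log in
DEFAULT_ROLE = "subscriber"        # feature 5: role for users not mapped above


@dataclass
class Decision:
    allowed: bool            # may the user log in at all?
    role: Optional[str]      # role to apply after login; None = leave unchanged
    reason: str


def resolve_role(groups: Iterable[str], existing_role: Optional[str] = None, *,
                 no_auto_create: bool = False,       # feature 1
                 no_role_for_unlisted: bool = False,  # feature 2
                 keep_existing: bool = False) -> Decision:  # feature 3
    """Model the order in which the role-mapping options are applied (assumed)."""
    groups = set(groups)
    if BLOCKED_GROUPS & groups:
        return Decision(False, None, "group is blocked from logging in")
    # First role whose group set intersects the user's groups (assumed order).
    mapped = [role for role, grp in ROLE_MAPPING.items() if grp & groups]
    is_new = existing_role is None
    if not mapped:
        if no_auto_create and is_new:
            return Decision(False, None, "unmapped user is not auto-created")
        if no_role_for_unlisted:
            return Decision(True, existing_role, "unlisted user gets no role")
        role, reason = DEFAULT_ROLE, "default role"
    else:
        role, reason = mapped[0], "mapped from group"
    if keep_existing and not is_new:
        return Decision(True, existing_role, "existing role kept")
    return Decision(True, role, reason)
```

Running the Teacher-promoted-to-HOD case with `keep_existing=True` returns the Editor role unchanged, while the same call without it returns Author.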