Articles on: Schools & enterprise plans

SAML single sign-on: user groups, group mapping, and teacher mapping

SAML single sign-on: user groups, group mapping, and teacher mapping


Once SAML single sign-on is connected, the next step is deciding what each person can do once they're inside SimplyPrint. This guide explains how the groups your identity provider (IdP) sends become SimplyPrint user groups and permissions, and (for schools) how users are automatically marked as teachers.


SAML single sign-on is part of the School and Enterprise plans. If you used SSO on a Print Farm plan before it moved to Enterprise, your access is kept.


This article assumes SSO is already connected. If you haven't set that up yet, start with Set up Single sign-on (SSO) for SimplyPrint or the guide for your provider: Google Workspace, Microsoft Entra ID, Auth0, or Federation (InCommon, eduGAIN, WAYF).


What you'll find here

  • The two halves of group mapping
  • Setting up group mapping on your user groups
  • The rules that decide which group a user lands in
  • Teacher mapping (schools)
  • Seeing exactly what your IdP sends
  • How it all comes together at login


The cloud and key icon

Throughout the panel, a blue cloud icon with a key through it marks anything tied to single sign-on. Wherever you see "SAML single-sign-on:" next to a field - on a user group, or in your school settings - that field controls how SSO assigns people once they log in. Those fields are the subject of this guide.


Group mapping has two halves

Mapping IdP groups to SimplyPrint access takes two settings that work together:


  1. The attribute - in your SAML configuration, you tell SimplyPrint which IdP attribute carries a user's group membership.
  2. The mapping - on each SimplyPrint user group, you list which of those IdP groups belong to it.


You set up the first one when you connect your IdP; the second is what most of this guide covers.


1. Map the User Group attribute

In Settings → Organisation settings → User registration → Edit SAML configuration, scroll to Attribute mapping. In the User group row, enter the IdP attribute that lists the groups a user belongs to (often something like groups, memberOf, or department).


This tells SimplyPrint where to read the user's groups from. On its own it doesn't grant any access - it just makes the group values available for the next step.


Schools can also map School: Is teacher and School: Classes in this same table. Those feed teacher mapping and class assignment, covered below.


2. Map IdP groups to a SimplyPrint user group

This is where IdP groups turn into real permissions.


  1. Go to Settings → Organisation settings → User groups and open a group (or create one).
  2. Find the SAML single-sign-on: Group mapping field (it shows the blue cloud + key icon, and is optional).
  3. Enter the IdP group name(s) or ID(s) that should land in this SimplyPrint group - one per line.


When a user logs in, SimplyPrint compares the groups it received against these lists and places the user in the matching SimplyPrint group, giving them that group's permissions. Repeat for each group you want SSO to fill automatically.


Whether you enter group names or IDs depends on what your IdP sends - most send names. Use the "Last received attributes" panel (below) to see the exact values arriving, then paste them in so they match character for character.


The rules that decide a user's group

A few behaviours are worth knowing, because they explain most "why is this user in the wrong group?" questions:


Each user can only be in one SimplyPrint user group. If a user matches more than one group, SimplyPrint picks the highest group in your hierarchy (the one with the most permissions). Order your groups so the most privileged is at the top.


  • Manual changes are respected. If you (or another admin) manually move a user to a different group inside SimplyPrint, later SSO logins will not override that choice. Automatic mapping only applies to users whose group was set by SSO in the first place.
  • It re-runs on every login. Change a user's groups in your IdP and the new group takes effect the next time they sign in - no need to touch SimplyPrint.
  • No match means no change. If none of a user's IdP groups match any mapping, SimplyPrint leaves their group as-is (the default group for new users).


Teacher mapping (schools)

School plans get two extra settings under Settings → Organisation settings → School settings, which appear once SSO is enabled. Both are marked with the cloud + key icon.


Mark SSO user as a teacher when in SSO group(s)

Enter the IdP group ID(s) that should make someone a teacher - one per line. Anyone who arrives in one of those groups is marked as a teacher. This applies on SSO logins as well as on automatic and manual class imports.


There are two ways a user becomes a teacher:

  • Your IdP sends a School: Is teacher attribute (mapped in attribute mapping) with a true/yes value, or
  • The user is a member of one of the groups listed in this setting.


Put teachers in specific user group

Pick a SimplyPrint user group here, and anyone identified as a teacher is automatically placed in it - giving teachers elevated permissions without mapping their IdP groups one by one.


This teacher group takes priority. If a user is a teacher and you've chosen a teacher group here, they go into that group regardless of the regular group mapping above. Leave it on "No specific group / default group" if you'd rather route teachers purely through group mapping.


Seeing what your IdP actually sends

Group and teacher mapping only work if the values you enter match what your IdP sends exactly. To check, open the SAML configuration window and expand Last received attributes (debug). It shows the attributes from the most recent login attempt (with email addresses masked), so you can copy the exact group names or IDs into your mappings.


If mapping isn't behaving, this panel is the first place to look - most issues come down to a group name not matching, or the User group attribute not being mapped at all. For a deeper walkthrough of attribute problems, see SSO troubleshooting: how to fix errors like "first_name not set".


How it all comes together at login

When a user signs in through SAML, SimplyPrint does this in order:


  1. Reads the attributes your IdP sent and matches them to your attribute mapping.
  2. Creates the user (first login) or updates their name and email.
  3. Schools: assigns the user to their school classes and decides whether they're a teacher.
  4. Places the user in a SimplyPrint user group:
  • If they're a teacher and you've set a teacher group, they go there.
  • Otherwise, the first matching group (highest in your hierarchy) from group mapping is applied.
  • If their group was set manually in SimplyPrint, it's left untouched.


The user lands in SimplyPrint with the right name, group, and permissions - no manual setup per person.


Quick troubleshooting

  • Nobody is being placed in a group: make sure the User group row is filled in under attribute mapping, and that the group names in your user groups match what the debug panel shows.
  • A user is in the wrong group: check your hierarchy order (highest match wins) and confirm their group wasn't changed manually, which freezes it.
  • Teachers aren't being marked: confirm either the School: Is teacher attribute is mapped, or the user's group is listed in Mark SSO user as a teacher when in SSO group(s).



Updated on: 05/06/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!