Question

Claim Type for Role Mapping Rules

  • June 18, 2025
  • 1 reply
  • 83 views

Hello,

I am currently using Duo and OpenID for user authentication into Acumatica. We are looking to go a step further and set up the User Creation Rules and Role Mapping Rules within Acumatica to help streamline user setup, onboarding, permissions, etc.

Within the Role Mapping Rules section, there is a text box for “Claim Type” as well as Scope. Within Duo, we have the scope created, as well as Claims. However, there is nothing within the Duo OIDC application that mentions “Claim Type”.

I’ve attempted to use sub and oid in that text box, as those are the only options for claim type for the user identity with Acumatica, but neither one works correctly in this case. Duo support doesn’t have anything documented on their end for “Claim Type” either, so they couldn’t help me further.

For my test user case, I am using an existing Acumatica user account and have checked the option for the account to Use Roles from Provider Settings.

I’m crossing my fingers, hoping that someone using Duo has the Role Mapping Rules set up and working!

1 reply

CherryStreet
Jr Varsity I
  • June 19, 2025

I ran your scenario through our AI Assistant, let me know if it works out for you.

I’ll walk you through the configuration of Role Mapping Rules and User Creation Rules in Acumatica when using OpenID Connect (OIDC) authentication, with Duo as the identity provider. You’re encountering confusion around the “Claim Type” field — a common sticking point when integrating with non-Microsoft OIDC providers like Duo.

 

1. Prerequisites 🔐

  • Role: System Administrator
  • Configured OIDC Identity Provider under External Applications
  • Working OpenID Connect login with Duo (users can sign in)
 

2. Navigation 🗺️

  • External Identity Provider Configuration
    Path: System Integration Connected Applications (SM301000)
  • User Management and Role Mapping
    Path: System Access External Identity Provider Settings (SM302070)
 

3. Detailed Steps 🚀

Step 1: Review Duo Claims

In Duo’s OIDC configuration, your focus is on standard OIDC claims (like sub, email, name, groups, etc.). Acumatica uses these claim types to assign users and map them to internal roles.

Step 2: Define Role Mapping Rule in Acumatica

  1. Go to External Identity Provider Settings (SM302070).
  2. Open your OIDC provider configuration (e.g., DuoOIDC).
  3. Scroll to the Role Mapping Rules tab.
  4. Add a new row:
    • Claim Type: This must match the exact key name used in the OIDC token.
      Example: If Duo includes groups or roles, that’s what goes here — not sub or oid.
    • Claim Value: The value that corresponds to the role.
      Example: FinanceUsers or AcumaticaAdmins
    • Mapped Role: Choose the internal Acumatica role you want this to apply to.

Example:

Claim Type: groups

Claim Value: AcumaticaFinance

Mapped Role: Finance Role (or custom)

❗ sub and oid are generally unique identifiers, not role indicators — so they won’t work for role mapping.

Step 3: Inspect the Claims Sent by Duo

Since Duo doesn’t document its OIDC claims in detail, you must inspect a real login token to see the actual claim names.

Options:

  • Use a browser extension like JWT.io Debugger or Fiddler to capture the ID token.
  • Look for arrays like "groups": [...] or "roles": [...].

Only use as Claim Type whatever exact key appears in that token for role-type values.

Step 4: Enable Role Usage from Provider

  1. Go to Users (SM201010).
  2. Open the user account.
  3. Check Use Roles from Provider Settings.

This ensures Acumatica maps roles from the OIDC provider based on the rules defined.

 

4. Expected Results 👀

  • Upon successful login via Duo OIDC:
    • The user account is updated or created.
    • Roles are assigned based on the matching Claim Type and Claim Value.
    • Acumatica assigns only the roles listed in the mapping, overriding manual roles if "Use Roles from Provider Settings" is enabled.
 

5. Helpful Next Steps ➡️

  • Capture a live Duo OIDC token to verify claim structure.
  • Add additional Role Mapping Rules for other teams or permissions.
 

6. ERP Pro Tips 💡

💡 Tip for System Admins: If a claim (e.g., groups) includes multiple values (e.g., "groups": ["Finance", "Sales", "HR"]), you can set up one rule per value in Acumatica — each with the same Claim Type but different Claim Values.

 

7. Alternative Methods 🪄

  • If Duo’s claims can’t be customized or extended:
    • Use SCIM provisioning (if supported) or
    • Pre-create users manually and assign roles within Acumatica, skipping OIDC role mapping.
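The two things the reply asks you to do by hand in Step 3 and the Pro Tip, inspect a real ID token for the exact claim key and then see which Role Mapping Rules (same Claim Type, different Claim Values) would fire, can be dry-run offline. The script below is an added example written for this thread; it is not Acumatica, Duo, or the forum poster's code. It assumes a constructed HS256-signed token and secret so it runs without a provider (a real check verifies the provider's actual signing algorithm against its published keys), and it assumes exact, case-sensitive matching of Claim Type and Claim Value, which is an illustration of the "exact key" point rather than documented Acumatica behaviour. All claim names, values, and the DEMO_* data are constructed.

```python
"""Inspect an OIDC ID token's claims and dry-run role-mapping rules against them (added example)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build a constructed HS256 ID token so the example runs offline (assumption: real tokens use the provider's own keys)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_id_token(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the payload claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept alg=none or an unexpected algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def claim_inventory(claims: dict) -> dict:
    """Map each exact claim key to its JSON shape so an admin can see what could go in 'Claim Type'."""
    return {key: ("array" if isinstance(v, list) else type(v).__name__) for key, v in claims.items()}


def role_candidate_claims(claims: dict) -> list:
    """Keys whose value is an array of strings: the usual shape of groups/roles claims."""
    return sorted(k for k, v in claims.items() if isinstance(v, list) and all(isinstance(x, str) for x in v))


@dataclass(frozen=True)
class RoleMappingRule:
    claim_type: str   # must equal the exact key in the token
    claim_value: str  # one value to match
    mapped_role: str  # internal role name the rule grants


def apply_rules(claims: dict, rules: list) -> set:
    """Dry-run the rules: a rule fires when claim_value appears in the claim (scalar or array).
    Exact, case-sensitive comparison is an assumption of this example, not documented product behaviour."""
    granted = set()
    for rule in rules:
        present = claims.get(rule.claim_type)
        if present is None:
            continue
        values = present if isinstance(present, list) else [present]
        if rule.claim_value in values:
            granted.add(rule.mapped_role)
    return granted


# Constructed sample data: not a real provider token, secret, tenant, or user
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_CLAIMS = {
    "iss": "https://idp.example.test/oidc",
    "sub": "user-0123",
    "email": "jane.doe@example.test",
    "name": "Jane Doe",
    "groups": ["Finance", "Sales"],
}
DEMO_RULES = [
    RoleMappingRule("groups", "Finance", "Finance Role"),  # matches one array element
    RoleMappingRule("groups", "HR", "HR Role"),            # same key, value not present -> no role
    RoleMappingRule("Groups", "Sales", "Sales Role"),      # key case differs from token -> no role
    RoleMappingRule("roles", "Admin", "Administrator"),    # claim absent from token -> no role
]


def demo() -> set:
    token = make_hs256_token(DEMO_CLAIMS, DEMO_SECRET)
    claims = decode_id_token(token, DEMO_SECRET)
    print("claims in token:", claim_inventory(claims))
    print("role-type candidates:", role_candidate_claims(claims))
    granted = apply_rules(claims, DEMO_RULES)
    print("roles that would be granted:", sorted(granted))
    return granted


if __name__ == "__main__":
    demo()
```

Running it lists every exact key in the constructed token, flags `groups` as the only array-of-strings claim, and grants only "Finance Role": the rule keyed on `Groups` shows why the Claim Type box has to carry the token's key verbatim, and the `sub`-style identifier claims never appear as candidates. To use the idea against a captured token from your own login, replace the HS256 check with verification against the provider's published keys before trusting any claim in it.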