Qualtrics SAML User Type mapping fails when multiple group values are present

Question

I’m configuring SAML-based SSO in Qualtrics and have run into unexpected behavior around User Type Field mappings when a user belongs to more than one group.

What works

SAML authentication is functioning correctly in a proof-of-concept.
I can successfully log in as a Brand Administrator.
In Qualtrics, User Type Field is mapped to the SAML attribute groups.
I have User Type validation enabled, so only explicitly mapped values are accepted.
A single group value (e.g. brand-admins) is mapped to the Brand Administrator role and works as expected.

SAML assertion details

When a user belongs to only one group, the SAML assertion contains a single value and authentication succeeds.

When the user belongs to more than one group, the assertion looks like this (simplified):


<saml2:Attribute Name="groups"
                 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xsi:type="xs:string">brand-admins</saml2:AttributeValue>
  <saml2:AttributeValue xsi:type="xs:string">another-group</saml2:AttributeValue>
</saml2:Attribute>

Using a SAML tracer during login, Qualtrics appears to treat the groups attribute value as:

brand-admins::another-group

The problem

With multiple group memberships:

Login fails, even though brand-admins is a valid and explicitly mapped value.
Qualtrics does not appear to evaluate individual AttributeValues independently.

As an experiment:

I created a new User Type mapping using the literal value
brand-admins::another-group
This does grant access (to that experimental role), which suggests Qualtrics is performing an exact-string match against the concatenated value.

What’s confusing

Qualtrics allows User Type mappings to be re-ordered, which suggests some form of priority or first-match logic. My assumption was that a high-privilege group (e.g. brand-admins) could be placed at the top so that if a user belongs to multiple groups, the most privileged role would be selected first.

However, based on the observed behavior, it looks like:

Qualtrics treats multi-valued SAML attributes as a single, delimiter-joined string
No per-value evaluation or precedence is applied

Questions

Is this the intended behavior for multi-valued SAML attributes in Qualtrics User Type mapping?
Does Qualtrics support evaluating individual values within a multi-valued attribute like groups?
If not, what is the recommended approach?
- Restrict users to a single role-defining group?
- Transform the SAML assertion to emit a single role claim?
- Disable User Type validation?
What is the practical purpose of re-ordering User Type mappings if no precedence evaluation occurs?

Any insight into the expected design or best practices here would be appreciated.

Lpena · Answer

Dealing with multi-valued SAML attributes can definitely be a bit tricky because of how the system processes them. Basically, Qualtrics takes those multiple AttributeValue elements (like your 'groups') and concatenates them into one long string separated by "::" delimiters. It doesn't actually look at each value individually, which is why your logins might be failing if you don't have an exact strinng match for that entire combined value in your mappings.

Even though the documentation mentions that mappings are applied in order, that logic really only kicks in once a match is found against that, concatenated string. Re-ordering your mappings won't help the system "see" the individual values any better. Your best bet is to use regex-based mapping values—something like .*brand-admins.*—so the system can find the specific group within that combined string. Alternatively, you could tweak things on your IdP side to just send over a single attribute representing the highest level of access.

What works

SAML assertion details

The problem

What’s confusing

Questions

Sign up

Login to the Community

Scanning file for viruses.

This file cannot be downloaded