With non-IAM-based visitor authentication, the groups to be made available for use in custom visibility categories need to be set up in your identity provider (IdP) configuration where they can then be assigned to users. Note that for the Interface Builder, such group names are merely identifiers with configurable display texts, i.e. they don’t have any meaning. Also, the Web Interface Builder doesn’t take account of implicit group assignments (based on rules). As a consequence, such implicit assignments (like “all sales staff members are marketing members as well”) need to be made explicit. For obvious reasons, it is essential that group names are defined and used consistently.
As a user logs in to a Interface-Builder-based website, the IdP generates an OAuth ID token that the Interface Builder uses to identify the user. If groups have been set up, the ID token includes a groups
claim indicating to the Interface Builder the groups that have been assigned to the user. By means of those groups, the Interface Builder can then determine the visibility categories applicable to the user, and grant or deny them access to protected content.
The structure of an ID token containing a groups
claim looks like this: