[OPTIONAL] How to Divide Users into Groups and Assign Them Sublicenses
© 2024 Parallels International GmbH. All rights reserved.
By default, the integration process between Parallels My Account and your identity provider, described in this chapter, implies that all users of Parallels Desktop for Mac in your company will end up in one user group.
However, as explained in this chapter, it may be beneficial to spread your end users across multiple groups, depending on their departments or functions within the company. This will enable administrators to set their own restrictions for each individual group of users, as described in this chapter of the Parallels Management Portal section of this guide.
The goal of this chapter is to explain the intricacies of the grouping process and prevent potential activation or policy application issues.
For the purposes of this guide, the most important term on your IdP's side is a unique group identifier, which, depending on your IdP, can also be known as UUID, Object ID, or group name. Another important term is a SAML token: a file which contains information about a user and is sent by the IdP to the service provider (in this case, Parallels) during the SSO authentication process. The individual meaningful pieces of information in SAML tokens are called claims.
What binds these three terms together is that certain claims in SAML tokens contain group identifiers, allowing Parallels service to see what groups the authenticating user is included in on the IdP side.
Note: If you follow the default SSO integration procedure described in the previous chapters, your Parallels application SAML token will only contain claims with the group identifiers of the two manually populated default groups assigned to the Parallels Desktop for Mac app, i.e. Administrators and Parallels Desktop Users, and not any other existing groups that an employee may be part of.
Some IdPs allow administrators to create hierarchical user group structures to better reflect the organizational structure of the company, e.g., a "Product" group that would include subgroups like "Engineers", "Designers", "QA", etc. In this case, a member of the "Engineers" subgroup would have at least two group identifiers in their SSO claim: one for the "Product" group, and one for the "Engineers" subgroup.
Note: While a SAML token may contain claims with specific group identifiers, it will not contain information on the hierarchical relationships between those groups. E.g., if a user is a member of Group 1.1, a subset of Group 1, their SAML token will simply contain group identifiers for both groups.
With the above information in mind, your overall process to divide the Parallels Desktop for Mac users in your organization into individually managed groups should include the following steps:
Consider which existing groups of users may need which specific policies and restrictions. Read this chapter carefully.
Amend the settings of the Parallels Desktop application on your IdP side, so that the SAML token exchanged during the SSO authentication process includes the group identifiers for all the groups a user is part of. In Microsoft Azure/Entra ID, do it by following this path: Home -> AD -> Enterprise applications -> Select Application -> Single sign-on -> 2. Attributes & Claims -> Edit, and changing the Group Claims setting from Groups assigned to the application to All groups.
Once you make this change, the Parallels service will receive information about all user groups a given user is a member of on an SSO sign-on attempt, and will deduct the seat from a specific license key accordingly.
To benefit from tailored policies and license key quotas, create sublicense keys as directed in this chapter. To map a user group on the IdP side to a specific sublicense key, take this group's group identifier and add it to the selected key in Parallels My Account. In the case of Microsoft Azure/Entra ID, the group identifiers can be found by following this path: Home -> Microsoft Entra ID (former AD) -> Enterprise Applications -> Select Application -> Users and groups -> Select Group -> Object ID. To paste the value in Parallels My Account, linking the group to a specific sublicense key, open Parallels My Account and follow this path: Find the Parallels Desktop for Mac Enterprise Edition product card -> Click on the Subscription Expires line -> scroll down to the License Keys section. Click the cogwheel symbol to open that sublicense key's card and switch to the User Groups tab. Click Add Group and paste the group's name and UUID (Object ID) in the respective fields. Note that in the case of Okta, the user group UUIDs are the same as the group names, as described in the respective subchapter.
Once you have added all the groups you want, click Save.
Now, your users can activate their copies of Parallels Desktop for Mac using their groups' assigned quotas, and you can apply group policies as you see fit.
Plan the user allocation. Think about how many users from each affected group may need to activate and use Parallels Desktop for Mac, which of them will require guaranteed service (reserved sublicense keys) and which will be better off on a first come, first served basis (dynamic sublicense keys). Read more about the difference.
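A pre-rollout check for the mapping steps above, added here as an example and not Parallels code: it reads the group identifiers from a test sign-in's SAML assertion and lists which sublicense keys those groups are mapped to. The sample assertion, the key names and the `KEY_GROUPS` table are constructed; the claim name is the one Entra ID uses for group claims, and other IdPs use different names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name Entra ID uses for the groups claim (assumption: adjust for other IdPs).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: a member of "Engineers", a subgroup of "Product".
# The token lists both identifiers flat, with no parent/child information.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical local record of the groups entered on each key's User Groups tab.
KEY_GROUPS = {
    "sublicense-product": {"11111111-1111-1111-1111-111111111111"},
    "sublicense-engineers": {"22222222-2222-2222-2222-222222222222"},
    "sublicense-sales": {"33333333-3333-3333-3333-333333333333"},
}

def group_ids(assertion_xml, claim_name=GROUPS_CLAIM):
    """Return the flat set of group identifiers in the groups claim.
    Inspection only: this does not validate the assertion's signature."""
    root = ET.fromstring(assertion_xml)
    ids = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    ids.add(value.text.strip())
    return ids

def audit(assertion_xml, key_groups):
    """Classify a user by how many sublicense keys their groups map to."""
    ids = group_ids(assertion_xml)
    keys = sorted(k for k, groups in key_groups.items() if ids & groups)
    # The page does not say which key is charged when several match,
    # so "ambiguous" users are flagged for review rather than resolved here.
    status = "no-match" if not keys else "ok" if len(keys) == 1 else "ambiguous"
    return status, keys

if __name__ == "__main__":
    print(audit(SAMPLE_ASSERTION, KEY_GROUPS))
```

Run it against an assertion captured from your own test sign-in after switching Group Claims to All groups; a "no-match" result points to a group identifier that was never added to a sublicense key.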