Hi,
We're trying to integrate an application that does "standard SAML 2" with Azure AD SSO, and we need to implement role-based access control. I'm on the application side, with no access to the Azure AD administration (which is handled by a consultant for our customer).
Looking at the online docs, we're in this situation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-enterprise-app-role-management
The consultant tells me that steps 8–10 of the "Create roles for an application" section are obsolete, and that roles cannot be sent in the SAML response, pointing me at https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#restricted-claims as proof.
I cannot believe that Microsoft would have made such a switch, requiring applications to call Azure-specific APIs (MS Graph API, if I understood correctly) to retrieve the user's roles.
So, can anyone confirm to me that "standard SAML" cannot be used for role-based access control (passing the app roles as a SAML claim in the response), and that it requires Azure-specific integration through additional calls to the MS Graph API?
Fwiw, I first posted to Twitter, and was asked to post here instead: https://twitter.com/tbroyer/status/1032207267381301248
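For reference, here is what the application side of the "roles as a SAML claim" approach looks like. This is an added example, not code from the post above or from Microsoft: it assumes the IdP emits app roles in the role attribute `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`, that the SP entity ID `https://app.example.com/saml` and the role-to-permission table are hypothetical, and that the caller has already verified the Response/Assertion XML signature with a real SAML library (python3-saml, pysaml2) before any attribute is trusted. The sample SAML Response is constructed for the example.

```python
"""Extract app roles from a (signature-verified) SAML 2.0 Response and enforce RBAC.

Added example, not from the original post. Assumes:
  * roles arrive in the standard role claim (ROLE_CLAIM below);
  * the XML signature has ALREADY been validated by a proper SAML library;
  * the SP entity ID and role/permission table are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SP_ENTITY_ID = "https://app.example.com/saml"  # hypothetical SP entity ID

# Hypothetical mapping of IdP role names to application permissions.
# Anything not listed here grants nothing (default deny).
ROLE_PERMISSIONS = {
    "Admin": {"read", "write", "manage_users"},
    "Reader": {"read"},
}


def parse_assertion(xml_text, expected_audience):
    """Return the Assertion element, rejecting one minted for another SP."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    audiences = [
        a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this SP")
    return assertion


def extract_roles(xml_text, expected_audience=SP_ENTITY_ID):
    """Collect every AttributeValue of the role claim, in document order."""
    assertion = parse_assertion(xml_text, expected_audience)
    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                roles.append(value.text.strip())
    return roles


def permissions_for(roles):
    """Union of permissions for the known roles; unknown roles add nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(roles, permission):
    return permission in permissions_for(roles)


# Constructed sample Response: one role value plus an unrelated attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>Reader</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample with no role attribute at all: user gets no permissions.
NO_ROLE_RESPONSE = SAMPLE_RESPONSE.replace(
    '<saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">'
    "\n        <saml:AttributeValue>Reader</saml:AttributeValue>\n      </saml:Attribute>", "")

if __name__ == "__main__":
    roles = extract_roles(SAMPLE_RESPONSE)
    print("roles:", roles, "can write:", is_allowed(roles, "write"))
```

The audience check is deliberate: a signed assertion issued for a different service provider in the same tenant is still validly signed, so signature validation alone does not bind the assertion to this application. Role names are matched exactly against an allow-list, so a role the IdP sends that the application does not know simply yields no permissions rather than an error.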