How to get the group information of a user in SAML token

    Question

  • I have a setup with Azure as IDP and Weblogic as SP. 
    I am able to get the user information in the SAML token and SSO is successful; however, I am not able to get the group this user belongs to (as a SAML attribute) in the token. 

    Looks like "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" is a restricted claim: 

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization 

    So how do I get the group information of a user in SAML token?
    • Edited by streethawkz Tuesday, February 12, 2019 12:08 PM
    Tuesday, February 12, 2019 8:08 AM

All replies

  • To view the groups as claims in the assertions, you need to enable it in the app. http://rickrainey.com/2015/02/13/using-group-claims-in-azure-active-directory/

    In the manifest, change the groupMembershipClaims property (which will be set to null) to SecurityGroup and then save the changes.

    If you are using the new Azure AD integration you may not be able to edit the manifest and there is no good workaround just yet. 

    Tuesday, February 12, 2019 7:35 PM
    Moderator
  • Please let us know if you find above reply useful. If yes, do click on 'Mark as answer' link in above reply. This will help other community members facing similar query to refer to this solution. Thanks.
    Thursday, February 21, 2019 12:02 AM
    Moderator
  • Thanks for the reply.

    I am not using JWT for SSO. I am configuring Azure as SAML IDP.

    I have created an enterprise application from Azure portal.

    I don't see the manifest option.

    How do I enable groupMembershipClaim here?


    7 hours 56 minutes ago
  • Hello,

    This should work for SAML as well. You can search for your application under Azure Active Directory > App registrations and then you can access the manifest as per the screenshot. You can replace null with "SecurityGroup" or "All".

    "SecurityGroup" returns only security groups and "All" returns both security groups and distribution lists.


    5 hours 15 minutes ago
    Moderator
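The replies above cover the IdP side (setting groupMembershipClaims in the app manifest). The following is an added example, not code from the thread or from Microsoft or Oracle, showing what the SP then has to do with the resulting assertion: once the claim is enabled, Azure AD adds one saml:Attribute named http://schemas.microsoft.com/ws/2008/06/identity/claims/groups carrying the group object IDs (GUIDs, not display names), and when the user is in more groups than fit in a SAML token it emits the overage attribute http://schemas.microsoft.com/claims/groups.link instead, which the SP must notice rather than silently treating as "no groups". Both assertions below are constructed for this example; the issuer tenant ID, group IDs and user are placeholders, and the function names are this example's own.

```python
"""Extract Azure AD group claims from a SAML 2.0 assertion on the SP side.

Added example, not part of the original thread. The assertions below are
constructed; in a real deployment the SP must verify the assertion's XML
signature and conditions BEFORE any attribute is read, since an unverified
AttributeStatement can be forged by anyone.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input; this XML is constructed locally

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample: groupMembershipClaims set, user in two groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2019-02-12T08:08:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Example User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>66666666-7777-8888-9999-aaaaaaaaaaaa</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: overage case, the groups attribute is absent and
# groups.link points at the Graph endpoint that lists the user's groups.
SAMPLE_OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0" IssueInstant="2019-02-12T08:08:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.windows.net/00000000-0000-0000-0000-000000000000/users/user@example.com/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_root, name):
    """Return every AttributeValue text of the attribute called `name` ([] if absent)."""
    values = []
    for attr in assertion_root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((val.text or "").strip())
    return values


def extract_groups(assertion_xml):
    """Return {"groups": [object IDs], "overage": bool, "groups_link": url or None}.

    Call this only on an assertion whose signature the SP has already verified.
    """
    root = ET.fromstring(assertion_xml)
    groups = attribute_values(root, GROUPS_CLAIM)
    links = attribute_values(root, GROUPS_OVERAGE_CLAIM)
    return {
        "groups": groups,
        "overage": bool(links),          # token does not carry the group list
        "groups_link": links[0] if links else None,
    }


def user_in_group(assertion_xml, group_object_id):
    """Authorization decision keyed on the group's object ID (GUID), not its display name.

    Refuses to decide on an overage token: an empty groups list there means
    "not delivered", not "member of nothing".
    """
    info = extract_groups(assertion_xml)
    if info["overage"]:
        raise RuntimeError("group list not in token; resolve groups_link before deciding")
    return group_object_id.lower() in {g.lower() for g in info["groups"]}


if __name__ == "__main__":
    print(extract_groups(SAMPLE_ASSERTION))
    print(extract_groups(SAMPLE_OVERAGE_ASSERTION))
```

The comparison is on object IDs because that is what the claim carries; mapping GUIDs to readable roles has to live in the SP's own configuration. The GUID-to-role map should be maintained from the directory, not inferred from the token.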