
Question

Azure AD - Returning a Federated Group name in the SAML Token

asked on July 19, 2022

Anyone have Azure AD and know how to do this? We have a federated group and we want to return the group name in the SAML Token so that we can configure it in the Federated group identifier.

Right now we are having to use the Object Id instead of the group name and when creating a support ticket we were told to add the group name to the SAML Token.

https://doc.laserfiche.com/laserfiche.documentation/en-us/Default.htm#Federated%20Groups.htm?Highlight=federated


Replies

replied on July 19, 2022
replied on July 20, 2022

This is the first time I have looked at any of this; it sure is different than Active Directory. Here is where I am confused (as an outsider): I feel like it is impossible for IT to know what to do after reading what Microsoft states in these articles, which appear to be nothing more than options determined by the 3rd party vendor (Laserfiche).

It says here that by default Group ObjectIDs will be emitted in the group claim value. So wouldn't this explain why LF received the ObjectID, unless some additional customization was applied?

Then it is impossible to know how to apply it because it goes on to say:

"If you want groups in the token to contain the on premises AD group attributes in the optional claims section"

Do we? How do we know?

"..., specify which token type optional claim should be applied to, ..."

How would IT know which token type optional claims should be applied unless they are provided this information?

It seems that no IT department would know this, only the developer of the service connecting to this Microsoft service.

replied on July 19, 2022

For clarification, in the support case it was explained that you should intercept the SAML token to review the attributes and values returned by the identity provider. We pointed out to you that the group attribute being returned was using the object ID as its values, so to get things working in Laserfiche Cloud for your federated group setup, with the current Azure AD setup, you would need to use those same object ID values instead.

However, please refer to the material that Sam was able to find on the internet, which seems to provide the information you're looking for about how to get Azure AD to send back the group name in the SAML token. Then you can update the federated group configuration in Laserfiche and switch back to using the group name (after confirming that the SAML token is actually using the group name now).

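The reply above recommends intercepting the SAML token and checking what the group attribute actually contains, both before and after changing the Azure AD group claim settings. The script below is an added example (it is not Laserfiche's or Microsoft's code and not part of the original thread): it takes the base64 SAMLResponse form field that the browser posts to the service provider's ACS URL (copy it from the browser's developer tools network tab or from an extension such as SAML-tracer), decodes it, lists every attribute in the assertion, and labels each value of Azure AD's default group claim (`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`) as an object ID (a GUID) or a name. The sample response it builds for offline use, the group values in it, and the `build_sample_response`, `extract_attributes` and `classify_group_values` function names are all constructed for this example.

```python
"""Inspect the attributes in a captured SAML 2.0 Response and report whether
Azure AD's group claim carries object IDs (GUIDs) or group names.

Added example, not code from the original post. It builds a constructed,
unsigned sample response so it runs offline; paste a real SAMLResponse
value into extract_attributes() to inspect a live token.
"""
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Azure AD's default claim URI for group membership in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Azure AD object IDs are GUIDs; anything else is treated as a name.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def build_sample_response(group_values):
    """Constructed, unsigned, minimal SAMLResponse for offline testing only.
    A real Azure AD response is signed and carries many more elements."""
    values = "".join(
        f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in group_values
    )
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">'
        "<saml:Assertion>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>'
        '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
        "<saml:AttributeValue>jdoe@example.com</saml:AttributeValue>"  # constructed value
        "</saml:Attribute>"
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def extract_attributes(saml_response):
    """Return {attribute name: [values]} from a base64 SAMLResponse.

    The value may still be form-URL-encoded as captured from the POST body;
    unquote() is a no-op on plain base64. Inspection only: the XML signature
    is NOT verified here, so use this to read a captured token, not to trust
    one. For tokens from an untrusted source, parse with defusedxml instead.
    """
    raw = base64.b64decode(urllib.parse.unquote(saml_response))
    root = ET.fromstring(raw)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def classify_group_values(attrs):
    """Label each group claim value as an Azure AD object ID or a name."""
    return {
        v: ("object-id" if GUID_RE.match(v) else "name")
        for v in attrs.get(GROUPS_CLAIM, [])
    }


def main():
    # Constructed group values: one object ID, one group name.
    sample = build_sample_response(
        ["7b9c2a1e-1234-4c5d-8e9f-0a1b2c3d4e5f", "LF-Finance-Users"]
    )
    attrs = extract_attributes(sample)
    for name, values in attrs.items():
        print(name, values)
    for value, kind in classify_group_values(attrs).items():
        print(f"{kind:10} {value}")


if __name__ == "__main__":
    main()
```

If every value under the groups claim is labelled `object-id`, the Laserfiche federated group identifier has to be the object ID, as the support reply says; once Azure AD has been reconfigured to emit names, rerun the check on a fresh token and switch the identifier only when the claim actually shows the name. Treat a captured SAMLResponse as a credential: inspect it locally rather than pasting it into online decoders.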