Oct 13 2020 11:14 PM - last edited on Jan 14 2022 04:01 PM by TechCommunityAP
We recently implemented a model in which our users can create Office 365 groups, which then can be used in all our SAML-connected third-party cloud applications to grant access to resources within the cloud app.
The way this works is this:
As an example, a SAML token for user Jon Doe would look like this:
We planned to move to Azure SAML, but I learned that Azure does not support adding the group CN or SamAccountName to the token, but only the objectId.
All of our cloud apps only support adding groups by Name. This seems to be the de-facto standard. It is not possible in the cloud apps to create groups with an ID and a canonical name. Consequently, the admins would need to know the objectId of the groups and the users would only be able to assign permissions on "cryptic" objectIds.
That is not user friendly and blocks us from moving our SAML authentication to Azure.
Can you recommend a way that enables us to migrate to Azure while keeping group names (CN/SamAccountName) in the SAML token?
Oct 15 2020 09:30 AM
@Daniel Niccoli - Use app roles. These are human readable, no group IDs and token bloat
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Oct 19 2020 05:50 AM
@LM That's not feasible. Users are creating new groups on a weekly basis. We need something that works out of the box and is scalable.
Oct 20 2020 06:16 AM
So are you using ADFS as the IDP for these cloud apps, or Azure AD? Also, have you investigated claims mapping.... I'm very rusty on it but I vaguely remember being able to use it to make Azure AD supply group names in the token...
Although I suspect app roles are the longer term approach
Oct 20 2020 08:04 AM
Optional claims are only supported for groups synced from AD.
So, your options are to use groups synced from AD instead of O365 groups or use app roles.
See the link below
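The two options in the reply above, as an added example that is not part of the thread: an Azure AD application manifest fragment (the JSON edited under "Manifest" in the app registration) that (a) emits the `groups` claim in the SAML token with the on-premises `sam_account_name` as an additional property, which only populates for groups synchronized from AD, and (b) declares an app role that can be assigned to a group and arrives as a readable `roles` claim value. The `id` GUID and the role names are placeholders, not values from the thread.

```json
{
  "groupMembershipClaims": "SecurityGroup",
  "optionalClaims": {
    "saml2Token": [
      {
        "name": "groups",
        "source": null,
        "essential": false,
        "additionalProperties": [
          "sam_account_name"
        ]
      }
    ]
  },
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "description": "Placeholder role: read access to the Finance workspace",
      "displayName": "Finance Readers",
      "id": "11111111-2222-3333-4444-555555555555",
      "isEnabled": true,
      "value": "Finance.Readers"
    }
  ]
}
```

Without the `additionalProperties` entry the `groups` claim carries only objectIds, which is the behaviour the question describes; cloud-only Office 365 groups still get only an objectId even with `sam_account_name` set. Keep the user's group count in mind either way: a SAML token holds at most 150 group entries before Azure AD replaces them with an overage claim, which is the token-bloat concern raised earlier in the thread.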
Oct 20 2020 09:28 AM