SSO passing Group via Assertion

0

I am trying to pass the name of the Group to the SSO application. I found that I can use ${user:groups} and it passes the following:

    <saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
    </saml2:Attribute>

Is there a way to pass the name of the group or just the GUID (S-1-2-34...)? I have run across some services that don't allow the use of // in their fields.

Asked 2 years ago, 872 views
1 answer
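On the service-provider side, the `domain//SID` form shown above can be normalised before it reaches a field that rejects `//`. The following is an added example, not code from the question or from AWS: it parses the `memberOf` attribute out of a constructed `AttributeStatement`, splits off the domain qualifier, checks that the remainder really is a SID, and refuses groups from a domain other than the one expected (the domain name and SIDs are the sample values from the question).

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Windows security identifier: "S-1-<authority>-<sub-authority>[-<sub-authority>...]"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample: the memberOf attribute from the question, wrapped in a
# minimal AttributeStatement so that it parses as a standalone XML document.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""


def attribute_values(xml_text, name):
    """Return the text of every AttributeValue under the Attribute called `name`."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != name:
            continue
        for val in attr.findall(f"{{{SAML2_NS}}}AttributeValue"):
            values.append((val.text or "").strip())
    return values


def split_group_reference(value):
    """Split 'domain//SID' into (domain, sid); a bare SID yields (None, sid).

    Raises ValueError when the SID part does not look like a SID at all.
    """
    if "//" in value:
        domain, sid = value.rsplit("//", 1)
    else:
        domain, sid = None, value
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID: {value!r}")
    return domain, sid


def group_sids(xml_text, expected_domain):
    """Return the bare SIDs from memberOf, rejecting any group not qualified
    with `expected_domain` so an unqualified or foreign-domain SID cannot be
    mistaken for a local group."""
    sids = []
    for value in attribute_values(xml_text, "memberOf"):
        domain, sid = split_group_reference(value)
        if domain != expected_domain:
            raise ValueError(f"group from unexpected domain: {value!r}")
        sids.append(sid)
    return sids
```

Whether to accept a bare SID (no domain prefix) is a policy decision; this example treats it as a mismatch, which is the safer default in a multi-domain forest.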
0

Hello,

Based on the shared information in the post, it looks like you are using AD as the identity source for AWS SSO.

Firstly, I would like to mention that the ${user:groups} is not officially endorsed and supported by AWS SSO.

Secondly, the currently supported attributes are mentioned below [1].

${user:AD_GUID}
${user:email}
${user:familyName}
${user:givenName}
${user:middleName}
${user:name}
${user:preferredUsername}
${user:subject}

Although ${user:groups} is not supported, it returns the GUID but not the name itself. The GUID is the only possible value which can be returned right now, as SSO does not support group-level attributes.

A temporary workaround can be to retrieve the group name and then configure application attributes with that group name by string method itself, if that helps.

For example -

User Attribute in the application -> groups

Maps to this string value or use attribute in AWS SSO -> group-dev

Result -

<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">group-dev</saml2:AttributeValue>
</saml2:Attribute>

However, please note that since this attribute is not dynamic, the same value will be sent for all the users who will federate into that application. As such, it might not be very helpful. But you can use the above specified method if constant group value helps.

That said, please note that the group name is not contained in any attribute as of now. There is, however, an existing feature request for support of group attributes in AWS SSO. I have gone ahead and added your voice to this feature request. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New [2] and Blog [3] pages for any new feature announcements.

References:

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

[2] https://aws.amazon.com/new/

[3] https://aws.amazon.com/blogs/aws/

AWS Support Engineer
Yash_C
Answered 2 years ago
