SSO passing Group via Assertion
I am trying to pass the name of the Group to the SSO application. I found that I can use ${user:groups} and it passes the following:
<saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
</saml2:Attribute>
Is there a way to pass the name of the group, or just the GUID (S-1-2-34...)? I have run across some services that don't allow the use of // in their fields.
Hello,
Based on the information shared in the post, it looks like you are using AD as the identity source for AWS SSO.
Firstly, I would like to mention that the ${user:groups} is not officially endorsed and supported by AWS SSO.
Secondly, the currently supported attributes are mentioned below [1].
${user:AD_GUID}
${user:email}
${user:familyName}
${user:givenName}
${user:middleName}
${user:name}
${user:preferredUsername}
${user:subject}
Although ${user:groups} is not supported, ${user:groups} returns the GUID but not the name itself. The GUID is the only possible value which can be returned right now, as SSO does not support group-level attributes.
A temporary workaround can be to retrieve the group name and then configure application attributes with that group name by string method itself, if that helps.
For example -
User Attribute in the application -> groups
Maps to this string value or use attribute in AWS SSO -> group-dev
Result -
<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">group-dev</saml2:AttributeValue>
</saml2:Attribute>
However, please note that since this attribute is not dynamic, the same value will be sent for all the users who will federate into that application. As such, it might not be very helpful. But you can use the above specified method if constant group value helps.
That said, please note that group name is not contained in any attribute as of now. Although, there is an existing feature request for support of group attribute for AWS SSO. I have gone ahead and added your voice to this feature request. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New [2] and Blog [3] pages for any new feature announcements.
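Since only the `domain//SID` form is available on the service-provider side, the receiving application has to split that string itself. The following is an added example (not AWS code or anything from the thread): it parses a memberOf attribute like the one in the question, keeps only values from the expected directory domain whose SID part is well-formed, and maps the SIDs through a hypothetical allow-list to application roles. The sample attribute, the `expected_domain` parameter and the `SID_TO_ROLE` table are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Windows SID shape: S-1-<authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample of the memberOf attribute AWS SSO emits for ${user:groups}.
# The third value comes from a different domain prefix so the domain check is exercised.
SAMPLE_ATTRIBUTE = """<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">other.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
</saml2:Attribute>"""


def parse_group_values(attribute_xml: str, expected_domain: str) -> list:
    """Return the SIDs from a memberOf Attribute element, keeping only values whose
    domain prefix matches expected_domain and whose SID part is well-formed."""
    root = ET.fromstring(attribute_xml)
    if root.tag != f"{{{SAML2}}}Attribute" or root.get("Name") != "memberOf":
        raise ValueError("not a memberOf Attribute element")
    sids = []
    for value_el in root.findall(f"{{{SAML2}}}AttributeValue"):
        raw = (value_el.text or "").strip()
        domain, sep, sid = raw.partition("//")
        # Reject values with no '//' separator, a foreign domain prefix, or a malformed SID
        # instead of guessing; an unexpected value should never grant anything.
        if not sep or domain.lower() != expected_domain.lower() or not SID_RE.match(sid):
            continue
        sids.append(sid)
    return sids


# Hypothetical allow-list (SID -> application role). Only groups listed here grant a role;
# SIDs the application does not know are ignored.
SID_TO_ROLE = {
    "S-1-2-34-984837712-606030259-670590003-12345": "developers",
    "S-1-2-34-984837712-606030259-670590003-12346": "readonly",
}


def roles_for_assertion(attribute_xml: str, expected_domain: str = "ad.domain.int") -> list:
    """Resolve the roles granted by the memberOf values of one assertion attribute."""
    sids = parse_group_values(attribute_xml, expected_domain)
    return sorted({SID_TO_ROLE[s] for s in sids if s in SID_TO_ROLE})
```

Because the allow-list is keyed on the SID rather than the display name, renaming the AD group does not silently change which users get a role.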
References: