SSO passing Group via Assertion

0

I am trying to pass the name of the Group to the SSO application. I found that I can use ${user:groups} and it passes the following:

    <saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
    </saml2:Attribute>

Is there a way to pass the name of the group or just the GUID (S-1-2-34...)? I have run across some services that don't allow the use of // in their fields.

Asked 2 years ago, 868 views
1 answer
0

Hello,

Based on the shared information in the post, it looks like you are using AD as the identity source for AWS SSO.

Firstly, I would like to mention that ${user:groups} is not officially endorsed and supported by AWS SSO.

Secondly, the currently supported attributes are mentioned below [1].

${user:AD_GUID}
${user:email}
${user:familyName}
${user:givenName}
${user:middleName}
${user:name}
${user:preferredUsername}
${user:subject}

Although ${user:groups} is not supported, it returns the GUID but not the name itself. The GUID is the only possible value which can be returned right now, as SSO does not support group-level attributes.

A temporary workaround can be to retrieve the group name and then configure application attributes with that group name by string method itself, if that helps.

For example -

User Attribute in the application -> groups

Maps to this string value or use attribute in AWS SSO -> group-dev

Result -

<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">group-dev</saml2:AttributeValue>
</saml2:Attribute>

However, please note that since this attribute is not dynamic, the same value will be sent for all the users who will federate into that application. As such, it might not be very helpful. But you can use the above specified method if constant group value helps.

That said, please note that the group name is not contained in any attribute as of now. There is, however, an existing feature request for support of group attributes for AWS SSO. I have gone ahead and added your voice to this feature request. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New [2] and Blog [3] pages for any new feature announcements.

References:

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

[2] https://aws.amazon.com/new/

[3] https://aws.amazon.com/blogs/aws/

AWS
Support Engineer
Yash_C
Answered 2 years ago
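Neither post shows what the receiving application has to do with the `domain//S-1-...` values that ${user:groups} emits (the `S-1-...` part is a Windows security identifier, a SID), which is the root of the question's `//` problem. The following is an added example, not code from the question, the answer, or AWS: a service-provider-side helper that pulls the `memberOf` values out of an already signature-validated assertion, splits each into domain and SID, rejects malformed values and values from an unexpected domain, and maps known SIDs to application roles. The sample attribute is constructed from the question's snippet (with the `saml2` namespace declared so it parses on its own); the domain name, role names and the SID-to-role table are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTRIBUTE_TAG = f"{{{SAML2_NS}}}Attribute"
ATTRIBUTE_VALUE_TAG = f"{{{SAML2_NS}}}AttributeValue"

# Windows SID shape: "S-1-<identifier authority>-<one or more sub-authorities>".
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample input modelled on the memberOf attribute in the question;
# the SIDs are the post's own values, and the namespace declaration is added
# so the fragment parses stand-alone.
SAMPLE_ASSERTION_FRAGMENT = """<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>
</saml2:Attribute>"""

# Assumed (hypothetical) mapping from group SID to an application role.
SID_TO_ROLE = {
    "S-1-2-34-984837712-606030259-670590003-12345": "developer",
    "S-1-2-34-984837712-606030259-670590003-12346": "reader",
}


def attribute_values(xml_text, attribute_name):
    """Return the text of every AttributeValue under the Attribute named attribute_name.

    Call this only on an assertion whose signature the SAML library has already
    verified; attribute extraction itself verifies nothing.
    """
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter(ATTRIBUTE_TAG):  # iter() includes the root element itself
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall(ATTRIBUTE_VALUE_TAG):
            values.append((value.text or "").strip())
    return values


def split_group_value(value):
    """Split "domain//SID" into (domain, sid); anything else raises ValueError."""
    parts = value.split("//")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"group value is not in domain//SID form: {value!r}")
    domain, sid = parts
    if not SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    return domain, sid


def extract_group_sids(xml_text, expected_domain):
    """Return the SIDs in memberOf that belong to expected_domain.

    Groups from any other domain are dropped so that a group carried over from
    a different forest never grants access here; domain comparison is
    case-insensitive because DNS names are.
    """
    sids = []
    for value in attribute_values(xml_text, "memberOf"):
        domain, sid = split_group_value(value)
        if domain.lower() != expected_domain.lower():
            continue
        sids.append(sid)
    return sids


def roles_for(sids, sid_to_role):
    """Map known group SIDs to roles; unknown SIDs confer nothing."""
    return sorted({sid_to_role[s] for s in sids if s in sid_to_role})


if __name__ == "__main__":
    sids = extract_group_sids(SAMPLE_ASSERTION_FRAGMENT, "ad.domain.int")
    print("group SIDs:", sids)
    print("roles:", roles_for(sids, SID_TO_ROLE))
```

Because the answer's constant-value workaround sends the same `groups` value (for example `group-dev`) to every federated user, an application that derives roles from it is effectively granting that role to everyone; mapping on the SID side, as above, keeps the per-user group membership that ${user:groups} does carry, at the cost of maintaining the SID-to-role table yourself.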
