SSO passing Group via Assertion

0

I am trying to pass the name of the Group to the SSO application. I found that I can use ${user:groups} and it passes the following:

 <saml2:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12345</saml2:AttributeValue>;
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ad.domain.int//S-1-2-34-984837712-606030259-670590003-12346</saml2:AttributeValue>;
   </saml2:Attribute>

Is there a way to pass the name of the group or just the GUID (S-1-2-34...), I have run across some services that don't allow the use of // in their fields.

已提问 2 年前832 查看次数
1 回答
0

Hello,

Based on the shared information in the post, it looks like that you are using AD as identity source for AWS SSO.

Firstly, I would like to mention that the ${user:groups} is not officially endorsed and supported by AWS SSO.

Secondly, the currently supported attributes are mentioned below [1].

${user:AD_GUID}
${user:email}
${user:familyName}
${user:givenName}
${user:middleName}
${user:name}
${user:preferredUsername}
${user:subject}

Although, ${user:groups} not supported, ${user:groups} returns the GUUID but not the name itself. GUUID is the only possible value which can be returned right now as SSO does not support group level attributes.

A temporary workaround can be to retrieve the group name and then configure application attributes with that group name by string method itself, if that helps.

For example -

User Attribute in the application -> groups

Maps to this string value or use attribute in AWS SSO -> group-dev

Result -

<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance " xsi:type="xsd:string">group-dev</saml2:AttributeValue>
</saml2:Attribute>

However, please note that since this attribute is not dynamic, the same value will be sent for all the users who will federate into that application. As such, it might not be very helpful. But you can use the above specified method if constant group value helps.

That said, please note that group name is not contained in any attribute as of now. Although, there is an existing feature request for support of group attribute for AWS SSO. I have gone ahead and added your voice to this feature request. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New [2] and Blog [3] pages for any new feature announcements.

References:

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html#supportedssoattributes

[2] https://aws.amazon.com/new/

[3] https://aws.amazon.com/blogs/aws/

profile pictureAWS
支持工程师
Yash_C
已回答 2 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则