How to Send Groups Within a Claim for SAML SSO
Problem: You want to send Groups as a SAML claim for Single Sign-On.

Solution: Use either the 'Groups (CommonName Only)' or 'Groups(As SIDs)' value type in the claim editor within the Identity Provider Configuration Editor.

Steps:
Determine whether the Groups should be sent using CommonName or SID.
- The SP must expect the same form: a group sent as a CommonName will not be matched by an SP that expects a SID, and vice versa.
Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.
Navigate to the SAML Websites tab and edit the Relying Party that needs a claim for Group information.
Navigate to the Identity Claims tab.
Click the 'Create' button to create a new claim.
Define a name for this claim in the 'Name' field (e.g. 'Groups').
- This value is only used as a reference point in the Identity Provider Configuration Editor and is NOT sent alongside the claim during SSO.
Set the 'Schema Type'. This corresponds to the attribute 'Name' value that the SP is looking for.
- Oftentimes, the SP will require the claim to be sent with an attribute 'Name' formatted as a URI (typically beginning with 'urn:' or 'http://').
- If you are unsure, click the 'Pre-defined Types' button and choose an option from the dropdown.
- For Groups sent as CommonName, use 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
- For Groups sent as SID, use 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
Set the 'Value Type' to either 'Groups (CommonName Only)' or 'Groups(As SIDs)', depending on how the claim should be sent.
You may use the Group Whitelist sub-tab to determine a subset of groups that CAN be released.
- By default, all groups that a user is a member of will be released within the claim unless a whitelist is determined here.
- Releasing every membership discloses the user's complete group list to the SP; whitelist only the groups the SP actually uses for authorization.
Your final result should resemble the following if sending Groups as CommonName:
Save the new claim.
Save the Relying Party Configuration.
From the main screen of the Identity Provider Configuration Editor, click the 'Apply to Identity Provider' button.
Click the 'Sync' button.
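As an added example (not PortalGuard's code, and not taken from this article), the following Python shows what the configured claim looks like on the wire: it builds the SAML AttributeStatement an IdP emits for a 'Groups' claim under each Value Type, models the effect of the Group Whitelist (no whitelist releases every membership, a whitelist releases only the listed groups), and shows the SP-side extraction that fails when the SP expects the other attribute 'Name'. The group names, the SID values and the whitelist are constructed sample data, and exact-match whitelist comparison is an assumption of the example rather than documented PortalGuard behaviour.

```python
"""Added example (not PortalGuard code): what a Groups claim looks like on the
wire, how the Group Whitelist narrows it, and how an SP reads it back.
All group names and SIDs below are constructed sample data."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted assertions

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Attribute 'Name' the SP expects for each PortalGuard 'Value Type' (from the article).
CLAIM_URI = {
    "Groups (CommonName Only)": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "Groups(As SIDs)": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
}


def release_groups(member_of, whitelist=None):
    """IdP side: model the Group Whitelist sub-tab. With no whitelist every
    membership is released; otherwise only listed groups are. Exact-match
    comparison is an assumption of this example, not documented behaviour."""
    if not whitelist:
        return list(member_of)
    allowed = set(whitelist)
    return [g for g in member_of if g in allowed]


def build_attribute_statement(value_type, groups):
    """IdP side: serialise the released groups as one multi-valued SAML Attribute
    whose Name is the URI the article prescribes for that Value Type."""
    root = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(
        root, f"{{{SAML_NS}}}Attribute",
        Name=CLAIM_URI[value_type],
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    )
    for group in groups:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = group
    return ET.tostring(root, encoding="unicode")


def extract_groups(statement_xml, value_type):
    """SP side: return the values of the Attribute whose Name matches what the
    SP was configured to expect. A CommonName claim is invisible to an SP that
    looks for the groupsid URI, and vice versa."""
    root = ET.fromstring(statement_xml)
    wanted = CLAIM_URI[value_type]
    values = []
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") == wanted:
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", NS))
    return values


if __name__ == "__main__":
    # Constructed sample memberships for a test user.
    member_of = ["Domain Users", "Finance", "Domain Admins"]
    # 1) No whitelist: every membership, including Domain Admins, reaches the SP.
    xml_all = build_attribute_statement("Groups (CommonName Only)", release_groups(member_of))
    print(xml_all)
    # 2) Whitelist of the one group the SP authorises on.
    xml_wl = build_attribute_statement("Groups (CommonName Only)", release_groups(member_of, ["Finance"]))
    print(extract_groups(xml_wl, "Groups (CommonName Only)"))  # ['Finance']
    # 3) Mismatched Value Type / SP expectation yields no groups at all.
    print(extract_groups(xml_wl, "Groups(As SIDs)"))  # []
```

Run it as a script to see the three cases; the third one is the symptom you get when the SP is configured for the groupsid URI but the claim was created with 'Groups (CommonName Only)' (or the reverse): the assertion is valid, but the SP sees no group values.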
REV. 09/2018 | PortalGuard