
How to Send Groups Within a Claim for SAML SSO


You want to send Groups as a SAML claim for Single Sign-On.


Use either the 'Groups (CommonName Only)' or 'Groups(As SIDs)' value type in the claim editor within the Identity Provider Configuration Editor.


  • Determine whether the Groups should be sent using CommonName or SID 


  1. Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.
  2. Navigate to the SAML Websites tab and edit the Relying Party that needs a claim for Group information.
  3. Navigate to the Identity Claims tab.
  4. Click on the 'Create' button to create a new claim.
  5. Define a name for this claim in the 'Name' field (e.g. 'Groups')
    • This value will only be used as a reference point in the Identity Provider Configuration Editor and is NOT sent alongside the Claim during SSO.
  6. The 'Schema Type' corresponds to the attribute 'Name' value that the SP is looking for. 
    • Oftentimes, the SP will require the claim to be sent with an attribute 'Name' formatted with 'urn...'
    • If you are unsure, click the 'Pre-defined Types' button and choose an option from the dropdown.
      • For Groups sent as CommonName, use ''
      • For Groups sent as SID, use ''
  7. The 'Value Type' will be set to either 'Groups (CommonName Only)' or 'Groups(As SIDs)' depending on how the claim should be sent.
  8. You may use the Group Whitelist sub-tab to determine a subset of groups that CAN be released.
    • By default, all groups that a user is a member of will be released within the claim unless a whitelist is determined here.
  9. Your final result should resemble the following if sending Groups as CommonName:
    • PortalGuard SAML - Groups Claim
  10. Save the new claim. 
  11. Save the Relying Party Configuration.
  12. From the main screen of the Identity Provider Configuration Editor, click the 'Apply to Identity Provider' button. 
  13. Click the 'Sync' button.
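
After the sync, it is worth confirming that a captured assertion releases only the groups intended by the whitelist in step 8 and in the format chosen in step 7. The following check is an added example, not PortalGuard code; it assumes a SAML 2.0 assertion, and the attribute Name, group names and function names are constructed placeholders to be replaced with the 'Schema Type' and whitelist configured above.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml for assertions from untrusted sources

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")  # textual form of a Windows SID

# Constructed sample assertion. The attribute Name is a placeholder, not a
# PortalGuard pre-defined type; use the 'Schema Type' set in step 6.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:placeholder:groups">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      <saml:AttributeValue>Domain Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def released_groups(assertion_xml, attribute_name):
    """Return the values of the named attribute, or None if the claim is absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values = attr.iterfind("saml:AttributeValue", SAML_NS)
            return [(v.text or "").strip() for v in values]
    return None

def audit_group_claim(assertion_xml, attribute_name, expected_format, whitelist):
    """Compare a group claim against the intended format ('cn' or 'sid') and whitelist."""
    groups = released_groups(assertion_xml, attribute_name)
    if groups is None:
        return {"present": False, "wrong_format": [], "not_whitelisted": []}
    want_sid = expected_format == "sid"
    # A value is in the wrong format when its SID-ness disagrees with the setting.
    wrong = [g for g in groups if bool(SID_RE.match(g)) != want_sid]
    allowed = {w.lower() for w in whitelist}
    extra = [g for g in groups if g.lower() not in allowed]
    return {"present": True, "wrong_format": wrong, "not_whitelisted": extra}

if __name__ == "__main__":
    print(audit_group_claim(SAMPLE_ASSERTION, "urn:example:placeholder:groups",
                            "cn", ["Finance", "VPN-Users"]))
```

A non-empty `not_whitelisted` list means the claim releases more group memberships to the Relying Party than intended, which is the default behaviour when no whitelist is set.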

REV. 09/2018 | PortalGuard

  • 07-Sep-2018