[IdP] IdP with AADP - Fun with groups

[IdP] IdP with AADP - Fun with groups

Forge Component
Published on 4 Jul by Telmo Martins
25 votes
Published on 4 Jul by Telmo Martins

First of can I congratulate you - I've installed IdP and got it working with AADP today - this was an absolute piece of cake to do and it's to your credit.

But (you knew there was a but) I have an issue with Groups in the Users application.

If I add my User to a Group called Administrators and then login as my user I seem to be immediately removed from that group. The only group I persist in is IdP_Onboarding.

The user does retain Application Roles however (I added it to the IdP_Administrator role, and can still use that).

Any ideas what would be removing me from Groups? And how I can persuade it to work better for me?

Thanks in advance,


FWIW, I am 80% sure that the deletion takes place in SAML_Groups_Process.
AADP isn't returning any groups in the claim, so i think this deletes me out of my groups, and then doesn't add me back in to anything as it doesn't know what to add me to.

Currently, I am thinking that I would just delete the calls to this process from Auth\IdP\Prepartion and UserLogin_MobileOSIdPServer.

Yes, this leaves me with an upgrade headache, and a standalone management headache for Groups, but then the functionality works as I am expecting it to again.

Alternatively, there could be a "process groups" boolean added to IdP configuration, which allows switching between the the IdP provider managing the groups and the default Users application managing the groups.

Which would be more acceptable?


Hi Gavin,

Thank you.

Usually by default we want to rely on the groups returned on the saml assertion. However in some installations we may not rely on those and manage by "ourselves" the groups that each user belongs.

I would suggest a boolean property to process and rely on the assertion groups, or just don't do anything (ie, do not add or remove the current groups that the user belongs to).

That's actually a good point, I'll try to include it in the next version that I'm working on that should came out in the next days.

From your side to quickly achieve that you can for instance add a site property to check if you want to call SAML_Groups_Process.