I successfully configured IdP and IdP Mobile against our Azure Active Directory by following these instructions. Users can log in with their Azure Active Directory account on traditional and mobile apps, and the users are also automatically created in the OutSystems Users database.
On the Azure Active Directory admin center I added an additional group claim as shown below.
Unfortunately the AAD group memberships are not passed to OutSystems.
I created a group in the Users application with a name matching the Azure GUID and assigned a user to a role named KCT containing this group. On our mobile app I added this KCT role and checked it.
The assigned user is not able to log in. Am I doing something wrong?
Raymond Vermeer wrote:
Suddenly the groups are created in OutSystems.
I changed 2 things:
1. the value of the group claim, from user.groups [All] to user.groups [SecurityGroup]
2. the claim name in the IdP configuration screen, from http://schemas.xmlsoap.org/claims/Group to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Nice!
If you think that my answer helped you, please, mark it as a solution.
Regards,
Tiago
Hello Raymond,
I've not configured IdP with Azure AD yet, only with other providers (Okta and OpenAM/ForgeRock), but since the authentication is working well, I would suggest that you verify the SAML message logs available in your IdP installation under <YOURHOST>/IdP/SamlMessageLogs.aspx, look for the AuthResponse message for the failing use case, and take a look at the SAML package, specifically at how groups are returned by Azure AD (and whether they are returned at all). As with other attributes, claim names must match exactly on both sides (Azure AD and IdP). Note that user groups could be an array, so the IdP configuration could split them on a separator character.
If the configuration looks good after checking the SAML logs, you could debug the login and auto-provisioning process on the IdP side; depending on how the information arrives in the SAML package, some customization of the IdP flow may be necessary.
Hope this helps.
Tiago Evangelista de Resende wrote:
Hi Tiago this helps a lot, thanks !
I see in the SamlMessageLogs (with Saml Message Type = "LoginResponse") that the SAML message contains the group attribute like below:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>580792a7-28f5-4803-975c-fef0e09c2807</AttributeValue><AttributeValue>00062a10-f3cd-4730-9bd8-99528f121d42</AttributeValue></Attribute>
On the Test Saml Message tab I see the group claim also and it is comma separated like below.
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups: 580792a7-28f5-4803-975c-fef0e09c2807,00062a10-f3cd-4730-9bd8-99528f121d42
So I assume they arrive in OutSystems, but somehow they are not picked up correctly.
Can you give me some directions on where and how I should debug IdP?
Hi Raymond!
Unfortunately I'm unable to access my environment for now to give you more detailed info about debugging; I remember a server action named ProcessClaim, ClaimProcess (or something like that). Another way is to find where the Users application's actions are used in IdP's dependencies, to see where the group inclusion should occur, and set a breakpoint there.
I tried to debug it, but as you can see the If statement HasClaims evaluates to false:
GetUserSessionClaimByUserSessionId.List.Current.UserSessionClaims.UserSessionId <> NullIdentifier() and BinaryDataSize(GetUserSessionClaimByUserSessionId.List.Current.UserSessionClaims.Claims) > 0
Hi Tiago and Raymond,
We have a similar setup to Raymond's, but I'm unable to see the Azure groups in OutSystems Users or even in the SAML logs. Please find attached the screenshots of our configuration and a sample LoginResponse SAML message.
Am I missing some steps here?
Krishanu
This is my LoginResponse screenshot.
On your screenshot I can't see the full Groups URL but it should be:
Maybe a second update on the Azure AD configuration will help to get the groups coming into OutSystems.
Hi Raymond,
We've updated Azure AD, but the groups are still not coming through in LoginResponse.
Should we check for anything else in Azure AD or IdP?
Krishanu Deb Roy wrote:
Groups are now getting created in OutSystems (after re-importing the XML in IdP), but as multiple strings of alphanumeric characters, as in your example. How do we get the group names as assigned in Azure AD?
Hi Krishanu,
You can't, unfortunately.
Azure is not passing the group names into the SAML Claims to OutSystems.
You have to fill it in manually in the description field on the OutSystems side in the Users application.
The reason for this is that group names are not unique in Azure AD; only the object ID of the group is.
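The two points the thread turns on, that the groups claim is only found when its Name matches the configured URI exactly (Raymond's SamlMessageLogs attribute above) and that Azure AD sends group object IDs rather than names (this last reply), as an added example in Python. It is not part of the original thread and not OutSystems IdP's own code: the assertion is constructed from the attribute Raymond posted, the two group IDs are the ones quoted in the thread, and the local ID-to-description table is made up. The exact, case-sensitive Name comparison and the comma-joined flattening are assumptions about how IdP handles the claim, based on Tiago's remark that claim names must match exactly and on the Test Saml Message output.

```python
"""Extract and flatten the Azure AD groups claim from a SAML 2.0 assertion.

Added example, not code from the thread or from OutSystems IdP.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name Azure AD actually emits (the one that worked in the thread).
AAD_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Claim name that was configured first and silently matched nothing.
LEGACY_GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion: one AttributeStatement carrying the
# multi-valued groups claim exactly as it appeared in the SamlMessageLogs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>580792a7-28f5-4803-975c-fef0e09c2807</saml:AttributeValue>
      <saml:AttributeValue>00062a10-f3cd-4730-9bd8-99528f121d42</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, claim_name: str) -> list[str]:
    """Return every AttributeValue of the Attribute whose Name equals claim_name.

    The comparison is exact and case-sensitive (assumed to mirror IdP), which
    is why an outdated claim URI in the IdP configuration yields an empty
    list rather than an error.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                if val.text and val.text.strip():
                    values.append(val.text.strip())
    return values


def flatten_groups(values: list[str], separator: str = ",") -> str:
    """Join the values the way the Test Saml Message tab displays them."""
    return separator.join(values)


def has_claims(values: list[str]) -> bool:
    """Analogue of the HasClaims check: was anything stored for the session?"""
    return len(values) > 0


def resolve_groups(values: list[str], group_table: dict[str, str]) -> list[tuple[str, str]]:
    """Map group object IDs to descriptions maintained locally.

    Azure AD sends only the object ID; names are not unique there, so the
    object ID is the key and the name is a description kept on the
    OutSystems side. IDs without a local entry are flagged rather than
    dropped, so an unexpected group is visible instead of silently ignored.
    """
    return [(gid, group_table.get(gid.lower(), "<unmapped>")) for gid in values]


# Constructed mapping: object ID -> description kept in the Users application.
LOCAL_GROUP_TABLE = {
    "580792a7-28f5-4803-975c-fef0e09c2807": "KCT-Users",
}

if __name__ == "__main__":
    groups = attribute_values(SAMPLE_ASSERTION, AAD_GROUPS_CLAIM)
    print("groups claim:", flatten_groups(groups))
    legacy = attribute_values(SAMPLE_ASSERTION, LEGACY_GROUP_CLAIM)
    print("legacy claim present:", has_claims(legacy))
    for gid, name in resolve_groups(groups, LOCAL_GROUP_TABLE):
        print(gid, "->", name)
```

Running it against the constructed assertion returns both object IDs for the Microsoft claim URI and nothing for the legacy URI, which is the same symptom as HasClaims being false in the debugger: no error, just an empty claim set. Keying the local table by object ID rather than by display name is deliberate; two Azure AD groups can share a name, so a role mapping built on names would be ambiguous.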