[IdP] Azure groups not passed to Outsystems

Forge Component
Published on 4 Nov by Telmo Martins

I successfully configured IdP and IdP mobile against our Azure Active Directory by following these instructions. Users can log in with their Azure Active Directory account on traditional and mobile apps. Also, the users are automatically created in the OutSystems Users database.

On the Azure Active Directory admin center I added an additional group claim like below

Unfortunately the AAD group memberships are not passed to OutSystems.

I created a group in the Users application with a name matching the Azure GUID and assigned a user to a role named KCT containing this group. On our mobile app I added this KCT role and checked it.

The assigned user is not able to login.
Am I doing something wrong?

Hello Raymond,

I've not configured IdP with Azure AD yet, only other providers (Okta and OpenAM ForgeRock), but since the authentication is working well, I would suggest you verify the SAML Message Logs available in your IdP installation under <YOURHOST>/IdP/SamlMessageLogs.aspx, look for the AuthResponse message for the error use case and take a look at the SAML package, specifically at how groups are returned by Azure AD (and whether they are returned at all). As with other attributes, claim names must match exactly on both sides (Azure AD and IdP). Note that user groups could be an array, so the IdP configuration could split it using a separator character.

If the configuration seems good after looking at the SAML logs, you could debug the login and user auto-provisioning process on the IdP side; depending on how the information arrives in the SAML package, some customization of the IdP flow could be necessary.

Hope this helps.

Tiago


Hi Tiago, this helps a lot, thanks!

I see in the SamlMessageLogs (with Saml Message Type = "LoginResponse") that the Saml Message contains the group attribute like below:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>580792a7-28f5-4803-975c-fef0e09c2807</AttributeValue><AttributeValue>00062a10-f3cd-4730-9bd8-99528f121d42</AttributeValue></Attribute>

On the Test Saml Message tab I see the group claim as well, and it is comma-separated like below.

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups: 580792a7-28f5-4803-975c-fef0e09c2807,00062a10-f3cd-4730-9bd8-99528f121d42

So I assume they arrive in OutSystems but somehow they are not picked up correctly.

Can you give me some directions on where and how I should debug IdP?

I tried to debug it, but as you can see, the If statement HasClaims is false:

GetUserSessionClaimByUserSessionId.List.Current.UserSessionClaims.UserSessionId <> NullIdentifier() and BinaryDataSize(GetUserSessionClaimByUserSessionId.List.Current.UserSessionClaims.Claims) > 0



Hi Raymond!

Unfortunately I'm unable to access my environment for now to give you more detailed info about debugging; I remember a server action named ProcessClaim or ClaimProcess (or something like that). Another way is to find where the Users application's actions are used from the dependencies in IdP, to look at where the group inclusion should occur and set a breakpoint there.


Suddenly the groups are created in OutSystems.

I changed two things:

1. The value of the group claim from user.groups [All] to user.groups [SecurityGroup].

2. The claim name in the IdP configuration screen from http://schemas.xmlsoap.org/claims/Group to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.

Solution

Nice! 

If you think that my answer helped you, please, mark it as a solution. 

Regards, 

Tiago 
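The two findings in this thread, that Azure AD returns the groups as several AttributeValue elements under one claim name and that the name configured in IdP has to match that claim exactly, can be seen in a small parser. The following is an added example, not code from the IdP Forge component or from anyone in the thread; the sample AttributeStatement, the e-mail value and the GUID-to-group mapping are constructed (the two GUIDs are the ones Raymond posted).

```python
"""Added example (not code from the IdP Forge component): parse a SAML
AttributeStatement and extract a multi-valued group claim by exact name."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from the thread: the one Azure AD emits, and the one that was
# configured in IdP before the fix.
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
LEGACY_GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample shaped like the attribute seen in SamlMessageLogs; the
# e-mail value is made up.
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>raymond@example.invalid</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>580792a7-28f5-4803-975c-fef0e09c2807</saml:AttributeValue>
    <saml:AttributeValue>00062a10-f3cd-4730-9bd8-99528f121d42</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_claims(statement_xml):
    """Return {claim_name: [value, ...]}; every AttributeValue is kept, so a
    multi-valued groups claim comes back as a list rather than one string."""
    root = ET.fromstring(statement_xml)
    claims = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def group_ids(claims, configured_claim_name):
    """Lookup is by exact string: a near-miss name (e.g. the xmlsoap one) silently yields no groups."""
    return claims.get(configured_claim_name, [])


def resolve_groups(claims, configured_claim_name, known_groups):
    """Map group IDs to Users-app group names; IDs with no local group are
    returned separately so a missing mapping is visible instead of being dropped."""
    ids = group_ids(claims, configured_claim_name)
    matched = [known_groups[g] for g in ids if g in known_groups]
    unmatched = [g for g in ids if g not in known_groups]
    return matched, unmatched
```

Running `group_ids` with LEGACY_GROUP_CLAIM against this statement returns an empty list, which is the "groups arrive but are not picked up" symptom from the thread; the Azure name returns both GUIDs.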