[IdP] Azure groups not passed to Outsystems

Forge Component (43 votes), published on 5 Jun by Leonardo Fernandes

I successfully configured IdP and IdP mobile against our Azure Active Directory by using this instruction. Users can login with their Azure Active Directory account on traditional and mobile apps. Also the users are automatically created in the OutSystems Users database.

On the Azure Active Directory admin center I added an additional group claim like below

Unfortunately the AAD group memberships are not passed to OutSystems.

I created a group in the Users application with the name matching the Azure GUID and assigned a user to a role named KCT containing this group. On our mobile app I added this KCT role and checked it.

The assigned user is not able to login.
Am I doing something wrong?

Hello Raymond,


I've not configured IdP with Azure AD yet, only other providers (Okta and OpenAM ForgeRock), but since the authentication is working well, I would suggest you verify the SAML Message Logs available in your IdP installation under <YOURHOST>/IdP/SamlMessageLogs.aspx, look for the AuthResponse message for the error use case and take a look at the SAML package, specifically at how groups are returned by Azure AD (and if they are returned). As with other attributes, claim names must match exactly on both sides (Azure AD and IdP). Note that user groups could be an array, so the IdP configuration could split it using a separator character.


If the configuration seems good after looking at the SAML logs, you could debug the login and auto-provision user process on the IdP side; depending on how the information arrives in the SAML package, some customization of the IdP flow could be necessary.


Hope this helps.


Tiago




Hi Tiago, this helps a lot, thanks!

I see in the SamlMessageLogs (with Saml Message Type = "LoginResponse") that the Saml Message contains the group attribute like below:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>580792a7-28f5-4803-975c-fef0e09c2807</AttributeValue><AttributeValue>00062a10-f3cd-4730-9bd8-99528f121d42</AttributeValue></Attribute>

On the Test Saml Message tab I see the group claim also and it is comma separated like below.

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups: 580792a7-28f5-4803-975c-fef0e09c2807,00062a10-f3cd-4730-9bd8-99528f121d42

So I assume they arrive in OutSystems but somehow they are not picked up correctly.

Can you give me some helping directions where and how I should debug idP?


I tried to debug it, but as you can see the if statement HasClaims is false:

GetUserSessionClaimByUserSessionId.List.Current.UserSessionClaims.UserSessionId <> NullIdentifier() and BinaryDataSize(GetUserSessionClaimByUserSessionId.List.Current.UserSessionClaims.Claims) > 0



Hi Raymond!

Unfortunately I'm unable to access my environment for now to give you more detailed info about debugging; I remember a server action named ProcessClaim, ClaimProcess (or something like that). Another way is to find where the Users application actions are used from the dependencies in IdP, to look where the group inclusion should occur and put a breakpoint there.


Suddenly the groups are created in OutSystems.

I changed 2 things:

1. the value of the group claim from user.groups [All] to user.groups [SecurityGroup]

2. the claim name in the IdP configuration screen from http://schemas.xmlsoap.org/claims/Group to http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

Solution

Nice! 

If you think that my answer helped you, please, mark it as a solution. 

Regards, 

Tiago 



Hi Tiago and Raymond,

We have a similar setup as Raymond, but I'm unable to see the Azure groups in OutSystems Users or even in the SAML logs. Please find attached the screenshots of our configuration and a sample LoginResponse SAML message.

Am I missing some steps here?


Regards,

Krishanu

This is my LoginResponse screenshot.

On your screenshot I can't see the full Groups URL but it should be: 

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, containing a comma-separated list of Azure AD group IDs.

Also, in the Azure Portal this URL must be mapped to GroupID.


Maybe a second update of the Azure AD configuration will help to get the groups coming into OutSystems...

Hi Raymond,

We've updated Azure AD, but the groups are still not coming through in LoginResponse.


Should we check for anything else in Azure AD or IdP?


Regards,

Krishanu

Hi Raymond,

Groups are now getting created in OutSystems (after re-importing the xml in IdP) but as multiple strings of alphanum characters as in your example. How do we get the group names as assigned in Azure AD?

Regards,

Krishanu


Hi Krishanu,


You can't, unfortunately.

Azure is not passing the group names into the SAML Claims to OutSystems.

You have to fill it in manually in the description field on the OutSystems side in the Users application.

Reason for this is that group names are not unique in Azure AD, only the object id of the group.
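As an added example (not code from the thread or the IdP component), the following Python shows the two points the thread turns on: pulling the multi-valued groups claim out of a LoginResponse by exact claim name, and mapping the Azure AD object IDs to names kept locally, since Azure AD only sends object IDs. The sample response and the "KCT" description mapping are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim name Azure AD emits for groups (as seen in the thread's LoginResponse);
# the xmlsoap.org/claims/Group name was the mismatch in the IdP configuration.
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample shaped like the LoginResponse attribute quoted in the thread.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns="{SAML_NS}">
  <Assertion>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>user@example.com</AttributeValue>
      </Attribute>
      <Attribute Name="{AZURE_GROUPS_CLAIM}">
        <AttributeValue>580792a7-28f5-4803-975c-fef0e09c2807</AttributeValue>
        <AttributeValue>00062a10-f3cd-4730-9bd8-99528f121d42</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""


def extract_claim_values(saml_xml, claim_name):
    """Return every value of the attribute whose Name equals claim_name exactly.
    Accepts both encodings seen in the thread: several AttributeValue elements,
    or one value holding a comma-separated list (the 'Test Saml Message' form)."""
    root = ET.fromstring(saml_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != claim_name:   # exact match, no prefix/case slack
            continue
        for av in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            text = av.text or ""
            values.extend(v.strip() for v in text.split(",") if v.strip())
    return values


def resolve_groups(object_ids, descriptions):
    """Map Azure AD group object IDs to the names kept manually in the Users
    app description field; unknown IDs are returned so they are not silently lost."""
    known = {oid: descriptions[oid] for oid in object_ids if oid in descriptions}
    unknown = [oid for oid in object_ids if oid not in descriptions]
    return known, unknown


if __name__ == "__main__":
    ids = extract_claim_values(SAMPLE_RESPONSE, AZURE_GROUPS_CLAIM)
    print(resolve_groups(ids, {"580792a7-28f5-4803-975c-fef0e09c2807": "KCT"}))
```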