Microsoft Entra
A group of Microsoft multicloud identity and access solutions.
2,555 questions
Azure AD Groups Claim only contains 1 Group but user is assigned to multiple Groups
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 22%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
Loran Saggu
0
Reputation points
I am using Azure AD (Entra) as an Identity Provider (IdP) for an SAML SSO Connection into Salesforce (the service provider). We would like to receive Group Membership in the SAML response from Azure. We have specified that our Group Claim should include All Groups. The issue is that when we receive the claim in Salesforce, we only see a single Group Id when the user is assigned to multiple groups in Azure...
We are on a free tier (while testing) in Azure. Is there anything that we should be doing to obtain all group ids in the claim in Salesforce?
Config in Azure:
Response in Salesforce (there is only 1 group Id where there should be 3):
{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":"Person","http://schemas.microsoft.com/claims/authnmethodsreferences":"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"******@testssooutlook.onmicrosoft.com","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname":"Test","http://schemas.microsoft.com/identity/claims/objectidentifier":"9ddec433-1fb2-4ed3-bfba-209a90cbebd5","http://schemas.microsoft.com/identity/claims/identityprovider":"https://sts.windows.net/107be8f6-e69c-4de9-b304-a8785a6d531f/","http://schemas.microsoft.com/identity/claims/tenantid":"107be8f6-e69c-4de9-b304-a8785a6d531f","http://schemas.microsoft.com/ws/2008/06/identity/claims/wids":"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3","http://schemas.microsoft.com/ws/2008/06/identity/claims/groups":"33514b82-a659-4247-a2f2-44674d9ec1b3","http://schemas.microsoft.com/identity/claims/displayname":"Test Person"}
{count} votes
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,511 Reputation points2023-10-06T00:51:56.0166667+00:00 Hello @Loran Saggu , what type of groups are the ones missing? Security? Unified (Microsoft 365), DL, Dynamic?
-
Loran Saggu 0 Reputation points
2023-10-06T08:59:20.5566667+00:00 Hello @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA - The groups are all Security groups (including the group that is included in the claim). If I remove group membership from the group included in the claim, the next claim includes the group Id of one of the other groups the user is a member of. Entra appears to just be grabbing the first group the user belongs to and adding it to the response.
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,511 Reputation points
2023-10-06T17:59:45.53+00:00 Is one of those 2 groups related? Member of the other?
Sign in to comment
Sign in to answer