How to get the group name from a Microsoft Entra ID SAML claim

yama 0 Reputation points
2023-11-07T05:17:58.8666667+00:00

Situation: SAML authentication is performed using Azure Entra ID as the IdP. I want to use the group ID on the Azure side for single sign-on authentication. For internal reasons, we are considering operating it in a form that does not use Attributes.

Issue: The object ID of the Azure Entra ID group can be obtained, but the group name cannot, so I want to pass it as claim information using a regex.

What I want to solve: I want to know how to use group names during SAML authentication with Azure Entra ID, and how to troubleshoot it.

What was investigated

https://learn.microsoft.com/ja-jp/entra/identity/hybrid/connect/how-to-connect-fed-group-claims

Microsoft Entra ID

2 answers

  1. James Hamil 26,026 Reputation points Microsoft Employee
    2023-11-08T21:02:31.1633333+00:00

    Hi @yama , you can use the name claim type. The name claim type is used to represent the display name of the group. Here's an example of how to extract the group name from a SAML claim using regex in C#:

    using System.Text.RegularExpressions;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    
    // Example SAML claim (illustrative format: the claim type URI followed by the
    // group object ID in braces)
    string samlClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups: {group-object-id}";
    
    // Extract the group object ID from the SAML claim; the braces are escaped so
    // they are matched literally rather than read as a quantifier
    string groupObjectId = Regex.Match(samlClaim, @"\{(.+?)\}").Groups[1].Value;
    
    // Get the group name from Azure AD using the group object ID.
    // graphClient is an already-authenticated GraphServiceClient (Microsoft Graph
    // SDK v4 request syntax); the call is awaited, so .Result is not used.
    Group group = await graphClient.Groups[groupObjectId].Request().Select("displayName").GetAsync();
    string groupName = group.DisplayName;
    

    The samlClaim variable contains the SAML claim that includes the group object ID. The Regex.Match method is used to extract the group object ID from the SAML claim using a regular expression. The graphClient variable is an instance of the Microsoft Graph client, which is used to retrieve the group name from Azure AD using the group object ID. The Select method is used to specify that only the displayName property should be returned. The GetAsync method is used to retrieve the group object from Azure AD, and the DisplayName property is used to get the group name.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James


  2. billy 0 Reputation points
    2024-08-02T09:09:10.38+00:00

    Hi James,

    I want to try this approach, but calling the group API needs an OAuth2 bearer token. The token I received as a SAML assertion is not suitable for the Graph API, nor did I find any documentation on exchanging a SAML token for an OIDC token.

    Thanks

    Billy

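
The following is an added example that is not part of the question or either answer above. It shows the service-provider side of what James describes (pull the group object IDs out of the `groups` claim, keep only well-formed GUIDs, map them to display names) and makes Billy's point explicit: the name lookup is a separate Microsoft Graph call that needs its own OAuth2 bearer token, so the code only builds that request and never sends the SAML assertion to Graph. The assertion XML, the group IDs and the `GROUP_DIRECTORY` mapping are constructed for the example; in a real deployment the mapping would be filled from `GET /groups/{id}?$select=displayName` using an application token (for example client credentials with an application permission such as `Group.Read.All`), and the assertion must be signature-validated before any attribute in it is trusted.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml in production to harden parsing

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample assertion (not a real Entra ID assertion): only the
# AttributeStatement is shown. Signature, Conditions and Subject are omitted;
# verify the signature before reading anything below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Example User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE</saml:AttributeValue>
      <saml:AttributeValue>not-a-guid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the result of the Graph displayName lookups.
GROUP_DIRECTORY = {
    "11111111-2222-3333-4444-555555555555": "App-Admins",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "App-Readers",
}


def extract_group_ids(assertion_xml: str) -> list:
    """Return the group object IDs carried in the groups claim, lower-cased.

    Values that are not well-formed GUIDs are dropped rather than passed on,
    so nothing but an object ID ever reaches the directory lookup.
    """
    root = ET.fromstring(assertion_xml)
    ids = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if GUID_RE.match(text):
                ids.append(text.lower())
    return ids


def resolve_group_names(group_ids, directory) -> dict:
    """Map object IDs to display names; unknown IDs are left out (fail closed)."""
    return {gid: directory[gid] for gid in group_ids if gid in directory}


def graph_group_request(group_id: str, access_token: str) -> tuple:
    """Build the Graph request that would resolve one group's displayName.

    access_token must be an OAuth2 bearer token issued for Microsoft Graph
    (e.g. from a client-credentials flow); the SAML assertion received at
    sign-in cannot be used here. The request is returned, not sent.
    """
    if not GUID_RE.match(group_id):
        raise ValueError("group_id must be a GUID")
    url = f"https://graph.microsoft.com/v1.0/groups/{group_id}?$select=displayName"
    return ("GET", url, {"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    ids = extract_group_ids(SAMPLE_ASSERTION)
    print("group object IDs in assertion:", ids)
    print("resolved names:", resolve_group_names(ids, GROUP_DIRECTORY))
    print("Graph request for first group:", graph_group_request(ids[0], "<app-token>"))
```

Authorization decisions should be made on the object ID (it is stable and unique) and the display name used only for presentation; a display name is not unique in a tenant and can be changed by a group owner.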
