25,128 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 67%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
This can be closed as I have found by myself a solution to this.
How to build a Role claim using user group membership
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 40%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
Cristian Csiki
0
Reputation points
Hi,
I am trying to map the Azure user to an AWS role when the user does SSO. I can send 1 claim as:
Claim Name: Role
Namespace: https://aws.amazon.com/SAML/Attributes
Source attribute: arn:aws:iam::123456789:role/user/AWSRole/AWSRole,arn:aws:iam::123456789:saml-provider/AzurePOC
But in this case I only send the Role claim with 1 value to AWS. I need to send the Role claim as an array of attributes with all the group membership the user is assigned to, which either start with a constant or match a string. Ex:
Is there any way I can build this logic?
Thank you.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other
2,597 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator2023-11-14T14:35:55.0033333+00:00 Thank you for posting this in Microsoft Q&A.
I am looking into this issue and will get back to you post my research.
-
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
2023-11-15T06:20:31.0633333+00:00 The example that you have put in your question in empty.
Let's try to work on this issue offline.
Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:
Link to this thread/post
We can connect offline and discuss further on this.
-
Cristian Csiki 0 Reputation points
2023-11-15T07:59:21.6+00:00 Hi Sandeep,
Thank you for your reply.
Indeed, the XML content didn't save for some reason. I did send you an email to the indicated address and here is the missing XML code:
We are assessing the move our identity services to Azure and part of this move, we need to evaluate the support for all our SSO apps. I need to be able to send an array of values as an attribute, as the example below: <Attribute Name=https://aws.amazon.com/SAML/Attributes/Role NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <AttributeValue>arn:aws:iam:: 123456789:role/user/AWSRole1/ AWSRole1,arn:aws:iam:: 123456789:saml-provider/Idaptive</AttributeValue> <AttributeValue>arn:aws:iam:: 123456789:role/user/AWSRole2/ AWSRole2,arn:aws:iam:: 123456789:saml-provider/Idaptive</AttributeValue> <AttributeValue>arn:aws:iam:: 123456789:role/user/ AWSRole3/ AWSRole3,arn:aws:iam:: 123456789:saml-provider/Idaptive</AttributeValue> <AttributeValue>arn:aws:iam:: 123456789:role/user/ AWSRole4/AWSRole4,arn:aws:iam:: 123456789:saml-provider/Idaptive</AttributeValue> <AttributeValue>arn:aws:iam:: 123456789:role/user/ AWSRole5/AWSRole5,arn:aws:iam:: 123456789:saml-provider/Idaptive</AttributeValue> </Attribute>
Sign in to comment