Azure AD SSO SAML

WHTA (Senthil A) 0 Reputation points
2024-05-18T17:03:09.4366667+00:00

We have 2 groups created in Azure AD SSO, and users are added to the groups. MEMBERS and ADMINS are the group names. We have created an application that uses Cognito as the service provider with Azure AD SSO as the identity provider. We would like to have the group name (MEMBERS/ADMINS) once the users are authenticated through Azure AD SSO. This is required in the application to provide entitlements based on the role of the user accessing the application. What SAML attributes need to be mapped in the Attributes & Claims part of Azure Single Sign-On?

Microsoft Entra ID

2 answers

  1. hossein jalilian 4,385 Reputation points
    2024-05-18T22:27:13.4733333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    You need to configure the "Attributes & Claims" section in the Azure AD application.

    1. In the Azure Active Directory admin center, navigate to the Enterprise Applications section and select your application. Under the Manage section, click on Single sign-on.
    2. Select the SAML option and click on the Edit button next to the User Attributes & Claims section.
    3. In the User Attributes & Claims section, you can add new claims to map the Azure AD group names. Click on Add new claim and select the claim type as Groups assigned to the user.
    4. For the Source attribute field, select the appropriate attribute that represents the group names in your Azure AD. This is typically the tokenGroups attribute. For the Source ID field, you can leave it blank or provide a custom value if required by your application.
    5. In the Namespace field, you can specify the namespace for the claim, if required by your application.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Sandeep G-MSFT 15,241 Reputation points Microsoft Employee
    2024-05-20T18:16:56.27+00:00

    @WHTA (Senthil A)

    Thank you for posting this in Microsoft Q&A.

    As I understand, you have an application which is configured with Azure AD for SSO. You are looking for Azure AD to send the names of the groups the authenticated user is part of.

    This can be achieved by configuring group claims in Azure AD for the application.

    You can follow the steps below for the same:

    • Log in to the Azure portal with Global admin credentials.
    • Now access "Microsoft Entra ID" on the left side of the page.
    • Access Manage >> App registrations and search for the application that you have configured for SSO.
    • Now click on Manage and click on "Token configuration".
    • On the right side, click on the "Add groups claim" option at the top.
    • Now you can select the option that you are looking for and get the claims in the output token.
    • Depending on what authentication protocol you have used to configure the application, you can select that option.


    You can also refer to the article below for more information.

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

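Both answers above describe the identity-provider side of the setup through the portal. The following is an added example, written for this page and not code from either answer, from Microsoft, or from Amazon Cognito. It shows what those clicks amount to and what the service provider then has to do with the result: `group_claim_patch_body()` builds the Microsoft Graph application body that corresponds to the Token configuration > Add groups claim dialog (`groupMembershipClaims` plus a `groups` entry under `optionalClaims.saml2Token`; sending the PATCH is left to the caller), and `extract_groups()` / `resolve_role()` / `entitle()` read the groups claim out of a SAML assertion and map it to an application role. Two points a practitioner will want that the answers do not spell out: by default Entra ID emits group object IDs, not names, in the groups claim (display names are available only for cloud-only groups when the claim is configured for them), so the role mapping is keyed on object IDs; and when a user belongs to more groups than the SAML limit, Entra omits the groups claim and emits a `groups.link` overage claim instead, which the code treats as a deny rather than silently granting no role. The group object IDs, the assertion XML, the `GROUP_ROLES` mapping and all function names are constructed for the example.

```python
"""Added example: Graph body for the groups claim, and SP-side consumption
of the resulting SAML attribute.  Object IDs and the assertion XML below are
constructed; no network calls are made."""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production

# Default claim name for "Groups assigned to the user" when no custom name or
# namespace is set, and the SAML overage claim Entra ID emits in its place.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def group_claim_patch_body(membership="SecurityGroup", emit_names=True):
    """Body for PATCH /applications/{id}, matching the Add groups claim dialog.
    membership: None, SecurityGroup, ApplicationGroup or All.  emit_names asks
    for cloud-only group display names; synced groups still arrive as IDs."""
    claim = {"name": "groups", "source": None, "essential": False,
             "additionalProperties": ["cloud_displayname"] if emit_names else []}
    return {"groupMembershipClaims": membership,
            "optionalClaims": {"idToken": [], "accessToken": [], "saml2Token": [claim]}}


def _attributes(assertion_xml):
    root = ET.fromstring(assertion_xml)
    return root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)


def has_group_overage(assertion_xml):
    """True when Entra omitted the groups claim and sent groups.link instead."""
    return any(a.get("Name") == OVERAGE_CLAIM for a in _attributes(assertion_xml))


def extract_groups(assertion_xml, claim_name=GROUPS_CLAIM):
    """All non-empty AttributeValue texts of the groups attribute, in order."""
    values = []
    for attr in _attributes(assertion_xml):
        if attr.get("Name") != claim_name:
            continue
        for v in attr.iterfind("saml:AttributeValue", NS):
            if v.text and v.text.strip():
                values.append(v.text.strip())
    return values


# Constructed mapping.  Object IDs are what Entra emits by default; the name
# entries only matter if the claim is configured for cloud-only display names.
GROUP_ROLES = {
    "11111111-1111-1111-1111-111111111111": "admin",   # ADMINS (constructed ID)
    "22222222-2222-2222-2222-222222222222": "member",  # MEMBERS (constructed ID)
    "ADMINS": "admin",
    "MEMBERS": "member",
}
ROLE_RANK = {"member": 1, "admin": 2}


def resolve_role(groups, mapping=GROUP_ROLES):
    """Highest-ranked role among known groups; unknown or no groups -> None."""
    roles = {mapping[g] for g in groups if g in mapping}
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def entitle(assertion_xml):
    """Role for an assertion.  Fails closed on overage: the caller must look
    membership up via Graph instead of treating a missing claim as 'no groups'."""
    if has_group_overage(assertion_xml):
        raise PermissionError("groups claim omitted (overage); resolve via Graph")
    return resolve_role(extract_groups(assertion_xml))


# Constructed assertion; Signature and Conditions are elided.  A real SP
# validates signature, audience and time window before reading attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-18T17:03:09Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with the groups claim renamed to the overage indicator.
OVERAGE_ASSERTION = SAMPLE_ASSERTION.replace(
    'Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"',
    'Name="http://schemas.microsoft.com/claims/groups.link"')
```

`entitle(SAMPLE_ASSERTION)` returns `"admin"` for a user in both groups, and `entitle(OVERAGE_ASSERTION)` raises instead of returning `None`, which is the difference between "no role" and "we do not know the role". If the claim is renamed in the Attributes & Claims blade (custom name or namespace), pass that name as `claim_name` and use the same string in the service provider's attribute mapping.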