How to Send Groups Within a Claim for SAML SSO

Problem

You want to send Groups as a SAML claim for Single Sign-On.

Solution

Use either the 'Groups (CommonName Only)' or 'Groups(As SIDs)' value type in the claim editor within the Identity Provider Configuration Editor.

Requirements:

  • Determine whether the Groups should be sent using CommonName or SID

Steps:

  1. Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.

  2. Navigate to the SAML Websites tab and edit the Relying Party that needs a claim for Group information.

  3. Navigate to the Identity Claims tab.

  4. Click on the 'Create' button to create a new claim.

  5. Define a name for this claim in the 'Name' field (e.g. 'Groups').

    • This value will only be used as a reference point in the Identity Provider Configuration Editor and is NOT sent alongside the Claim during SSO.

  6. The 'Schema Type' corresponds to the attribute 'Name' value that the SP expects.

    • Oftentimes, the SP will require the claim to be sent with an attribute 'Name' formatted with 'urn...'

    • If you are unsure, click the 'Pre-defined Types' button and choose an option from the dropdown.

      • For Groups sent as CommonName, use 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

      • For Groups sent as SID, use 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'

  7. The 'Value Type' will be set to either 'Groups (CommonName Only)' or 'Groups(As SIDs)' depending on how the claim should be sent.

  8. You may use the Group Whitelist sub-tab to restrict the released groups to a defined subset.

    • By default, all groups that a user is a member of will be released within the claim unless a whitelist is defined here.

  9. Your final result should resemble the following if sending Groups as CommonName:

  10. Save the new claim.

  11. Save the Relying Party Configuration.

  12. From the main screen of the Identity Provider Configuration Editor, click the 'Apply to Identity Provider' button.

  13. Click the 'Sync' button.
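As an added example (not PortalGuard's own code), the Python below shows the two sides of what steps 6 and 8 configure: the IdP-side whitelist rule (release every group unless a whitelist is defined) and an SP-side parser that pulls group values out of an assertion by the claim 'Name', dropping malformed SIDs from the groupsid claim. The assertion XML, group names and SID are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUPSID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample: one <AttributeValue> per group under the claim Name
# chosen in step 6 (role for CommonName, groupsid for SIDs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid">
      <saml:AttributeValue>S-1-5-21-1004336348-1177238915-682003330-513</saml:AttributeValue>
      <saml:AttributeValue>not-a-sid</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def release_groups(member_of, whitelist=None):
    """IdP-side rule from step 8: release all of the user's groups unless a
    whitelist is defined, in which case only whitelisted groups are released."""
    if not whitelist:
        return list(member_of)
    allowed = {g.casefold() for g in whitelist}
    return [g for g in member_of if g.casefold() in allowed]


def extract_groups(assertion_xml, claim_name):
    """SP-side: collect the AttributeValues of the Attribute whose Name equals
    the claim's Schema Type (step 6). Returns [] when the claim is absent."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            return [(v.text or "").strip()
                    for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return []


def extract_group_sids(assertion_xml):
    """Same as extract_groups for the groupsid claim, but discard values that
    are not well-formed SIDs so they can never be matched against an ACL."""
    return [s for s in extract_groups(assertion_xml, GROUPSID_CLAIM) if SID_RE.match(s)]
```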