Configuring SAML SSO for Azure
When using SAML SSO with Azure as the provider, some additional configuration is required to read the groups and map roles.
When groups are pulled from Azure Active Directory SSO and more than five groups are assigned to a user, Azure returns the group claim as a link rather than as the list of groups:
<Attribute Name="http://schemas.microsoft.com/claims/groups.link">
Note: See https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens for more information about SAML security tokens.
Note: For customers who have set up and configured the application to return only groups that are present in the SSO application, this issue does not apply.
When Azure SSO sends a groups.link assertion, the application tries to resolve the groups via the link. To activate the link, you must configure the SAML_GROUPS_LINK_PROP property.
Steps
- Add the following property to your owl-env.sh file:
  Property: SAML_GROUPS_LINK_PROP
  Description: Set this property to the name of the group link claim (the Name value of the Attribute shown above, http://schemas.microsoft.com/claims/groups.link).
  Go to SAML Authentication for more information about configuring SAML authentication properties.
- Obtain a client key from Azure and configure both the AZURE_CLIENT_SECRET and AZURE_CLIENT_ID properties, using the following documentation:
  Note: You must also ensure that the application has the MS Graph API application permission Directory.Read.All (an application permission, not a delegated one).
  Note: In the IdP setup in Azure, verify that the Sign-on URL is not populated.
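The following is an added example, not code from the original page or from the product it documents, showing how an application can tell the inline groups claim apart from the groups.link overage claim and resolve the latter through an injected lookup (standing in for the MS Graph call made with AZURE_CLIENT_ID / AZURE_CLIENT_SECRET). The assertion fragments, the fake_graph function and its URL are constructed; the inline groups claim name is the standard Azure AD SAML groups claim.

```python
# Added example (not from the original page): parse the AttributeStatement of a
# SAML assertion and distinguish the inline groups claim from the groups.link
# overage claim Azure emits when a user belongs to too many groups.
import xml.etree.ElementTree as ET  # production code should use a hardened XML parser

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Value that would be set for SAML_GROUPS_LINK_PROP in owl-env.sh
SAML_GROUPS_LINK_PROP = "http://schemas.microsoft.com/claims/groups.link"


def saml_attributes(assertion_xml: str) -> dict:
    """Return {claim name: [values]} for every <saml:Attribute> in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_groups(assertion_xml: str, fetch_via_link) -> list:
    """Groups for the user: inline if present, otherwise resolved via the link claim.

    fetch_via_link(url) is injected so the example runs offline; in the real
    application this is the Graph lookup authenticated with the client credentials.
    """
    attrs = saml_attributes(assertion_xml)
    if GROUPS_CLAIM in attrs:
        return attrs[GROUPS_CLAIM]
    links = attrs.get(SAML_GROUPS_LINK_PROP, [])
    if not links:
        return []  # assertion carries no group information at all
    return fetch_via_link(links[0])


# Constructed assertions: one with inline groups, one with only the overage link.
INLINE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement><saml:Attribute Name="%s">
    <saml:AttributeValue>dq-admins</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>""" % GROUPS_CLAIM
LINK_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement><saml:Attribute Name="%s">
    <saml:AttributeValue>https://graph.example.invalid/users/u1/getMemberObjects</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>""" % SAML_GROUPS_LINK_PROP


def fake_graph(url: str) -> list:
    # Stand-in for the MS Graph lookup; constructed data, not a real tenant.
    return ["dq-admins", "dq-viewers"] if url.endswith("getMemberObjects") else []
```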