- Type: Bug
- Resolution: Not A Defect
- Priority: Minor
- Component/s: saml-plugin
We are using the SAML plugin to enable SSO with Active Directory:
securityRealm:
  saml:
    advancedConfiguration:
      forceAuthn: true
      spEntityId: "spn:<app-id>"
    binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    displayNameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    emailAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    groupsAttributeName: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    idpMetadataConfiguration:
      period: 1440
      url: "https://login.microsoftonline.com/<not-sure-if-this-needs-to-be-secret>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>"
    maximumAuthenticationLifetime: 86400
    usernameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    usernameCaseConversion: "lowercase"
We have a user that is part of many AD groups such that the SAML token upon authentication contains a URL to further retrieve the user's group list:
<Attribute Name="http://schemas.microsoft.com/claims/groups.link"><AttributeValue>https://graph.windows.net/<not-sure-if-this-needs-to-be-secret>/users/<id>/getMemberObjects</AttributeValue></Attribute>
But the plugin does not appear to properly retrieve the groups from the linked URL. Is this a bug, or am I missing something in the plugin configuration?
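The security-relevant consequence of the situation described in this issue is that a service provider which only reads the groups attribute will see an empty group list for an overage user, and any group-based authorization then runs on incomplete data. The following is an added example, not the saml-plugin's code or the reporter's: a small assertion parser that extracts group values and fails closed when the IdP has replaced the groups attribute with the groups.link attribute. The two assertions are constructed for illustration, and the tenant and user ids in them are placeholders.

```python
"""Added example (not part of the original issue or the saml-plugin):
extract group claims from a SAML assertion and fail closed when the IdP
emitted a groups.link attribute instead of the groups themselves."""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_ATTR = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample: the overage form quoted in the issue, with placeholder ids.
OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.windows.net/TENANT-ID-PLACEHOLDER/users/USER-ID-PLACEHOLDER/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the normal form, with group object ids carried inline.
NORMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class GroupOverageError(Exception):
    """Raised when the IdP deferred the group list to a link this code does not resolve."""


def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Map each SAML attribute Name to its list of string values.

    The assertion is assumed to have been signature-checked already; this
    function only reads attributes out of an already trusted document.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_ASSERTION_NS}
    result: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", ns):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", ns)]
        result.setdefault(name, []).extend(values)
    return result


def is_overage(assertion_xml: str) -> bool:
    """True when the assertion carries the groups.link overage attribute."""
    return GROUPS_LINK_ATTR in attribute_values(assertion_xml)


def groups_from_assertion(assertion_xml: str) -> list[str]:
    """Return the group ids in the assertion, failing closed on overage.

    When the IdP sends groups.link in place of the groups attribute, treating
    the result as "no groups" would let every group-based decision run on an
    incomplete list, so raise and let the caller deny or resolve out of band.
    """
    attrs = attribute_values(assertion_xml)
    if GROUPS_LINK_ATTR in attrs:
        raise GroupOverageError(
            f"groups omitted from assertion; IdP deferred them to {attrs[GROUPS_LINK_ATTR][0]}"
        )
    return attrs.get(GROUPS_ATTR, [])


if __name__ == "__main__":
    print(groups_from_assertion(NORMAL_ASSERTION))
    try:
        groups_from_assertion(OVERAGE_ASSERTION)
    except GroupOverageError as exc:
        print("refusing group-based authorization:", exc)
```

The point of `groups_from_assertion` raising rather than returning `[]` is that an overage user must not silently look like a user with no groups; whether the caller then denies access or resolves the membership through a separate, authenticated lookup is a policy decision, but it should be an explicit one.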