SAML Assertions in role mapping


We've recently configured an SA running 8.0R5 as a service provider with a Microsoft ADFS server on Server 2012 as the IdP. We can authenticate fine and the POST is all working. We are now trying to take this a stage further and use the claims returned in the assertion to state which services the users are permitted to access. These are essentially created by the ADFS server based on the users' AD group membership. However, a policy trace on the SA shows them returned as:

userAttr..http://schemas.xmlsoap.org/claims/Group = "Group1 Group2"

samlMultiValAttr.http://schemas.xmlsoap.org/claims/Group = "Group1", "Group2"

userAttr..http://schemas.microsoft.com/ws/2008/06/identity/claims/role = "Group1 Group2"

samlMultiValAttr.http://schemas.microsoft.com/ws/2008/06/identity/claims/role = "Group1", "Group2"

We have tried using this in a custom expression but can't, due to the http://schemas.xmlsoap.org in the variable name. Any suggestions on how to use the groups returned in SAML to control access?


Re: SAML Assertions in role mapping

Using version 9.0R1.01, I found I'm able to use a backslash to escape the dots in the namespace. I also found that samlMultiValAttr is not present if there is only one element in the list, so you have to account for both cases:

  • Match if there is exactly one role, and it's named "Role1":
    userAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1'
  • Match if there are multiple roles, and at least one of them is "Role1":
    samlMultiValAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1'

My resulting expression to match if any of the roles is "Role1":

userAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1' OR
samlMultiValAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1'
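The following is an added example, not code from the thread above or from the SA/ADFS products. It models, in Python, the two views of a SAML attribute that the policy trace shows (userAttr.<name> as the values joined with a space, samlMultiValAttr.<name> as a list that only exists when there are two or more values), evaluates the reply's two-clause rule against a constructed assertion, and builds the escaped custom-expression text for any claim URI. The assertion fragment is constructed for the example; the names extract_attributes, policy_trace_view, has_role, naive_has_role and custom_expression are this example's own.

```python
"""
Role mapping from SAML AttributeStatement values, modelled after the
policy-trace output and the custom expression discussed in the thread.
Added example; the single-value / multi-value behaviour is an assumption
taken from the reply, not a statement of how the product is implemented.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (no Signature or Conditions; only the
# AttributeStatement matters for role mapping). Not captured from ADFS.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>Group1</saml:AttributeValue>
      <saml:AttributeValue>Group2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ROLE_CLAIM}">
      <saml:AttributeValue>Role1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {attribute Name: [AttributeValue text, ...]}."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def policy_trace_view(attrs):
    """Model the variables the policy trace shows for each attribute:
    userAttr.<name> always (values joined with a space), and
    samlMultiValAttr.<name> only when there are two or more values
    (assumed from the reply above)."""
    view = {}
    for name, values in attrs.items():
        view[f"userAttr.{name}"] = " ".join(values)
        if len(values) > 1:
            view[f"samlMultiValAttr.{name}"] = list(values)
    return view


def has_role(attrs, claim, wanted):
    """Equivalent of the reply's rule:
    userAttr.{claim} = 'wanted' OR samlMultiValAttr.{claim} = 'wanted'.
    Exact match on the single value, or membership in the multi-value list."""
    view = policy_trace_view(attrs)
    single = view.get(f"userAttr.{claim}")
    multi = view.get(f"samlMultiValAttr.{claim}", [])
    return single == wanted or wanted in multi


def naive_has_role(attrs, claim, wanted):
    """What splitting the space-joined userAttr string does: ambiguous as
    soon as a group or role name itself contains a space."""
    joined = policy_trace_view(attrs).get(f"userAttr.{claim}", "")
    return wanted in joined.split(" ")


def escape_claim(claim):
    """Escape the dots in a claim URI for use inside {...} in a custom
    expression, as the reply describes."""
    return claim.replace(".", r"\.")


def custom_expression(claim, wanted):
    """Build the reply's two-clause expression for an arbitrary claim URI."""
    c = escape_claim(claim)
    return (f"userAttr.{{{c}}} = '{wanted}' OR\n"
            f"samlMultiValAttr.{{{c}}} = '{wanted}'")


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    for k, v in policy_trace_view(attrs).items():
        print(f"{k} = {v!r}")
    print("Group2 via multi-value:", has_role(attrs, GROUP_CLAIM, "Group2"))
    print("Role1 via single value:", has_role(attrs, ROLE_CLAIM, "Role1"))
    print(custom_expression(ROLE_CLAIM, "Role1"))
```

Two things to check when testing such a rule: feed it an assertion with one value and one with several, because (per the reply) samlMultiValAttr only appears in the second case; and match on the exact value rather than splitting the space-joined userAttr string, since a name like "Domain Admins" would otherwise satisfy a rule looking for "Admins".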