Azure: SAML setup for groups

I'm currently in the process of setting up SAML for Azure Active Directory. Due to the amount of users in the environment, we are wanting to use groups to control this. At this point I have the Azure Application created and configured. I have also completed the SAML configuration within Orion.

If I have my test user added to the Azure Application Users and Groups, and have the individual SAML account added to Orion, I can successfully complete the SAML configuration test.

I have not been able to get it setup with groups at this time.

On the Azure front:
Group(s) have been added to "Users and Groups"
Under Attributes & Claims, I have added the claim OrionGroups and have that set with the value "user.groups"
User has been added to the group

On the Orion side,
Under Accounts, I have added the SAML group via the Group Name
Additionally, tried to add the SAML group via the Object ID

When running the test I receive the message:

User ID 'USERINFO' has not been matched to any SAML individual account or SAML group.

If I run the test with a user that is not in one of the Azure groups, I do receive the Microsoft unauthorized message.

Any thoughts?

Find more posts tagged with

Azure

saml

Accepted answers

SteveK

Looks like I figured out the issue.

Inside the SAML claim piece, I ended up deleting my original "OrionGroups" option.

I then selected "Add a group claim" instead of "Add new claim"

Which groups associated with the user should be returned in the caim: Groups assigned to the application

Source Attribute: Group ID

Advanced Options

Customize the name of the group claim: Enable/Check

Name (required): OrionGroups

When creating the SAML Group on the Orion side, the group name needs to be the group idea.

------
Additionally, I tested out 2 other approaches and both appear to work. The end result is you can supply the Azure Group name to SolarWinds instead of the Object ID.

The first approach was replacing the OrionGroups with a New Claim. I set it to conditional and linked each of my groups where the value is the display name. The main annoyance with this piece is you will need to add/remove the conditional items as groups are added/removed.

The other approach was utilizing the same group claim described above, but for the source attribute used "Cloud-only group display names (preview)".

All comments

acurrent

does individual account authentication work?

SteveK

Yes. I was able to add a user on the to both the Azure "Users/Groups" and add the SAML user via account name to Orion and received a successful test

SteveK

Looks like I figured out the issue.

Inside the SAML claim piece, I ended up deleting my original "OrionGroups" option.

I then selected "Add a group claim" instead of "Add new claim"

Which groups associated with the user should be returned in the caim: Groups assigned to the application

Source Attribute: Group ID

Advanced Options

Customize the name of the group claim: Enable/Check

Name (required): OrionGroups

When creating the SAML Group on the Orion side, the group name needs to be the group idea.

------
Additionally, I tested out 2 other approaches and both appear to work. The end result is you can supply the Azure Group name to SolarWinds instead of the Object ID.

The other approach was utilizing the same group claim described above, but for the source attribute used "Cloud-only group display names (preview)".