SAML Groups for MFA

Question

We are enabling MFA using SAML , we configuring idp as 'Pingidentity' our entreprise MFA tool,

Previously we had user role based access based on windows AD group. As we are moving now to SAML, we plan to pass the 'Oriongroups' information. but we are not sure, how we can pass the same AD group name, as part of response .

Any pointer or help is much appreciated.

sum_giais · Answer

Every IdP is different but every one I’ve integrated with, I just tell the teams managing them to send the OrionGroups claim with the users memberOf AD attribute. That way every SAML response has the users AD memberOf attribute (the groups they’re a member of). Specifically I only ask that the CN of the groups be sent, not the DN or the DOMAIN\format either... just my preference though.

Also interesting but in the advanced global config you can actually change that claims name SolarWinds expects in the SAML response (OrionGroups) to anything you like.

To clarify though... the OrionGroups claim basically is a property that the IdP is sending to SolarWinds so SolarWinds knows what groups this user attempting SAML auth is a part of. Commonly are tied to real AD groups but don’t need to be.

There’s also another nugget some folks overlook... use the test feature when configuring the SAML settings in SolarWinds... it allows you to see the request / response and errors as well (though not as verbose as the flat file log @christopher.t.jones123 mentioned but useful in realtime.

dhinagar_j · Answer

Thanks Chris, for the pointers, let me try the SAML log to see for what i have currently

christopher.t.jones123 · Answer

@dhinagar_j, if your identity provider is already synced with your AD you should be able to use the existing groups just added in SolarWinds as a SAML group instead of an AD group. The format for the group can be a little tricky, the UPN format has the most success groupname@domain.ddd, but I have seen in the past where the provider is actually passing them DOMAIN\groupname, whatever is defined in Solarwinds for access must match exactly. When you are testing access this log will save your life C:\ProgramData\SolarWinds\Logs\Orion\SAML.log, it is pretty verbose in its output so you'll see pretty useful error messages as to why there might be a problem, for me it was a great help because it will also display the groups that the user is a part of when testing access (super helpful when trying to determine whether or not you have the group name syntax correct for access).