Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

SMA with Azure SAML using SAML Groups

DannyMedivetDannyMedivet Newbie ✭
in SSL VPN

We are trying to setup Group mapping based on SAML 2.0 Authentication from Azure AD. I cannot see any documentation on this. This is a new feature recently added in 10.2.

I need to know what value the SMA is concerned about in the user and groups fields when using Azure SAML 2 (see attachment 1)



The Enterprise Application in Azure AD, has enabled groups claims. Therefore, a user groups memberships are included in the SAML Payload sent to the SMA Appliance.

I would like to know what value the SAML Group Field is expecting within the LOCAL Group Config. (see attachment 2 and 3

) we have tried sending group claims with the ID of the azure security group but it does not work. Thus the user does not get mapped to a local group and no bookmarks appear.


attachment 1.jpg
attachment 2.jpg


attachment 3.png


Category: SSL VPN
Reply

Comments

  • AgasthiamaniSAgasthiamaniS Moderator

    Please work with tech-support to submit a JIRA ticket for improving the documentation.

    In SAML domain, there is a “Group Name” field, it will be used for assign group after login.

    Graphical user interface, application Description automatically generated


    On Users > Groups, edit group for SAML domain, there is a “SAML groups” tab, you could set the value of the attribute, which is set in domain settings.

    A picture containing table Description automatically generated


    After login on IDP, some assert information will be returned in response, which will include the attribute, you set in domain settings for group, the value of this attribute will be used to match in all local saml groups. 

  • Lanman1Lanman1 Newbie ✭
    edited January 2021

    There definitely needs to be documentation on this. I got it working but it took several days of trial and error.


    I'd be happy to work with support to generate screenshots.

  • tvdvaerdtvdvaerd Newbie ✭

    hi Lanman1,

    Can you share how you got it configured?

  • DrStardisDrStardis Newbie ✭
    edited December 2021

    For anyone else struggling with this like I was, you have to add an additional claim on the azure ad side for user.groups. Recommend customizing the claim name and then using that value for "Group Name" on the SonicWall SMA side. Below is an example of a config I got working.

    You will use the ID of the Azure AD groups (xxxxx-xxxxx-xxxx-xxxx) instead of the group display name when adding them to Local Groups under the "SAML Groups" tab in Sonicwall SMA.

    azuread.png
    sma.png


Sign In or Register to comment.