SMA with Azure SAML using SAML Groups
We are trying to setup Group mapping based on SAML 2.0 Authentication from Azure AD. I cannot see any documentation on this. This is a new feature recently added in 10.2.
I need to know what value the SMA is concerned about in the user and groups fields when using Azure SAML 2 (see attachment 1)
The Enterprise Application in Azure AD, has enabled groups claims. Therefore, a user groups memberships are included in the SAML Payload sent to the SMA Appliance.
I would like to know what value the SAML Group Field is expecting within the LOCAL Group Config. (see attachment 2 and 3
) we have tried sending group claims with the ID of the azure security group but it does not work. Thus the user does not get mapped to a local group and no bookmarks appear.
Comments
Please work with tech-support to submit a JIRA ticket for improving the documentation.
In SAML domain, there is a “Group Name” field, it will be used for assign group after login.
On Users > Groups, edit group for SAML domain, there is a “SAML groups” tab, you could set the value of the attribute, which is set in domain settings.
After login on IDP, some assert information will be returned in response, which will include the attribute, you set in domain settings for group, the value of this attribute will be used to match in all local saml groups.
There definitely needs to be documentation on this. I got it working but it took several days of trial and error.
I'd be happy to work with support to generate screenshots.
hi Lanman1,
Can you share how you got it configured?
For anyone else struggling with this like I was, you have to add an additional claim on the azure ad side for user.groups. Recommend customizing the claim name and then using that value for "Group Name" on the SonicWall SMA side. Below is an example of a config I got working.
You will use the ID of the Azure AD groups (xxxxx-xxxxx-xxxx-xxxx) instead of the group display name when adding them to Local Groups under the "SAML Groups" tab in Sonicwall SMA.