SAML Single Sign-OnSAML Single Sign-On
Try For Free

JIT and Azure AD: Sending Groups via SAML Attributes

Overview

In this article, you learn how to transmit groups from Azure AD during Just In Time Provisioning.

Since Azure AD only supports sending group IDs instead of group names, you also have to create a group transformation for each group.

Please note that there is a limit in Azure AD for only 150 groups to be sent as values in the attribute in the SAML response. If the number of groups the user is in goes over that limit (150 for SAML) then an overage claim will be added to the claim sources. The overage claim will be pointing at the Graph endpoint containing the list of groups for the user, which cannot be processed by the plugin in JIT.


The describes way has one disadvantage, because the attribute groups is a multi-value attribute. The first added value will be checked and the rest maybe not. That could lead to some misunderstanding. Please have a look at the section Alternative – Groovy Script to get another option.


Configure Azure AD for Transmitting Groups via SAML Attributes

With its default settings, Azure AD does not send group IDs for Just In Time Provisioning. To change this, navigate to the Enterprise Application you've created for your Atlassian instance in Azure AD:

Next, click on All Applications and search for the Enterprise Application you have created for the SAML SSO Data Center app and click on its name:

enterprise_app
enterprise_app

Once opened, click on Single sign-on and then the pencil 'Edit' icon beside User Attributes & Claims

add_group_claim
add_group_claim

Click on the '+' icon beside Add a group claim

add_a_group_claim
add_a_group_claim

And change the settings to All groups and save your settings.


all_groups
all_groups


CleanShot 2021-04-27 at 13.19.40@2x.png

Now, Azure AD will send the group IDs of a user when logging in.

These you need to convert into the human-readable name by using group transformation rules for each. This is described in the next chapter as part of the SAML SSO plugin configuration.

Configure the SAML SSO Data Center app for JIT with Azure AD

Scroll down in the SAML Single Sign On Configuration → Identity Providers to access the User Creation and UpdateAttribute Mapping.

Click Map to map the corresponding attribute (Groups).

attribute_mapping_groups
attribute_mapping_groups

Use http://schemas.microsoft.com/ws/2008/06/identity/claims/groups as Source Attribute Name and click Apply to add the new attribute mapping.

source_attribute_name_group
source_attribute_name_group

Depending on your Atlassian Data Center or Server product, it is a good idea to set (default) user group(s) for new users, such as jira-users for Jira or confluence-users for Confluence. Without assigning new users to the product specific group, they are not able to use your Atlassian product. 

Please go to SAML Single Sign On Configuration → Identity Providers to access the User Creation and UpdateGroup Setting.

  1. Add (default) user group(s) for new users

  2. Create groups automatically which do not exist in your Atlassian product by enabling 'Create groups if they do not exist'

group_setting
group_setting

Also, feel free to activate any option which suits your needs. 

Group Transformation

Since Azure AD only transfers group IDs and not group names, group transformations must be created for each group ID.

Scroll up in the configuration to Attribute Mapping and click Edit to create a transformation (Regular Expression) for groups.

transform_edit
transform_edit

Next, to enable ‘Regular Expression’ we need to add a 'Regex and Replacement Option'.

enable_regex
enable_regex

In our example, we will replace the Group object ID ‘83207436-b6ef-4c32-ba88-91d0ff954d4f’ with the group name ‘aaa-test’. If required, you can test your replacement via 'Regex Replacement Tester'.

regex_example
regex_example

After all transformations have been added, the window can be closed 'Close'. You need to click 'Apply' to save your regex and replacement rule.

apply_transformation
apply_transformation

Now it is time to save your whole SAML Single Sign-On configuration, please click 'Save'

save_settings
save_settings

Where can I find the group ID?

To create a transformation for a group ID to a name, you require the group ID.  The ID of a group can be found in Azure AD on the page of the group. Just copy the Object ID.

azure_object_id
azure_object_id

Alternative – Groovy Script

We will add a Custom Groovy Code to the groups attribute (Attribute Mapping). With this approach, all added values will be checked even if one value does not exist in the IdP SAML response.

attribute_groups
attribute_groups
groovy_script
groovy_script

Groovy Script (Example)

Depending on your setup, you need to add your groups you want to transform to the dict variable:

"<group-id>":"group-name"

Example:

"83207436-b6ef-4c32-ba88-91d0ff954d4f":"aaa-test", 

  1. def groups = mapping."http://schemas.microsoft.com/ws/2008/06/identity/claims/groups".asStringList() ?: []
  2. def dict = [
  3.    "83207436-b6ef-4c32-ba88-91d0ff954d4f":"aaa-test",
  4. "<group-id>":"group-name"
  5. ]
  6. groups
  7. .collect(grp -> dict[grp])
  8. .findAll { it != null }


This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other