2
votes

I have added a custom application to our Active Directory per the MS guide here.

How can I customise the claims provided in the SAML token to provide the security groups of the authenticated user? This article makes no mention of groups: https://azure.microsoft.com/en-us/documentation/articles/active-directory-saml-claims-customization/

I know normally for an Azure application in AD I can alter the manifest to get it to return the security groups. However, I have no experience with the SAML version. We have a very limited number of groups we care about, so even a boolean flag of InGroupA would work.

I am using Kentor AuthServices and that part is working fine, but it has no claim for groups. I have attempted to make it require the attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, however it still logs me in without the token containing this claim.

Any ideas?

1
Can you check this article? dushyantgill.com/blog/2014/12/10/… - Zeigeist

Yeah - I had read that. Custom Application added via Gallery doesn't offer the ability to allow me to edit the manifest, so I don't seem to be able to make it return group claims this way. SAML token never contains groups. - GraemeMiller

1 Answer

1
votes

This is possible, however you need to do it via the REST API.

Find the application via its objectId.

Update the property groupMembershipClaims to the value All.

You can also use this PowerShell script.

Using the script here I loaded the needed libraries and then ran the following commands:

Connect-AAD   # sign in with the tenant Global Admin credentials
Execute-AADQuery -Base "applications" -HTTPVerb Get   # list applications to find the objectId
Execute-AADQuery -Base "applications/<GUID>" -HTTPVerb Patch -Data (New-Object -TypeName PsObject -Property @{"groupMembershipClaims"="All"})
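The same two steps (look the application object up, then PATCH groupMembershipClaims and read it back) done directly with Invoke-RestMethod against the Microsoft Graph REST API, as an added example that is not the answer's own script. It assumes $AccessToken already holds a bearer token for https://graph.microsoft.com with the Application.ReadWrite.All permission, and the application display name in the usage lines is a placeholder.

```powershell
# Added example (not the answer's script): set groupMembershipClaims on an
# Azure AD application object via Microsoft Graph and verify the result.
# Assumption: $AccessToken is a Graph bearer token with Application.ReadWrite.All.

function Get-AadApplicationByName {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    # Double any single quote so an unusual display name cannot break the OData filter
    $safeName = $DisplayName -replace "'", "''"
    $uri = "https://graph.microsoft.com/v1.0/applications?`$filter=displayName eq '$safeName'" +
           "&`$select=id,appId,displayName,groupMembershipClaims"
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    # Refuse to guess when the name is ambiguous: the PATCH below targets one object id
    if (@($result.value).Count -ne 1) {
        throw "Expected exactly one application named '$DisplayName', found $(@($result.value).Count)"
    }
    return $result.value[0]
}

function Set-AadGroupMembershipClaims {
    param(
        [Parameter(Mandatory)][string]$ObjectId,      # the application *object* id, not the appId
        [Parameter(Mandatory)][string]$AccessToken,
        [ValidateSet('None', 'SecurityGroup', 'All')][string]$Value = 'SecurityGroup'
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = "https://graph.microsoft.com/v1.0/applications/$ObjectId"
    $body = @{ groupMembershipClaims = $Value } | ConvertTo-Json
    # A successful PATCH returns 204 No Content, so there is nothing to capture here
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -ContentType 'application/json' -Body $body | Out-Null
    # Read the object back so the change is verified rather than assumed
    $after = Invoke-RestMethod -Method Get -Uri "${uri}?`$select=id,displayName,groupMembershipClaims" -Headers $headers
    if ($after.groupMembershipClaims -ne $Value) {
        throw "groupMembershipClaims is '$($after.groupMembershipClaims)', expected '$Value'"
    }
    return $after
}

# Usage (display name is a placeholder):
# $app = Get-AadApplicationByName -DisplayName 'My SAML App' -AccessToken $AccessToken
# Set-AadGroupMembershipClaims -ObjectId $app.id -AccessToken $AccessToken -Value 'SecurityGroup'
```

The answer uses the value All; the function above defaults to SecurityGroup because All also emits distribution groups and directory roles, and when only a handful of security groups matter the narrower value keeps the token smaller and discloses less. Note that the resulting groups claim carries group object ids rather than names, so the application side (Kentor AuthServices in the question) needs to compare against those ids.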