3
votes

I'm using SAML for login into my app, I would like to include the user groups in attributes in the login response assertion. I'm wondering if the login request should specify that the attribute is required, or if this is a configuration that needs to be done on the IDP in general, or in the IDP specifically for my service provider.

I've created an Identity Provider in OpenAM and have my own APP Service Provider configured in OpenAM as a remote SP as well. I've also created a user in OpenAM and assigned it to a group; however, I'm not seeing the group in the response assertion. Even when I tried to map the value in OpenAM manually, the memberOf attribute always returned empty. Any information will be highly appreciated.

Shay

1 Answer

2
votes

The best answer I have for you is that there is no good way to share group membership information in SAML2 assertions OOTB.

I would suggest implementing a custom attribute mapper and implementing the retrieval of group membership data there, but you will find that the DataStoreProvider interface does not expose group membership related operations, so you would need to directly use the AMIdentity/AMIdentityRepository API in your plugin.

When it comes to group memberships you have a couple of choices:

  • return the names of the groups
  • return the DN of the groups
  • return the Universal ID of the groups (universal IDs are OpenAM's internal unique IDs that are stored in DN format, but they are not the same as the group's DN in the directory server)

The first option would be my personal recommendation as that fits into OpenAM's abstract user data store concept.
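The custom attribute mapper the answer describes, as an added illustration that is not code from the answer's author or from the OpenAM project: it extends OpenAM's DefaultIDPAttributeMapper, keeps whatever the configured attribute map already produces, and appends one multi-valued attribute carrying the user's group names (the answer's recommended first option). Assumptions: the class and package names (`example.saml2`, `GroupNameIDPAttributeMapper`) and the attribute name `memberOf` are chosen here; that the session object handed to the mapper is an SSOToken, as in the OpenAM versions that use `IdUtils.getIdentity(SSOToken)`; and that `SAML2Exception` offers a `Throwable` constructor. Check those against the OpenAM release you deploy on.

```java
package example.saml2; // hypothetical package, chosen for this example

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper;

/**
 * IDP attribute mapper that adds the authenticated user's group names
 * to the SAML2 assertion. Group lookup goes through AMIdentity directly
 * because the DataStoreProvider interface used by the default mapper
 * has no membership operations (see the answer above).
 */
public class GroupNameIDPAttributeMapper extends DefaultIDPAttributeMapper {

    // Attribute name the SP will see; chosen for this example, not an OpenAM default.
    private static final String GROUP_ATTRIBUTE_NAME = "memberOf";

    @Override
    public List<Attribute> getAttributes(Object session, String hostEntityID,
            String remoteEntityID, String realm) throws SAML2Exception {

        // Keep the attributes produced by the normal attribute map configuration.
        List<Attribute> attributes = super.getAttributes(session, hostEntityID, remoteEntityID, realm);
        if (attributes == null) {
            attributes = new ArrayList<Attribute>();
        }

        try {
            // Assumption: the session object is the user's SSOToken.
            SSOToken token = (SSOToken) session;
            AMIdentity user = IdUtils.getIdentity(token);

            // Resolve the user's direct group memberships via the identity API,
            // not via DataStoreProvider, which cannot answer this question.
            Set<AMIdentity> groups = user.getMemberships(IdType.GROUP);
            List<String> groupNames = new ArrayList<String>();
            if (groups != null) {
                for (AMIdentity group : groups) {
                    // Option 1 from the answer: the group's name. group.getDN()
                    // or group.getUniversalId() would give options 2 and 3.
                    groupNames.add(group.getName());
                }
            }

            // Emit a single multi-valued attribute only when there is something to say,
            // so an SP never receives an empty memberOf it might misread as "no policy".
            if (!groupNames.isEmpty()) {
                Attribute groupAttr = AssertionFactory.getInstance().createAttribute();
                groupAttr.setName(GROUP_ATTRIBUTE_NAME);
                groupAttr.setAttributeValueString(groupNames);
                attributes.add(groupAttr);
            }
        } catch (SSOException e) {
            throw new SAML2Exception(e); // assumption: Throwable constructor exists
        } catch (IdRepoException e) {
            throw new SAML2Exception(e);
        }
        return attributes;
    }
}
```

To use it, package the class on OpenAM's classpath and set it as the IDP Attribute Mapper for the hosted IDP (in the IDP's Assertion Processing settings) instead of the default mapper. Because the mapper runs for every SP that federates with this IDP, consider checking `remoteEntityID` before adding the group attribute so that only the service providers that actually need group data receive it; the assertion is signed but its content is visible to the SP, and releasing the minimum set of attributes per SP is the least-privilege position.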