
SAML SSO login works good but Roles/Teams Mapping does not work

Publication date: Mar 2, 2024
Resolution

SYMPTOM

After setting up the SAML SSO between Anypoint Platform and IDP, the login is working, however, logged-in users are not getting mapped to the associated roles or teams.

CAUSE

The "Group Attribute" of the Identity Provider or the "Group Name" of the External IdP Groups may not be set correctly.

SOLUTION

1. Capture the SAMLResponse while performing the SSO login (see "How to view a SAML Response in the browser" for how to get it). The decoded XML will look similar to the following samples.
Azure sample
<AttributeStatement>
    ...
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <AttributeValue>27c34fe9-bd9b-4344-942a-648b1b418fcc</AttributeValue>
        <AttributeValue>c8215956-67a4-4017-8153-xxxx</AttributeValue>
    </Attribute>
    ...
</AttributeStatement>
OKTA sample
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            ...
            <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Everyone</saml2:AttributeValue>
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AnypointSSO</saml2:AttributeValue>
            </saml2:Attribute>
            ...
</saml2:AttributeStatement>

2. Make sure the value of "Group Attribute" is exactly the same as the "Name" of the group attribute in the SAMLResponse.
Azure sample: [screenshot]
OKTA sample: [screenshot]
3. Make sure each "Group name" in "External Idp Groups" is exactly the same as an "AttributeValue" in the SAMLResponse.
※1: Azure passes the groupId instead of the groupName, so the "Group name" must be the group ID.
※2: Double-check that no spaces have been appended before or after the value.
[screenshot]
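The three checks above can be automated against a captured SAMLResponse. The following script is an added example and is not part of the original article or of Anypoint Platform: it base64-decodes the SAMLResponse, collects every SAML Attribute regardless of namespace prefix (Azure and Okta differ, as the samples show), and compares the configured "Group Attribute" name and "External Idp Groups" names against what the IdP actually sent, reporting values that differ only by surrounding whitespace (※2) and values that look like Azure group object IDs rather than names (※1). The two embedded assertions are constructed samples modelled on the article's snippets; the function names and the report layout are the example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed Okta-style response: note the trailing space in the second group value,
# which is exactly the kind of mismatch note ※2 warns about.
CONSTRUCTED_OKTA_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="groups"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>Everyone</saml2:AttributeValue>
        <saml2:AttributeValue>AnypointSSO </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""

# Constructed Azure-style response: the group claim carries object IDs, not names (※1).
CONSTRUCTED_AZURE_XML = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
  <a:Assertion>
    <a:AttributeStatement>
      <a:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <a:AttributeValue>27c34fe9-bd9b-4344-942a-648b1b418fcc</a:AttributeValue>
      </a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</Response>"""

# What the browser actually posts is the base64 form; encode the samples the same way.
CONSTRUCTED_OKTA_SAMLRESPONSE = base64.b64encode(CONSTRUCTED_OKTA_XML.encode()).decode()
CONSTRUCTED_AZURE_SAMLRESPONSE = base64.b64encode(CONSTRUCTED_AZURE_XML.encode()).decode()

AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}")[-1]


def extract_attributes(root: ET.Element) -> dict:
    """Return {Attribute Name: [AttributeValue texts]} for every SAML Attribute,
    matching on local names so Azure (default namespace) and Okta (saml2:) both work."""
    attrs = {}
    for elem in root.iter():
        if local_name(elem.tag) != "Attribute":
            continue
        values = [(v.text or "") for v in elem if local_name(v.tag) == "AttributeValue"]
        attrs.setdefault(elem.get("Name"), []).extend(values)
    return attrs


def check_group_mapping(saml_response_b64: str, group_attribute: str, external_group_names: list) -> dict:
    """Compare the Anypoint configuration (Group Attribute + External Idp Group names)
    against the groups the IdP actually sent in the SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = extract_attributes(root)
    report = {
        "attribute_found": group_attribute in attrs,   # check 2: Group Attribute == Attribute Name
        "matched": [],
        "whitespace_only_mismatch": [],                 # ※2: differs only by leading/trailing spaces
        "unmatched": [],
        "values_look_like_object_ids": False,           # ※1: Azure sends groupId, not groupName
    }
    if not report["attribute_found"]:
        # Tell the operator which attribute names were sent so the setting can be corrected.
        report["available_attributes"] = sorted(attrs)
        return report
    sent = attrs[group_attribute]
    stripped_sent = {v.strip() for v in sent}
    for name in external_group_names:                   # check 3: Group name == AttributeValue
        if name in sent:
            report["matched"].append(name)
        elif name.strip() in stripped_sent:
            report["whitespace_only_mismatch"].append(name)
        else:
            report["unmatched"].append(name)
    report["values_look_like_object_ids"] = bool(sent) and all(GUID_RE.match(v.strip()) for v in sent)
    return report


if __name__ == "__main__":
    print(check_group_mapping(CONSTRUCTED_OKTA_SAMLRESPONSE, "groups", ["Everyone", "AnypointSSO"]))
    print(check_group_mapping(CONSTRUCTED_AZURE_SAMLRESPONSE, AZURE_GROUPS_CLAIM, ["Anypoint Admins"]))
```

Run it against the real SAMLResponse captured in step 1 (paste the base64 string from the POST body or HAR file) with the "Group Attribute" and "Group name" values copied from the Anypoint configuration; an `attribute_found` of False, a non-empty `whitespace_only_mismatch`, or `values_look_like_object_ids` True with human-readable names configured each point directly at one of the three checks above.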

References

Map Single Sign-On Users to Roles or Teams
How to Extract SAML Assertion XML From HAR File
Anypoint Platform Single Sign-On (SSO) using SAML Troubleshooting Guide
Multiple Group/Role Mapping Doesn't Work in SAML SSO
Knowledge Article Number

001120306
