/build/static/layout/Breadcrumb_cap_w.png

SAML with Azure article 316188 - Need all attributes

I have SAML setup according to Quest article 316188:

https://support.quest.com/kb/316188/how-to-use-saml-authentication-on-the-kace-sma-with-azure-as-the-idp

I have 2 issues:

  1. I cannot seem to find a list of all the SAML Claims that map to user properties other than those in the article.  For example, I want to populate Manager, Location and Work Phone from from Azure, but I can't find a list of claims to match the attributes.
  2. I am able to login with my Azure credentials, but when I do, my account is immediately converted back to default access of User Console.  I am assuming it is because on the SAML config I do not have any of the roles mapped.  I am also assuming I could make Administrator setup to be "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name = me@mydomain.com" but that would only give me Administrator access.  How do I assign Azure groups to the roles?



0 Comments   [ + ] Show comments

Answers (2)

Posted by: Logan5 2 years ago
White Belt
0

I do not know the answer to part 1, but do want to know.


I think that I can help you out a bit on part 2.


A.) In Kace SAML Settings, make sure that Role Mapping is set to:

Administrator:

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups     Equals    Azure AD Group Object ID   ex: f8aec919-b213-4bfe-8c07-423243f75887 (A group that you are a member of , like "IT Admins" or something.)


B.) In your Azure AD App registration:

"Token configuration" section

Add group claim

groups (this part gets fuzzy for me and I cannot recreate it without breaking mine)


I think that the Cloud Mobile Device Manager go into a piece needed for Kace SMA.

==========

Step 4: Configure identity provider to send group information

If you want to be able to automatically assign a KACE Cloud role to an Azure AD user that logs in using Single sign-on based on the user's group membership in Azure AD, you must configure the Azure AD enterprise application for KACE Cloud MDM to send information for values such as security group and distribution list membership.

To configure group information in Azure AD, you need modify the user attributes and claims of the enterprise application:

  1. Locate and open the KACE Cloud MDM enterprise application in Azure AD that you created in the previous steps, select Single Sign On configuration, and then in the User Attributes & Claims section of the page, click Edit to display details and settings.
  2. Click Add a group claim.

    sso-add-group-claim.png

  3. Select the groups that you want to include in the token.

    sso-group-claim-selection.png

    note.png

    IMPORTANT: In a previous step, if you limited which Azure AD users/groups are allowed to login to KACE Cloud MDM by setting the Assignment required to Yes, select the Groups assigned to the application option, to limit the amount of data included in the user's login token. This helps large organizations to avoid Azure AD truncating the group data from the login token by limiting the reported groups to only those that are assigned to this enterprise application.

  4. Click Save

==========

If this does not help, please open a ticket with Quest.  They helped me out.  Reference tech "Hector Jimenez" and Service Request # 5104305.  Hector was great and able to help me right out.


* I'd love to know the answer to questions 1 if/when you find it.  


Reference:

https://support.quest.com/kb/316188/how-to-use-saml-authentication-on-the-kace-sma-with-azure-as-the-idp

https://docs.kacecloud.com/Getting%20Started/u_SAML-AD.htm





Comments:
  • Thanks Logan,
    I was able to get the group assignment worked out for the user access. I was also able to get a couple of more attributes/claims definitions. So far I have:

    http://schemas.microsoft.com/identity/claims/objectidentifier (UID)
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (Login and Primary Email)
    http://schemas.microsoft.com/identity/claims/displayname (Name)
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname (Using a Custom 1)
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname (Using a Custom 1)

    I did call into Quest and asked if they have the SAML Claim info for the other attributes (Domain, Manager, Location, Work Phone, Home Phone, Mobile Phone) but the tech that called back said they did not know.

    I really do not understand why they would have all these options listed for input, but have zero information on how to get these attributes working. - JordanNolan 2 years ago
Posted by: JordanNolan 2 years ago
10th Degree Black Belt
0

After a lot of digging I was able to find this article on how to setup SAML as an Enterprise App:

https://support.quest.com/kb/334484/configuring-saml-authentication-with-azure-as-idp-enterprise-application

It is no more difficult than setting up SAML using App Registration so I am not even sure why they are bothering with KB316188.  Really, why would anyone want to use App Registration and be limited to only a few attributes when you can use Enterprise registration and have access to nearly all the attributes you need. 

Also, a bit annoyed with Quest because they did not guide me to Enterprise registration when I called in to support asking how I get the extra attributes.


Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ