SAML with Azure article 316188 - Need all attributes
I have SAML setup according to Quest article 316188:
I have 2 issues:
- I cannot seem to find a list of all the SAML Claims that map to user properties other than those in the article. For example, I want to populate Manager, Location and Work Phone from Azure, but I can't find a list of claims to match the attributes.
- I am able to login with my Azure credentials, but when I do, my account is immediately converted back to default access of User Console. I am assuming it is because on the SAML config I do not have any of the roles mapped. I am also assuming I could make Administrator setup to be "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name = me@mydomain.com" but that would only give me Administrator access. How do I assign Azure groups to the roles?
Answers (2)
I do not know the answer to part 1, but do want to know.
I think that I can help you out a bit on part 2.
A.) In Kace SAML Settings, make sure that Role Mapping is set to:
Administrator:
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups Equals Azure AD Group Object ID ex: f8aec919-b213-4bfe-8c07-423243f75887 (A group that you are a member of, like "IT Admins" or something.)
B.) In your Azure AD App registration:
"Token configuration" section
Add group claim
groups (this part gets fuzzy for me and I cannot recreate it without breaking mine)
I think that the Cloud Mobile Device Manager goes into a piece needed for Kace SMA.
==========
Step 4: Configure identity provider to send group information
If you want to be able to automatically assign a KACE Cloud role to an Azure AD user that logs in using Single sign-on based on the user's group membership in Azure AD, you must configure the Azure AD enterprise application for KACE Cloud MDM to send information for values such as security group and distribution list membership.
To configure group information in Azure AD, you need to modify the user attributes and claims of the enterprise application:
- Locate and open the KACE Cloud MDM enterprise application in Azure AD that you created in the previous steps, select Single Sign On configuration, and then in the User Attributes & Claims section of the page, click Edit to display details and settings.
- Click Add a group claim.
- Select the groups that you want to include in the token.
IMPORTANT: In a previous step, if you limited which Azure AD users/groups are allowed to login to KACE Cloud MDM by setting the Assignment required to Yes, select the Groups assigned to the application option, to limit the amount of data included in the user's login token. This helps large organizations to avoid Azure AD truncating the group data from the login token by limiting the reported groups to only those that are assigned to this enterprise application.
- Click Save
==========
If this does not help, please open a ticket with Quest. They helped me out. Reference tech "Hector Jimenez" and Service Request # 5104305. Hector was great and able to help me right out.
* I'd love to know the answer to question 1 if/when you find it.
Reference:
https://docs.kacecloud.com/Getting%20Started/u_SAML-AD.htm
Comments:
Thanks Logan,
I was able to get the group assignment worked out for the user access. I was also able to get a couple of more attributes/claims definitions. So far I have:
http://schemas.microsoft.com/identity/claims/objectidentifier (UID)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (Login and Primary Email)
http://schemas.microsoft.com/identity/claims/displayname (Name)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname (Using a Custom 1)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname (Using a Custom 1)
I did call into Quest and asked if they have the SAML Claim info for the other attributes (Domain, Manager, Location, Work Phone, Home Phone, Mobile Phone) but the tech that called back said they did not know.
I really do not understand why they would have all these options listed for input, but have zero information on how to get these attributes working. - JordanNolan 2 years ago
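The two working pieces in this thread are the claim-to-field list in the comment above and the "groups claim Equals group Object ID" role rule in the first answer. The script below is an added example, not KACE or Quest code, that shows what a service provider does with those pieces once the assertion arrives: it pulls the AttributeStatement out of a constructed SAML assertion, fills the user fields from the claim URIs listed above, and picks the role by exact match on the group Object ID, falling back to the default role when the groups claim is missing, which is the behaviour the original poster saw before roles were mapped. The assertion XML, the Object IDs, the e-mail address and the second role name are placeholders constructed for the example; it also assumes the assertion's XML signature was verified by the SAML library before any attribute is read.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URI -> user field, as listed in the comment above.
CLAIM_TO_FIELD = {
    "http://schemas.microsoft.com/identity/claims/objectidentifier": "uid",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "login",
    "http://schemas.microsoft.com/identity/claims/displayname": "name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "custom1",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "custom2",
}

# Group claim Azure AD emits once "Add a group claim" is configured.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Ordered (group Object ID, role) rules, most privileged first.  The Object
# IDs are placeholders constructed for this example; "Administrator" is the
# role from the answer above, the second role name is a placeholder.
ROLE_RULES = [
    ("11111111-1111-1111-1111-111111111111", "Administrator"),
    ("22222222-2222-2222-2222-222222222222", "PlaceholderReadOnlyRole"),
]
DEFAULT_ROLE = "User Console"

# Constructed sample assertion (attribute statement only, no signature).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>a1b2c3d4-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>me@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Example User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {claim URI: [values]} from the assertion's AttributeStatement.

    Assumes the XML signature was already verified; attributes of an
    unverified assertion must never reach this point.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_user_fields(attrs):
    """Fill the user record from the claim list; a missing claim becomes ''."""
    return {field: (attrs.get(uri) or [""])[0]
            for uri, field in CLAIM_TO_FIELD.items()}


def resolve_role(attrs):
    """Pick the role by exact, case-insensitive match on the group Object ID.

    No groups claim at all (group claim not configured, or the group list
    left out of the token for a very large membership) yields the default
    role rather than an error, which is why an unmapped login drops back
    to User Console.
    """
    groups = {g.lower() for g in attrs.get(GROUPS_CLAIM, [])}
    for group_id, role in ROLE_RULES:
        if group_id.lower() in groups:
            return role
    return DEFAULT_ROLE


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ASSERTION)
    print(map_user_fields(parsed))
    print("role:", resolve_role(parsed))
    print("role without groups claim:", resolve_role({}))
```

Matching on the group Object ID rather than the display name is deliberate: the ID is stable across renames and cannot be reused by a newly created group with the same name. Because a missing groups claim silently lands on the default role, a service provider that requires elevated access for certain users should log that fallback so a truncated or misconfigured group claim is noticed rather than mistaken for a deliberate demotion.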
After a lot of digging I was able to find this article on how to set up SAML as an Enterprise App:
It is no more difficult than setting up SAML using App Registration so I am not even sure why they are bothering with KB316188. Really, why would anyone want to use App Registration and be limited to only a few attributes when you can use Enterprise registration and have access to nearly all the attributes you need.
Also, a bit annoyed with Quest because they did not guide me to Enterprise registration when I called in to support asking how I get the extra attributes.