Users successfully single signing onto WSS via SAML are not seeing any group information reported. Any policies applying to these groups will fail to trigger.
Comparison of attribute name in IDP assertion failed to match the attribute name configured on WSS
- SAML authentication enabled on WSS, with ADFS acting as SAML IDP server
- Users accessing WSS were correctly redirected to ADFS IDP server, which sent an assertion back to WSS after validating the users credentials
- SAML Assertion included the user information (Subject Name Identifier) as well as the users groups. The SAML AttributeStatement included the group names within the following attribute name
- This matches the attribute name defined in the WSS SAML configuration below - including case
Two possibilities exist:
1. Add the space character before the http scheme in the WSS SAML configuration so match found
2. Modify the ADFS server to send the SAML Group attribute without the extra character
Always get the HAR file (or SAML tracer) output with SAML issues
Look closely at the AttributeStatement that includes the group information and make sure the attribute name matches that configured character by character
In the above case, there was an extra space character inserted before the attribute name, causing the match to fail.