How to setup Microsoft Azure/Entra to only send SAML assertion with groups included in application and not all user groups
Article ID: 377713
Products
Cloud Secure Web Gateway - Cloud SWG
Issue/Introduction
Cloud SWG was integrated with Azure for user management and authentication, following the Cloud SWG documentation.
Microsoft Entra/Azure was set up with Azure/Entra AD Connect, so that the hybrid option of cloud-native groups and AD-synchronised groups could be used.
With this setup enabled, the SAML IdP assertion included all groups the user was a member of, rather than only the groups included in the application setup. Is there a way to send only the groups that are included in the application, rather than all of the user's groups?
The Cloud SWG admin does not want to send all groups to the cloud for security reasons, especially groups that are not used in Cloud SWG policy.
Environment
Microsoft Entra.
Microsoft Azure.
Cloud SWG.
SAML authentication.
Cause
Best practice.
Resolution
Configure the Groups attribute (group claim) in the Azure/Entra portal with the group value that was configured previously in Azure AD.
Log in to the Azure AD portal.
Select Enterprise Applications -> the application that was created for Cloud SWG.
Go to 'Single sign-on' settings -> Attributes & Claims.
Add a group claim.
If the client has a free Azure AD license, the only option is to sync on-prem groups. Configure the following options:
If the client has a paid Azure AD subscription, the hybrid option of cloud-native groups and AD-synced groups can be used. Configure the following options:
Make sure the Cloud SWG SAML settings parse the right group information from the assertion by adding the following default group attribute name. Note that if the admin changes the default group name/schema on the Entra AD side, the corresponding group name must be entered below.
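To confirm the change took effect, an admin can capture a test assertion and check that the group claim carries only the groups assigned to the Cloud SWG application. The script below is an added example, not part of this article or of Cloud SWG; the assertion and group object IDs are constructed placeholders, and the claim name is Entra ID's default group claim name (pass a different name if the claim was renamed).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entra ID's default group claim name; if the admin renamed the claim, pass the new name.
DEFAULT_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion (not a real capture); the group object IDs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-00000000000a</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-00000000000b</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-00000000000c</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Placeholder: the groups actually assigned to the Cloud SWG enterprise application.
APP_ASSIGNED_GROUPS = {
    "00000000-0000-0000-0000-00000000000a",
    "00000000-0000-0000-0000-00000000000b",
}


def extract_groups(assertion_xml, claim_name=DEFAULT_GROUP_CLAIM):
    """Return the group values carried by the named attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                groups.append((value.text or "").strip())
    return groups


def check_group_scope(assertion_xml, app_groups, claim_name=DEFAULT_GROUP_CLAIM):
    """Report whether the assertion carries only groups assigned to the application.

    'claim_present' is False when no values were found under claim_name, which is
    what Cloud SWG sees if the claim was renamed on the Entra side but not in Cloud SWG.
    """
    sent = extract_groups(assertion_xml, claim_name)
    extra = sorted(set(sent) - set(app_groups))
    return {"claim_present": bool(sent), "groups": sent, "extra": extra,
            "ok": bool(sent) and not extra}


if __name__ == "__main__":
    # With the sample, group ...c is reported as extra: the IdP is still sending all groups.
    print(check_group_scope(SAMPLE_ASSERTION, APP_ASSIGNED_GROUPS))
```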