
How to Guide – Easy group/role mapping between SCP and AD-FS

Introduction

There are quite a few blog articles that explain how to use AD-FS as an identity provider for SAP Cloud Platform.

A great example of this is the blog article by my colleague Michael Van Cutsem.

The topic I want to cover here is how you can re-use the groups/roles that are defined in AD-FS to map users to groups inside SCP.

Basic example

The basic case is also covered quite frequently already. If you have, for example, an SCP group for MANAGERS and one for EMPLOYEES, you can just create a claim rule in AD-FS that returns whether a user is an EMPLOYEE or a MANAGER as a SAML2 attribute.

This has the disadvantage that each time you want to re-work the group structure you need to modify the claim rule inside AD-FS. Since AD-FS is most likely managed by a different team within your organisation, this is most often not a quick change.

Fetch all groups in one attribute

A more generic way is to fetch all groups/roles that a user is a member of from AD-FS in one go. The filtering can then be performed on the SCP side.

The claim rule to get this information is:

Assertion-based groups with Regular Expressions

Once this claim rule is configured, you can now implement the required groups and filters on SCP side.

For this go to your SCP sub-account, then go to Trust -> your AD-FS IDP.

Now select the Groups tab and go to assertion-based groups to set up the required group mappings using regular expressions.

This technique might make your life in maintaining your SCP groups a bit easier.

Diether De Coninck

SAP Senior Mobile/UX consultant


2 Comments


  1. Phil Cooley

    Thanks Diether De Coninck, appreciate that. The mapping rules, though, are cut off in your screenshot. Are you able to update with the mapping rule values you have there?

    Assuming it would be something like ….2008/06/identity/claims/role ?

    Would also be good to understand if you need to include the Windowsaccountname attribute in the overall set up and also a reference to where the Issuer value would be.

    In the past I’ve actually passed through the group claim http://schemas.xmlsoap.org/claims/Group but not clear on what the settings should be when the user is assigned to 20 groups but we are only interested in one of them. From the documentation it looks like ‘/’ as well as ‘*’ can be used but use of them is not explained anywhere I have seen. Any more info on this would be great as well.

  2. Diether De Coninck
    Post author

    Hi Phil,

    The attribute name you use inside the claim rule can be freely chosen, but I prefer to reference Microsoft's list to pick a name. In this case I have chosen http://schemas.microsoft.com/ws/2008/06/identity/claims/role, as you can see in the claim rule configuration, so that is the attribute name that you need to fill in the second of the 4 fields.

    The 4 fields are:

    • SCP Group: example MANAGER
    • SAML2 attribute: as specified in the claim rule, example http://schemas.microsoft.com/ws/2008/06/identity/claims/role
    • equals or regular expression: in the example I use regular expression, since the SAML2 attribute contains all groups that the user is part of, so I need to do pattern matching.
    • value: the value you search for in the attribute.

    The values to use in the regular expression will take a bit of trial and error indeed. I found that for a simple match, i.e. the attribute string contains the value you search for, putting the value will be enough.

    I suggest you use a Chrome plugin like the SAML DevTools extension to first see what is actually returned in the attribute by AD-FS, and then use that together with a regex tool to find the right regular expression.

    Hope this clarifies things for you.

    Diether

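The mapping logic that the "Assertion-based groups with Regular Expressions" section and the author's reply above describe, as an added Python example that is not part of the original post and not SAP Cloud Platform's own code: it models the four mapping fields and evaluates them against a constructed SAML2 assertion. The attribute name is the one from the reply; the user names, group names and the assumption that "regular expression" means an unanchored search over each attribute value (the "attribute contains the value" behaviour the author describes) are mine. The point it shows is that an unanchored pattern such as MANAGER also grants the SCP group to a user whose group name merely contains that word, while an anchored pattern or the "equals" operator does not.

```python
import re
from dataclasses import dataclass

# Attribute name the post's author uses in the AD-FS claim rule.
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample assertions (not captured from a real AD-FS): a dict of
# attribute name -> list of values. The role attribute is multi-valued and
# carries one value per AD group the user belongs to.
ASSISTANT_USER = {
    NAME_ATTR: ["alice@example.test"],
    ROLE_ATTR: ["EMPLOYEES", "MANAGER_ASSISTANTS", "VPN_USERS"],
}
MANAGER_USER = {
    NAME_ATTR: ["bob@example.test"],
    ROLE_ATTR: ["EMPLOYEES", "SALES_MANAGER", "VPN_USERS"],
}


@dataclass(frozen=True)
class GroupMapping:
    """One row of SCP's assertion-based group mapping (the four fields)."""
    scp_group: str       # field 1: the SCP group to assign
    saml_attribute: str  # field 2: the SAML2 attribute to inspect
    operator: str        # field 3: "equals" or "regex"
    value: str           # field 4: literal value or regular expression


def evaluate_mappings(assertion, mappings):
    """Return {scp_group: sorted attribute values that triggered it}.

    Assumption (mine, not documented SCP behaviour): "regex" is an
    unanchored search, so the pattern only has to occur somewhere in a
    value. An anchored pattern behaves identically under full-match
    semantics, which is why anchoring is the safe choice either way.
    """
    granted = {}
    for m in mappings:
        for value in assertion.get(m.saml_attribute, []):
            if m.operator == "equals":
                hit = value == m.value
            elif m.operator == "regex":
                hit = re.search(m.value, value) is not None
            else:
                raise ValueError(f"unknown operator {m.operator!r}")
            if hit:
                granted.setdefault(m.scp_group, []).append(value)
    return {group: sorted(values) for group, values in granted.items()}


# Over-broad: "MANAGER" also occurs inside MANAGER_ASSISTANTS and SALES_MANAGER.
LOOSE_MAPPINGS = [
    GroupMapping("MANAGER", ROLE_ATTR, "regex", "MANAGER"),
    GroupMapping("EMPLOYEE", ROLE_ATTR, "regex", "EMPLOYEE"),
]

# Least privilege: anchor the pattern to the exact group names you mean,
# or use "equals" when a single literal group name is enough.
STRICT_MAPPINGS = [
    GroupMapping("MANAGER", ROLE_ATTR, "regex", r"^(SALES|HR)_MANAGER$"),
    GroupMapping("EMPLOYEE", ROLE_ATTR, "equals", "EMPLOYEES"),
    GroupMapping("ASSISTANT", ROLE_ATTR, "regex", r"^MANAGER_ASSISTANTS$"),
]


def loose_result(assertion):
    return evaluate_mappings(assertion, LOOSE_MAPPINGS)


def strict_result(assertion):
    return evaluate_mappings(assertion, STRICT_MAPPINGS)


if __name__ == "__main__":
    for label, user in (("assistant", ASSISTANT_USER), ("manager", MANAGER_USER)):
        print(label, "loose :", loose_result(user))
        print(label, "strict:", strict_result(user))
```

The returned dict records which attribute value triggered each group, which is the information you want next to the SAML DevTools output when doing the trial-and-error step the author mentions: it shows immediately when an SCP group was granted by a group you did not intend. If your claim rule issues all groups as one concatenated string instead of a multi-valued attribute, substring matches become even broader, so anchoring to the separator as well as the name matters there too.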
