Group Mapping with Azure SAML SSO

Starting with the FlexDeploy 7.0 release, groups sent in an Azure SAML SSO response can be mapped to FlexDeploy groups. This page explains how to set that up on the Azure side and where to continue on the FlexDeploy side.


Setting up Azure to send groups in the SAML response

Open the Enterprise Application in portal.azure.com.

Click the Attributes and Claims tab.

Choose Add a group claim.

Choose which groups to send in the group claim. Some of the options only work if you are syncing on-premises Active Directory groups to the cloud, and each behaves a little differently; the Microsoft documentation may help. The screenshot here shows the groups being sent as roles assigned on the enterprise application, and the following screenshots use that approach, but any of the options is fine. If you choose another option, skip the next section and continue with the SSO Realm Group Mapping page.

Creating Enterprise Application Roles

This section is only needed if you chose the option “Groups assigned to the application” above. This approach is the most precise: only the roles explicitly assigned on this application are sent, so FlexDeploy never receives a user's unrelated directory group memberships. It will, however, likely be more work for your AD / infrastructure team to manage than reusing existing groups.

Click Users and Groups, then click the application registration link to add roles.

That opens the App roles page of the underlying app registration, which is not shown in the enterprise application's menu.

Click Create app role to add a new role.

The Display name is only used within Azure.

The Value is what is sent to FlexDeploy in the role claim, so record each Value as you create it (write it down, copy it to a notepad, or type it into FlexDeploy as you go). See the SSO Realm Group Mapping page for the FlexDeploy side of that.

Click Apply after each role.


When you are done creating the roles, you need to assign users to them. Click Users and Groups on the enterprise application to get back there.

Assign users or groups to the new roles.
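The following is an added example, not FlexDeploy or Microsoft code, that ties the steps above together in a scriptable form. It builds the appRoles entries for the app registration manifest (the same fields the Create app role form asks for), then decodes a SAML response and lists which role Values actually arrive in Azure's role claim and which FlexDeploy groups they would map to. The role/group pairs, the SAML response and the group names are all constructed for the example.

```python
"""Added example (not FlexDeploy or Microsoft code): define Azure app roles
and check which role Values a decoded SAML response really carries."""
import base64
import json
import uuid
import xml.etree.ElementTree as ET

# Role "Value" as typed into Azure  ->  FlexDeploy group it should map to.
# These pairs are constructed for the example.
ROLE_TO_FLEXDEPLOY_GROUP = {
    "fd-admins": "FlexDeploy Administrators",
    "fd-deployers": "Deployers",
    "fd-readonly": "Read Only",
}

# Azure AD emits assigned app roles in the SAML role claim. The other
# "Add a group claim" options arrive in the groups claim instead.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}


def build_app_roles(role_to_group):
    """Return the appRoles array for the app registration manifest.

    `value` is the string that appears in the SAML role claim; `displayName`
    is shown in Azure only. `id` must be a GUID and stay stable once assigned,
    so generate it once and keep the manifest under version control.
    """
    return [
        {
            "allowedMemberTypes": ["User"],  # users and groups can be assigned
            "description": f"Maps to FlexDeploy group '{fd_group}'",
            "displayName": fd_group,
            "id": str(uuid.uuid4()),
            "isEnabled": True,
            "value": value,
        }
        for value, fd_group in role_to_group.items()
    ]


def extract_claims(saml_response_b64):
    """Return {claim_name: [values]} from a base64-encoded SAMLResponse.

    Troubleshooting only: this decodes and reads the XML, it does NOT verify
    the IdP signature. The service provider (FlexDeploy) must do that before
    trusting any value found here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def map_roles(claims, role_to_group):
    """Split role claim values into mapped FlexDeploy groups and unknown Values."""
    mapped, unknown = [], []
    for value in claims.get(ROLE_CLAIM, []):
        (mapped if value in role_to_group else unknown).append(
            role_to_group.get(value, value))
    return mapped, unknown


# Constructed, unsigned response with the shape Azure AD produces; a real one
# is captured from the browser (e.g. a SAML tracer extension) as base64.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>fd-deployers</saml:AttributeValue>
        <saml:AttributeValue>fd-readonly</saml:AttributeValue>
        <saml:AttributeValue>legacy-role</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()


if __name__ == "__main__":
    # Save as app-roles.json and apply with, for example:
    #   az ad app update --id <app-id> --app-roles @app-roles.json
    print(json.dumps(build_app_roles(ROLE_TO_FLEXDEPLOY_GROUP), indent=2))
    mapped, unknown = map_roles(extract_claims(SAMPLE_RESPONSE), ROLE_TO_FLEXDEPLOY_GROUP)
    print("mapped FlexDeploy groups:", mapped)
    print("role Values with no FlexDeploy mapping:", unknown)
```

Running it against a real captured response is a quick way to confirm that the Value (not the Display name) is what reaches FlexDeploy, and that every role a user holds has a matching entry in the realm's group mapping; any Value listed as unmapped is a role that will be silently ignored on the FlexDeploy side.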

Setting up group mapping with the FlexDeploy SSO Realm

See SSO Realm Group Mapping for the steps to do there.
