AD groups with Single Sign On

creativeguitar
Level 3

I have configured SSO with Ping and was able to configure the SAML user successfully with the following format: <username>@<domain>

The problem now is that I am trying to configure the SAML groups with the same format. I am able to add them to the WebUI under SAML Groups as <group name>@<domain>, but users inside the group fail to authenticate.


I configured SSO as follows:

Identity provider name: [veritas_configuration]
Identity provider type: [SAML2]
Identity provider user: [userPrincipalName]
Identity provider user groups: [memberOf]
Enabled: [true]


I am getting userPrincipalName and memberOf in the SAML response in the same format, <username/group>@<domain>.

1 ACCEPTED SOLUTION

Accepted Solutions

X2
Moderator

Once SSO was set up, I used the WebUI and added a SAML group as <group_name>@<full_domain_name>, and it worked. The only issue I noticed is that if I use a browser session where I was using SSO with a normal username, it would give me an error. This is because my access to the WebUI/Java console is only via my "admin" account. So make sure the users are using the correct account.

Also, are you able to test SSO using SAML group just for yourself? If that works, there is something on the user's side.


2 REPLIES 2


You are correct! The main issue that I was having is that the SP provider was passing me the value "username" in the metadata file. Once they concatenated "@domain" to the username, then it started working.
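A small check for the mismatch this thread ended on, added here as an example and not part of the original thread or the product: it parses the AttributeStatement of a constructed SAML 2.0 assertion, pulls out the userPrincipalName and memberOf attributes that the configuration above maps, and reports any value that is not in the <name>@<domain> form the SAML user and group entries expect. The sample assertion, the attribute names and the domain are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace used for attribute elements in a SAML 2.0 assertion
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture). The second group value
# lacks the "@domain" suffix, reproducing the mismatch described in the thread.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="userPrincipalName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>nbu-admins@example.com</saml:AttributeValue>
      <saml:AttributeValue>nbu-operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_domain_suffix(attrs, user_attr="userPrincipalName",
                        group_attr="memberOf", domain=None):
    """Return (attribute, value) pairs that are not in name@domain form.

    If domain is given, values with a different suffix are flagged too,
    since the SAML user/group entries are configured with a fixed domain.
    """
    bad = []
    for name in (user_attr, group_attr):
        for value in attrs.get(name, []):
            local, sep, suffix = value.rpartition("@")
            if not sep or not local or not suffix:
                bad.append((name, value))          # bare "username" / "group"
            elif domain and suffix.lower() != domain.lower():
                bad.append((name, value))          # wrong domain suffix
    return bad


if __name__ == "__main__":
    for attr_name, value in check_domain_suffix(extract_attributes(SAMPLE_ASSERTION)):
        print(f"{attr_name}: '{value}' is missing the @domain suffix")
```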