I'm trying to map a custom SAML attribute used by another app to a group. Essentially we have 3 roles and the idea is to have 3 AD groups that'll be tied with each role.
Per the answer in Okta Group Attributes, I see that it's not directly possible.
What I've tried per the suggestion is to set a custom profile mapping for the application with nested ternary operators to mimic 3 if statements to set an attribute. However, while the ternary operators work, getting the mapping to work in the 'Attribute Statements' portion does not.
How else can I go about this? I'd prefer not to create 3 apps for 3 different roles if possible.
In scenarios like this I'll have Okta send the group(s) the user is a member of through as a custom attribute.
Within the SAML app configuration this option presents itself as Group Name and Group filter. (Application -> General Tab -> App Settings)
I'll create groups that will be representative of a 'role' I want the member user to have in the downstream app (SP) and then apply a group filter to only include those groups.
App1.Roleabc
App1.Roleefg
App1.Rolehij
Group Filter: App1.*
Group Name: Groups
The group "name" will be the name of the attribute used in the assertion, and a SAML assertion based on those values would look something along the lines of this:
<saml2p:Response>
  ...
  <saml2:Assertion>
    ...
    <saml2:Subject>
      <saml2:NameID>me#mydomain.tld</saml2:NameID>
      ...
    </saml2:Subject>
    ...
    <saml2:AttributeStatement>
      <saml2:Attribute Name="arbitraryAttribut">
        <saml2:AttributeValue> meaningfulValue </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Groups">
        <saml2:AttributeValue> App1.Roleabc </saml2:AttributeValue>
        <saml2:AttributeValue> App1.Rolehij </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
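How the downstream app (SP) might consume that "Groups" attribute and turn the three Okta groups into roles, as an added example that is not part of the original answer. The assertion below is a constructed copy of the answer's sample (with one extra group from another app added to show it is ignored), and the group-to-role table is a constructed allowlist.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample mirroring the answer's assertion (one extra group from
# another app added to show that it is ignored).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject><saml2:NameID>me#mydomain.tld</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="arbitraryAttribut">
        <saml2:AttributeValue> meaningfulValue </saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="Groups">
        <saml2:AttributeValue> App1.Roleabc </saml2:AttributeValue>
        <saml2:AttributeValue> App1.Rolehij </saml2:AttributeValue>
        <saml2:AttributeValue> App2.Admin </saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed allowlist: the three Okta groups from the answer -> SP roles.
GROUP_TO_ROLE = {"App1.Roleabc": "reader", "App1.Roleefg": "editor",
                 "App1.Rolehij": "admin"}

def attribute_values(root, name):
    """Stripped AttributeValue texts of the SAML attribute called `name`."""
    xpath = f".//saml2:Attribute[@Name='{name}']/saml2:AttributeValue"
    return [(el.text or "").strip() for el in root.findall(xpath, NS)]

def roles_from_assertion(xml_text, group_attr="Groups"):
    """Return (sorted roles, ignored group names) for one SAML Response.

    Only exact allowlisted names grant a role; prefix or case-insensitive
    matching would let an unrelated group (App1.Roleabc2, app1.roleabc)
    slip through. The Response signature must be verified before this
    step; XML parsing alone proves nothing about who issued the assertion.
    """
    root = ET.fromstring(xml_text)
    groups = attribute_values(root, group_attr)
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    ignored = [g for g in groups if g not in GROUP_TO_ROLE]
    return sorted(roles), ignored
```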
We are using the MS Graph API and would like to check the changes of users in a certain group. Currently we get the users via this query:
https://graph.microsoft.com/v1.0/groups/group-id/members
This is how we retrieved the delta of the group:
https://graph.microsoft.com/v1.0/groups/delta?$filter=id eq 'GroupId'&$select=members
Now my question would be if there is a way to relate this delta only to users in this group.
I can see a result when I add or delete a user from the group, but I need a result even if the name, street or something else gets changed.
I would be very grateful for any feedback.
Kind regards
There are limited supported resources for delta queries, which include groups, users etc., but not particularly the members and their properties of one such group.
I tried to query for members this way and got an unsupported error:
https://graph.microsoft.com/v1.0/groups/xxxxxxxx/members/delta?$select=displayName,jobTitle,mobilePhone
But you may retrieve members of all groups whose membership changes, such as when users are added or removed (updated), as you knew.
I've tried this way with the prefer: return=minimal header to return only the object properties that have changed since the last round, and got removed and updated users, but the properties that changed are not listed. We may need to copy the user id that changed and query for that using user delta:
https://graph.microsoft.com/beta/groups/delta?$filter=id+eq+'xxxx-xxxxa-xxxxx52eb'&$select=members+&$select=displayName
(or)
https://graph.microsoft.com/beta/groups/delta?$filter=id+eq+'xxxx2-xxxxxxxxeb'&$expand=members
Filtering separately for other properties like jobTitle is not valid:
https://graph.microsoft.com/beta/groups/delta?$filter=id+eq+'xxxxxxxxxxxx2-xxx'&$expand=members+&$select=displayName,jobTitle,mobilePhone
You can raise a Support request for the same.
References:
delta-query-groups | Microsoft Docs
supported-resources
microsoft-graph-issues
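The two-step approach the answer describes (group delta for membership, then users/delta for the changed users' properties) as an added example that is not from the original answer. The groups/delta page below is constructed to follow the documented members@delta / @removed shape; the id-filter form of users/delta and the TRACKED property list are assumptions.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed groups/delta page for one group: one member added, one removed.
# (Shape follows the documented members@delta / @removed convention.)
SAMPLE_GROUP_DELTA = json.dumps({
    "@odata.deltaLink": f"{GRAPH}/groups/delta?$deltatoken=TOKEN-PLACEHOLDER",
    "value": [{"id": "group-id", "members@delta": [
        {"@odata.type": "#microsoft.graph.user", "id": "user-1"},
        {"@odata.type": "#microsoft.graph.user", "id": "user-2",
         "@removed": {"reason": "deleted"}},
    ]}],
})

TRACKED = ("displayName", "jobTitle", "mobilePhone")  # assumed property set

def parse_group_delta(body):
    """Split one groups/delta page into (added_ids, removed_ids, deltaLink)."""
    page = json.loads(body)
    added, removed = [], []
    for group in page.get("value", []):
        for member in group.get("members@delta", []):
            (removed if "@removed" in member else added).append(member["id"])
    return added, removed, page.get("@odata.deltaLink")

def users_delta_url(user_ids, select=TRACKED):
    """Follow-up users/delta request for the member ids learned from the group.

    groups/delta reports only membership changes, so property changes have to
    be tracked on the users themselves. Assumes the id-filter form of
    users/delta ($filter=id eq '...' or id eq '...').
    """
    if not user_ids:
        return None
    clause = " or ".join(f"id eq '{uid}'" for uid in sorted(set(user_ids)))
    return f"{GRAPH}/users/delta?$filter={quote(clause)}&$select={','.join(select)}"

def changed_properties(user_delta_body, tracked=TRACKED):
    """Map user id -> tracked properties present in a users/delta page.

    With 'Prefer: return=minimal' a returned user carries only the properties
    that changed, so presence of a key means it changed.
    """
    return {u["id"]: sorted(k for k in tracked if k in u)
            for u in json.loads(user_delta_body).get("value", [])}
```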
I am new to sailpoint IdentityIQ.
How can I find the connectors that filter out read-only entitlements during aggregation and certification?
Thanks for your help!
During group aggregation, you can use a rule to modify the entries found, including to make them requestable or not, modify their names, or exclude them from IdentityIQ. This rule is attached to the group aggregation task.
You can refer to this article in SailPoint Community:
https://community.sailpoint.com/t5/Technical-White-Papers/Group-Aggregation-Data-Flow/ta-p/79070
Basically, in your group aggregation task, there is a dropdown to select/create a rule. You can create a new rule to do the logic you want. IdentityIQ will invoke your rule once per group object found, and if you return null, the group will be ignored. Or you can modify the object (change its name or description for example) and return it.
You can see the parameters IdentityIQ provides in the rule editor interface. The groups you do return from your rule become "Entitlement" objects in IdentityIQ.
For certification, you can assign a rule to select what you want to certify. In the campaign settings, IdentityIQ only certifies entitlement objects. When it finds a group that is not an entitlement, that group is called an "Additional Entitlement", and there's a checkbox to include or exclude it in the certification.
So if you already took care of groups you don't want in your group aggregation rule, for certification you can simply set it to exclude additional entitlements.
I'm using IGraphServiceClient with the code below to get the list of Azure AD users belonging to a particular group.
IGroupMembersCollectionWithReferencesPage lstOfAdusers = await _graphServiceClient.Groups[GroupName].Members.Request().GetAsync();
But user.MemberOf returns null.
How do I query the list of Azure AD users belonging to a particular group along with its "MemberOf" property using IGraphServiceClient?
You should use group ID instead of group name to call this method.
// Index Groups by the group's object ID (a GUID), not its display name; await instead of blocking on .Result
IGroupMembersCollectionWithReferencesPage lstOfAdusers = await graphServiceClient.Groups["groupID"].Members.Request().GetAsync();
You need to call another method to get the values of user.memberof.
// memberOf is a navigation property: it needs its own request per user
var memberOfList = await graphServiceClient.Users["userID"].MemberOf.Request().GetAsync();
In the API Management Developer Portal, we have the problem that all Operation (API) calls are listed in one long list, making it difficult for our customers to find out which calls belong together. What we'd like is the possibility to group calls by something, i.e. the controller name. (In Swagger this can be done by using the tags field in the Swagger specification.)
In the templates section, there's an option Operation list (grouped), which, by the name of it, might be able to solve our problems. But how can I use this template?
I'm currently importing the API list using the OpenAPI specification.
Update 1:
This is what it looks like in a sample operation list for us. There's no search box available.
The (grouped) template is used when the user selects the "Group by tags" option, the rightmost button next to the search field on the APIs/operations list. Here is how it looks on the UI:
Is it possible to not show a field in the backoffice advanced-search view depending on the user group of the current user?
I found the solution finally. Just use the property attribute principal in the tag for your advanced-search and specify which group should use which tag. So you can specify multiple advanced-search context tags for multiple principals.