SAP Knowledge Base Article - Public

3160226 - Group management in SAML for Azure AD

Symptom

We have not been able to set up the assignment of multiple groups via the Group Claims. Only one of the groups is ever handed over.


Resolution

In Azure AD, only one value can be emitted for an attribute through a conditional claim. Passing several groups this way is not intended behaviour in Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization#emitting-claims-based-on-conditions

"The order in which you add the conditions is important. Azure AD evaluates the conditions from top to bottom to decide which value to emit in the claim. The last value which matches the expression will be emitted in the claim."


If you use Azure AD as IdP, you have the following options:

  1. Group organisation can remain entirely within Signavio Process Manager.

  2. Adjust the management of the groups in Signavio so that they are defined finely enough that each user belongs to exactly one group that is transferred via SAML.

The second option causes extra work at the beginning, but is probably the best way to manage groups in the long term (depending on the user concept).
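The following added example (not part of the KBA, nor Microsoft's or SAP's code) simulates the quoted last-match-wins rule for a conditional group claim and implements the check a practitioner would want for the second option: which users still match more than one transferred group. Group names and memberships are constructed sample data; the condition model is a simplification of the real Azure AD configuration.

```python
"""Simulation of a conditional claim evaluated top to bottom, last match wins,
plus a check that every user maps to exactly one SAML-transferred group."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimCondition:
    """One row of a conditional claim: 'emit VALUE if the user is in GROUP'.
    Simplified model of the Azure AD rule (assumption, not the real schema)."""
    scoped_group: str
    value: str


def emit_group_claim(user_groups, conditions):
    """Return the single value a last-match-wins evaluation emits, or None.
    Later matching rows overwrite earlier ones, so a user in several scoped
    groups still receives exactly one value in the claim."""
    emitted = None
    for cond in conditions:
        if cond.scoped_group in user_groups:
            emitted = cond.value
    return emitted


def users_with_ambiguous_groups(memberships, conditions):
    """Option 2 check: users who match more than one condition, i.e. whose
    Signavio group would depend on rule order rather than on design."""
    scoped = {c.scoped_group for c in conditions}
    return sorted(u for u, groups in memberships.items() if len(groups & scoped) > 1)


# Constructed data: the IdP emits a "groups" claim with three condition rows.
CONDITIONS = [
    ClaimCondition("AAD-Modelers", "Modelers"),
    ClaimCondition("AAD-Reviewers", "Reviewers"),
    ClaimCondition("AAD-Admins", "Administrators"),
]
MEMBERSHIPS = {
    "alice": {"AAD-Modelers", "AAD-Reviewers"},  # two matches: only "Reviewers" is emitted
    "bob": {"AAD-Admins"},
    "carol": {"AAD-Guests"},                     # no match: no group value at all
}

if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        print(user, "->", emit_group_claim(groups, CONDITIONS))
    print("ambiguous:", users_with_ambiguous_groups(MEMBERSHIPS, CONDITIONS))
```

An empty result from `users_with_ambiguous_groups` means the group design satisfies the second option and no user's Signavio group depends on the order of the conditions.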


Keywords

KBA , BPI-SIG-CA-SEC-SAM , SAML 2.0 for SAP Signavio , How To

Product

SAP Signavio Process Manager all versions ; Signavio Process Manager all versions