memberOf SAML2 attribute
Synchronize groups via SAML2
Flexopus implements the standard SAML2 Single Sign-On protocol, which should work with any identity provider that follows the SAML2 standard. Often it is not enough to set up Single Sign-On for the login alone; group memberships also need to be exchanged, so that the user can access the right Flexopus resources from day one, starting with the first log-in.
Some identity providers offer an API to synchronize groups in real time. Such integrations are in place for Google via the Google Management API and for Microsoft via the SCIM API.
Other identity providers, such as Microsoft AD FS or KeyCloak, unfortunately do not offer the possibility to synchronize user groups through the SCIM API. As a workaround, we offer to exchange user groups as an additional attribute in the SAML2 authorization process. This attribute is called memberOf.
Instruction Manual
We assume that you have already configured the SAML2 integration between your identity provider and Flexopus successfully. If you have not, please set that up first.
STEP 1 - Configure Flexopus
Navigate in Flexopus as an administrator to Dashboard > Settings > Authentication. Click on the preconfigured SAML2 provider and go to the setting called synchronize groups. This setting is turned off by default. You can select one of the following options:
AD FS OPTION
Known IdPs require this option: Microsoft AD FS
With the AD FS option, the groups are sent as an array of LDAP distinguished names. The value of the first CN component is taken as the name of the group:
["CN=Group1,CN=...,DC=...,OU=Flexopus,OU=Org", "CN=Group2,CN=...,DC=...,OU=Flexopus,OU=Org"]
ARRAY OPTION
Known IdPs require this option: KeyCloak
With the ARRAY option, the groups are sent as a plain array of group names:
["Group1", "Group2"]
COMMA SEPARATED OPTION
With this option, the groups are sent as a comma separated list:
Group1,Group2
STEP 2 - Configure your IdP
You need to configure which attributes shall be synchronized between your identity provider and Flexopus. Map the corresponding attribute in your identity provider to the memberOf attribute:
'memberOf' => [
'memberOf'
]
STEP 3 - Reduce session time
With SAML2, the groups are only sent to Flexopus when a login is initiated, so the user must log in for the groups to be exchanged. We recommend a lower session lifetime (for example, 24 hours). You can configure this in the data privacy settings of Flexopus; with this setting the users must log in at least once a day (SSO with one click): Dashboard > Settings > Data Privacy Settings > Session lifetime
Since the users most likely have a valid session at your identity provider, this login is reduced to a single click, and you can ensure that the groups are synchronized daily.
Important notes
Limited request size
Note: The memberOf attribute is part of a request, so for practical reasons you cannot send an unlimited number of groups through this array. If the limit is exceeded, no groups are sent at all. The limit depends on both the sending and the receiving side; Microsoft, for example, imposes such a limit. You should not send more than 100 groups via this attribute.
Identifying groups
Groups are identified by name, and group names are always unique. If Flexopus receives a group whose name already exists as an internal group, that group becomes an external group. If we receive a new group, we create it as an external group.
Internal vs. external groups
After the login process, the groups received via memberOf are handled as external groups. These groups are attached to the user, and any other external groups that are not in the list are detached. The internal groups stay as they are.
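To make the three attribute formats and the attach/detach rules above concrete, here is an added Python example (not Flexopus code) that parses a memberOf value in each format, applies the 100-group limit described under "Limited request size", and computes which external groups a login would attach, detach or convert. The mode names "adfs", "array" and "comma" and the sample DNs are assumptions of this example.

```python
import re

MAX_GROUPS = 100  # page guidance: do not send more than 100 groups via memberOf


def parse_member_of(values, mode):
    """Return the set of group names carried by a memberOf attribute.

    values: list of attribute values as delivered in the SAML assertion.
    mode:   "adfs"  -> one LDAP DN per value, first CN is the group name
            "array" -> one plain group name per value
            "comma" -> a single value with comma separated names
    Mirrors the page's note: above the limit, no groups are sent at all.
    """
    if mode == "adfs":
        names = []
        for dn in values:
            # Take the value of the leading CN RDN; escaped commas in the
            # CN value (e.g. "CN=Smith\, J") are not handled here.
            m = re.match(r"\s*CN=([^,]+)", dn, re.IGNORECASE)
            if m:
                names.append(m.group(1).strip())
    elif mode == "array":
        names = [v.strip() for v in values if v.strip()]
    elif mode == "comma":
        names = [n.strip() for v in values for n in v.split(",") if n.strip()]
    else:
        raise ValueError(f"unknown memberOf mode: {mode}")
    if len(names) > MAX_GROUPS:
        return set()
    return set(names)


def reconcile_groups(received, internal, current_external):
    """Apply the internal/external rules for one user's login.

    received:         group names parsed from memberOf
    internal:         names of existing internal groups
    current_external: external groups currently attached to the user
    Returns (attach, detach, converted): external groups to attach, external
    groups to detach, and internal groups whose name collided with a received
    name and therefore become external. Other internal groups are untouched.
    """
    converted = received & internal
    attach = received - current_external
    detach = current_external - received
    return attach, detach, converted
```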
Trouble Shooting and FAQ
Can I only add one external group to the user and keep others?
External groups are managed via the memberOf
attribute in this configuration. The single source of through is what we receive with this attribute. Make sure you send all external groups that suppose to be associated with the user.
Can I configure the memberOf synchronization with multiple identity providers at the same time?
No. This is not supported. We can support group synchronization for only one identity provider.
Can I use SCIM and the memberOf attribute in parallel?
No. This is not supported. We can support group synchronization for only one identity provider.