Synchronise user groups with the memberOf attribute through SAML2
Identity providers such as AD FS or Keycloak unfortunately do not offer the possibility to synchronise user groups through the SCIM interface. As a workaround, Flexopus can therefore read the groups from an additional attribute that is sent during the SAML2 login. This attribute is called memberOf.
TIP
Check whether your identity provider supports a SCIM v2 interface. If it does, synchronise the groups using SCIM instead of the SAML2 memberOf attribute.
Depending on the provider, you can make the following settings in Flexopus:
Setting Type | Example | Identity Provider
--- | --- | ---
AD FS | `["CN=Group1,CN=...,DC=...,OU=Flexopus,OU=Org", "CN=Group2,CN=...,DC=...,OU=Flexopus,OU=Org"]` (also called an LDAP array; the first CN is used as the name of the group) | ADFS
Array | `["Group1", "Group2"]` | KeyCloak
Comma Separated | `Group1,Group2` (the group names must not contain a comma character) | Custom
```php
// Mapping for the memberOf attribute: the attribute name(s) under which the group list is delivered
'memberOf' => [
    'memberOf'
]
```
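The three setting types above differ only in how the group names are packed into the memberOf attribute. The following Python snippet is an added example (not Flexopus code) that normalises each format into a plain list of group names; the function names and sample values are constructed for illustration, and the comma-separated case shows why the table warns against commas inside a group name.

```python
# Added example (not Flexopus code): normalise the SAML2 "memberOf" attribute
# value into plain group names for each "Setting Type" listed in the table above.
# All function names and sample values are constructed for illustration.
import re
from typing import List, Union


def split_rdns(dn: str) -> List[str]:
    """Split an LDAP DN into its RDNs on commas that are not escaped with a backslash."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def parse_ldap_array(values: List[str]) -> List[str]:
    """AD FS type: each value is a full DN; the first CN component is the group name."""
    groups = []
    for dn in values:
        for rdn in split_rdns(dn):
            key, sep, value = rdn.partition("=")
            if sep and key.strip().upper() == "CN":
                # Unescape a comma that was protected inside the CN value.
                groups.append(value.strip().replace("\\,", ","))
                break
        else:
            raise ValueError(f"no CN component in DN: {dn!r}")
    return groups


def parse_array(values: List[str]) -> List[str]:
    """Array type (Keycloak): one group name per attribute value."""
    return [v.strip() for v in values if v.strip()]


def parse_comma_separated(value: str) -> List[str]:
    """Comma Separated type: one value with names separated by commas.

    There is no escaping in this format, which is why a group name must not
    contain a comma: "Sales, EMEA" is delivered as the two groups "Sales" and "EMEA".
    """
    return [v.strip() for v in value.split(",") if v.strip()]


def dedupe(groups: List[str]) -> List[str]:
    """Drop duplicate names while keeping the order in which they were delivered."""
    seen = set()
    out = []
    for g in groups:
        if g not in seen:
            seen.add(g)
            out.append(g)
    return out


def normalise_member_of(setting_type: str, raw: Union[str, List[str]]) -> List[str]:
    """Dispatch on the configured Setting Type and return a de-duplicated group list."""
    values = [raw] if isinstance(raw, str) else list(raw)
    kind = setting_type.strip().lower()
    if kind == "ad fs":
        groups = parse_ldap_array(values)
    elif kind == "array":
        groups = parse_array(values)
    elif kind == "comma separated":
        # An assertion may still carry several AttributeValue elements; join them first.
        groups = parse_comma_separated(",".join(values))
    else:
        raise ValueError(f"unknown Setting Type: {setting_type!r}")
    return dedupe(groups)


if __name__ == "__main__":
    # Constructed sample assertions, one per setting type.
    samples = [
        ("AD FS", ["CN=Group1,CN=Users,DC=example,DC=com",
                   "CN=Group2,OU=Flexopus,OU=Org,DC=example,DC=com"]),
        ("Array", ["Group1", "Group2"]),
        ("Comma Separated", "Group1,Group2"),
    ]
    for setting_type, raw in samples:
        print(f"{setting_type:16} -> {normalise_member_of(setting_type, raw)}")
```

Run it as a script to see the three formats reduced to the same `['Group1', 'Group2']`; feed `"Sales, EMEA,Group2"` to the comma-separated branch to see the name split in two.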
ATTENTION
With SAML2, the groups are only sent to Flexopus during the login process, so a user must log in again for updated groups to be exchanged. We recommend a shorter session time (for example 8 hours). You can configure this in the privacy settings of Flexopus; with this setting the users must log in at least once a day (SSO with one click).
Since the users probably have a valid session with the identity provider, this login is reduced to a single click, but it ensures that the groups are synchronised daily.
R0053