Group synchronisation through a SAML2 attribute

Synchronise user groups with the memberOf attribute through SAML2

Identity providers like AD FS or Keycloak unfortunately do not offer the possibility to synchronise user groups through the SCIM interface. As a workaround, we therefore offer the option of passing the groups as an additional attribute during the SAML2 login. This attribute is called memberOf.

TIP
Check whether your identity provider supports a SCIM v2 interface. If so, synchronise the groups using SCIM instead of the SAML2 memberOf attribute.

Depending on the provider, you can make the following settings in Flexopus:

Setting type | Example | Identity provider
--- | --- | ---
AD FS (LDAP array) | ["CN=Group1,CN=...,DC=...,OU=Flexopus,OU=Org", "CN=Group2,CN=...,DC=...,OU=Flexopus,OU=Org"] | ADFS
Array | ["Group1", "Group2"] | KeyCloak
Comma separated | Group1,Group2 | Custom

AD FS: this format is also called an LDAP array. The first CN of each entry is used as the name of the group.

Comma separated: the name of a group must not contain a comma character.

    'memberOf' => [
        'memberOf'
    ]
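
The following is an added example (not Flexopus code) of how the three memberOf shapes above can be normalised into plain group names on the receiving side: an AD FS LDAP DN array (the first CN is the group name, LDAP-escaped commas such as "\," are unescaped), a plain array as sent by Keycloak, and a comma-separated string from a custom provider. The sample attribute values, the function names and the handling of a bare DN string are assumptions made for this example.

```python
"""Normalise a SAML2 memberOf attribute value into a list of group names.

Added example, not Flexopus code. Covers the three formats described in
the table above; all sample values below are constructed for illustration.
"""
import re
from typing import Iterable, List, Union

# Leading RDN of an LDAP DN: "CN=" followed by a value in which a comma may be
# escaped as "\," (LDAP DN escaping). Matching stops at the first unescaped comma.
_LEADING_CN = re.compile(r'^\s*CN=((?:\\.|[^,\\])+)', re.IGNORECASE)


def cn_from_dn(dn: str) -> str:
    """Return the value of the leading CN of an LDAP DN.

    Backslash escapes in the CN value ("\," or "\\") are removed. A value that
    does not start with "CN=" is treated as a plain group name and returned
    stripped of surrounding whitespace.
    """
    match = _LEADING_CN.match(dn)
    if match is None:
        return dn.strip()
    return re.sub(r'\\(.)', r'\1', match.group(1)).strip()


def groups_from_member_of(value: Union[str, Iterable[str]]) -> List[str]:
    """Normalise a memberOf attribute into a de-duplicated list of group names.

    - str: treated as the comma-separated format ("Group1,Group2"). As the table
      notes, a comma inside a group name cannot be told apart from a separator,
      so such names are not supported in this format. As an assumption of this
      example, a single string that itself looks like a DN ("CN=...") is parsed
      as one DN instead of being split.
    - iterable of "CN=..." strings: AD FS LDAP array; the first CN is the name.
    - iterable of plain strings: Keycloak array; names are used as-is.
    Empty entries are dropped and the first occurrence of each name is kept.
    """
    if isinstance(value, str):
        parts: Iterable[str] = [value] if _LEADING_CN.match(value) else value.split(',')
    else:
        parts = value

    seen = set()
    groups: List[str] = []
    for part in parts:
        name = cn_from_dn(part)
        if name and name not in seen:
            seen.add(name)
            groups.append(name)
    return groups


# Constructed sample values mirroring the three rows of the table.
SAMPLE_ADFS = [
    "CN=Group1,CN=Users,DC=example,DC=org,OU=Flexopus,OU=Org",
    "CN=Group2,CN=Users,DC=example,DC=org,OU=Flexopus,OU=Org",
]
SAMPLE_KEYCLOAK = ["Group1", "Group2"]
SAMPLE_CUSTOM = "Group1,Group2"


if __name__ == "__main__":
    for label, sample in (("AD FS", SAMPLE_ADFS),
                          ("Keycloak", SAMPLE_KEYCLOAK),
                          ("Custom", SAMPLE_CUSTOM)):
        print(f"{label:9s} -> {groups_from_member_of(sample)}")
```

All three samples normalise to the same list, ["Group1", "Group2"], which is what makes a single group-assignment step on the application side independent of the provider's attribute format.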

ATTENTION
With SAML2, the groups are only sent to Flexopus during the login process, so a user must log in again for updated groups to be exchanged. We recommend a lower setting for the session time (for example 8 hours). You can configure this in the privacy settings of Flexopus; with this setting the users must log in at least once a day (SSO with one click).

Since the users probably still have a valid session with the identity provider, this login is reduced to a single click, and in this way you can ensure that the groups are synchronised daily.

R0053