
memberOf SAML2 attribute

Synchronize groups via SAML2

Flexopus implements the standard SAML2 Single Sign-On protocol, which is supposed to work with any identity provider that follows the SAML2 standard. Often it is not enough to set up Single Sign-On for the login alone; group memberships also have to be exchanged, so that a user can access the right Flexopus resources from day one, right after the first log-on.

Some identity providers offer an API to synchronize groups in real time. Such integrations are in place for Google via the Google Directory API and for Microsoft via the SCIM API:

Google Groups Sync
Azure Active Directory SCIM API

Other identity providers, such as Microsoft AD FS or Keycloak, unfortunately do not offer the possibility to synchronize user groups through the SCIM API. As a workaround, we offer to exchange user groups as an additional attribute during the SAML2 authentication process. This attribute is called memberOf.

IMPORTANT: Check whether your identity provider supports the SCIM v2 interface. If it does, synchronize the groups using SCIM instead of the SAML2 memberOf attribute.

Instruction Manual

We assume that you have already successfully configured the SAML2 integration between your identity provider and Flexopus. If not, please do that first:

SAML2 for a custom provider

STEP 1 - Configure Flexopus

Navigate in Flexopus as an administrator to Dashboard > Settings > Authentication. Click on the preconfigured SAML2 provider and go to the setting called "synchronize groups". This setting is turned off by default. You can select the following options here.

Activate group synchronization

You can see the following options listed:


AD FS OPTION
Known IdPs that require this option: Microsoft AD FS
The AD FS option sends the groups as a so-called LDAP array of distinguished names. The value of the first CN component is taken as the name of the group:

["CN=Group1,CN=...,DC=...,OU=Flexopus,OU=Org", "CN=Group2,CN=...,DC=...,OU=Flexopus,OU=Org"]

ARRAY OPTION
Known IdPs that require this option: Keycloak
The ARRAY option sends the groups as a plain array of group names:

["Group1", "Group2"]

COMMA SEPARATED OPTION
This option sends the groups as a single comma-separated string:

Group1,Group2
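The three formats above differ only in how the group names are packaged, so the receiving side has to normalize them before it can compare names. The following Python snippet is an added example and not Flexopus code; it assumes a hypothetical `parse_member_of(raw, option)` function and constructed sample values, and it also applies the "no more than 100 groups" guidance from the notes below as a check on the parsed result. For the AD FS format it splits the DN on unescaped commas (RFC 4514 style) so a group name containing an escaped comma is still recovered correctly.

```python
"""Normalize the memberOf attribute from its three transport formats
(AD FS LDAP array, plain array, comma-separated string) into a
de-duplicated list of group names.  Added example, not Flexopus code."""
import re
from typing import List, Optional, Union

# Guidance from the page: do not send more than 100 groups via memberOf.
MAX_GROUPS = 100

# Split a distinguished name on commas that are NOT escaped with a backslash.
_DN_SPLIT = re.compile(r"(?<!\\),")


def first_cn(dn: str) -> Optional[str]:
    """Return the value of the first CN= component of an LDAP DN, or None
    if the DN has no CN component (such an entry is skipped, not treated
    as a group)."""
    for component in _DN_SPLIT.split(dn):
        key, sep, value = component.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            # Un-escape "\," so the group name is stored with a literal comma.
            return value.replace("\\,", ",").strip()
    return None


def parse_member_of(raw: Union[List[str], str], option: str) -> List[str]:
    """Convert the raw memberOf value to a list of group names.

    option: "adfs"  -> raw is a list of DNs, the first CN is the group name
            "array" -> raw is a list of group names
            "comma" -> raw is one comma-separated string
    Empty entries are dropped and duplicates removed, keeping first-seen order.
    """
    if option == "adfs":
        names = [first_cn(dn) for dn in raw]
    elif option == "array":
        names = list(raw)
    elif option == "comma":
        names = raw.split(",")
    else:
        raise ValueError(f"unknown memberOf option: {option!r}")

    seen = set()
    groups = []
    for name in names:
        if name is None:
            continue
        name = name.strip()
        if name and name not in seen:
            seen.add(name)
            groups.append(name)
    return groups


def exceeds_limit(groups: List[str], limit: int = MAX_GROUPS) -> bool:
    """True when more groups were received than the page recommends sending."""
    return len(groups) > limit


if __name__ == "__main__":
    # Constructed sample values in the three formats (placeholders, not real DNs).
    adfs_sample = [
        "CN=Group1,CN=Users,DC=example,DC=test",
        "CN=Group2,OU=Flexopus,OU=Org,DC=example,DC=test",
        "CN=Finance\\, EMEA,OU=Flexopus,DC=example,DC=test",
    ]
    print(parse_member_of(adfs_sample, "adfs"))
    print(parse_member_of(["Group1", "Group2", "Group1"], "array"))
    print(parse_member_of("Group1, Group2,,Group3", "comma"))
```

The de-duplication matters because of the "groups are identified by name" rule later on the page: two DNs with the same first CN would otherwise be attached twice.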

STEP 2 - Configure your IdP

You need to configure which attributes are exchanged between your identity provider and Flexopus. Map the attribute that carries the group memberships in your identity provider to the memberOf attribute expected by Flexopus:

'memberOf' => [
    'memberOf'
]

STEP 3 - Reduce session time

With SAML2, the groups are only sent to Flexopus when a login is initiated, so a user must log in for the groups to be exchanged. We therefore recommend a shorter session lifetime (for example, 24 hours). You can configure this in the privacy settings of Flexopus under Dashboard > Settings > Data Privacy Settings > Session lifetime; with this setting, users must log in at least once a day.

Since the users probably still have a valid session at your identity provider, this login is reduced to a single click (SSO), but it ensures that the groups are synchronized daily.


Important notes


Limited request size

Note: The memberOf attribute is part of the SAML2 response, so you cannot send an unlimited number of groups through this array. If the limit is reached, no groups are sent at all. The limit depends on both the sending and the receiving side; Microsoft, for example, documents its own limit. You should not send more than 100 groups via this attribute.


Identifying groups

Groups are identified by name, and group names are always unique. If Flexopus receives a group whose name already exists as an internal group, that group becomes an external group. If Flexopus receives a group name it does not know yet, it creates that group as an external group.


Internal vs. external groups

After the login process, the groups received via memberOf are handled as external groups. These groups are attached to the user, and any other external groups that are not in the list are detached. The user's internal groups stay as they are.
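The two preceding notes together define a small reconciliation procedure, which the following Python snippet carries out on constructed sample data. It is an added example and not Flexopus code; the `Group` class, the `reconcile_groups(...)` function and the in-memory "catalog" of known groups are assumptions standing in for whatever Flexopus stores internally, and group names are compared case-sensitively (also an assumption, since the page only says names are unique).

```python
"""Reconcile a user's group memberships with the names received via
memberOf, following the rules on the page:
  * a received name that matches an internal group turns that group external
  * a received name that is unknown is created as an external group
  * received groups are attached to the user
  * external groups NOT received are detached; internal groups are untouched
Added example, not Flexopus code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass
class Group:
    name: str
    external: bool  # False = managed inside Flexopus, True = managed by the IdP


def reconcile_groups(
    user_groups: Set[str],
    received: Iterable[str],
    catalog: Dict[str, Group],
) -> Tuple[Set[str], Set[str], Set[str]]:
    """Apply the memberOf rules for one user.

    user_groups: names of the groups the user is currently a member of
    received:    group names delivered in the memberOf attribute (single source of truth)
    catalog:     all groups known to the system, by name; mutated in place

    Returns (new membership, attached names, detached names).
    """
    received = set(received)

    # Rule 1/2: received names either convert an internal group or create a new one.
    for name in received:
        group = catalog.get(name)
        if group is None:
            catalog[name] = Group(name=name, external=True)
        elif not group.external:
            group.external = True

    # Rule 3/4: keep internal groups, replace the external set with what was received.
    kept_internal = {n for n in user_groups if not catalog[n].external}
    new_membership = kept_internal | received

    attached = received - user_groups
    detached = user_groups - new_membership
    return new_membership, attached, detached


def sample_catalog() -> Dict[str, Group]:
    """Constructed sample data: two internal groups and two external ones."""
    return {
        "Engineering": Group("Engineering", external=False),
        "Board": Group("Board", external=False),
        "Sales": Group("Sales", external=True),
        "Guests": Group("Guests", external=True),
    }


if __name__ == "__main__":
    catalog = sample_catalog()
    membership, attached, detached = reconcile_groups(
        {"Engineering", "Sales", "Guests"}, ["Sales", "Marketing"], catalog
    )
    print(sorted(membership))  # Engineering kept, Sales kept, Marketing attached
    print(sorted(attached), sorted(detached))  # Guests detached: not in memberOf
```

Running the example shows the practical consequence of the "single source of truth" rule from the FAQ: a group such as Guests that was attached externally before is detached as soon as one login arrives without it.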

Learn more about the groups here:

User groups
Here you can see the actions you can perform with user groups as an administrator: manage groups manually, manage groups via the SCIM API, manage groups via SAML2 (memberOf), and import users and groups (CSV and XLSX).

Troubleshooting and FAQ

Can I only add one external group to the user and keep others?

External groups are managed via the memberOf attribute in this configuration. The single source of truth is what we receive in this attribute, so make sure you send all external groups that are supposed to be associated with the user.

Can I configure the memberOf synchronization with multiple identity providers at the same time?

No. This is not supported. We can support group synchronization for only one identity provider.

Can I use SCIM and the memberOf attribute in parallel?

No. This is not supported. Groups can be synchronized from only one source at a time.

R0053