EasySSO can be configured to automatically add and remove a user's groups, based on the groups sent by your SAML IDP: EasySSO SAML JIT User Provisioning

However, by default Azure AD will only send the group IDs in the response, which are normally different from the names of groups in Jira or Confluence.

In order for EasySSO to add groups based on your IDP's response, we will:

  • Add a role for each group to the Azure AD manifest for EasySSO
  • Map each of these roles to a group in Azure AD
  • Add a claim for this role to your Azure AD configuration for EasySSO
  • Set this claim as the group attribute in EasySSO

Add roles to the Azure AD Manifest

This is the most difficult step and requires you to edit the JSON manifest for EasySSO in Azure AD.

First, we need to navigate to the App Registrations page and locate the registration for EasySSO. You should be able to search for and locate this page in the Azure AD portal.

Navigate to the manifest:

Download a copy of the manifest as a backup, in case your edit causes any issues.

Locate the "appRoles" section of the manifest:

We are going to add an additional appRole for every group we would like to configure. In this example, we are creating the roles: "confluence-users" and "confluence-administrators".

For each role you will need to generate a unique ID (a version 4 UUID); you can generate these IDs at this page: https://www.uuidgenerator.net/version4

Each role is in the following format, with the group name inserted in the description, displayName and value fields. Make sure to add a comma between each role entry.

{
	"allowedMemberTypes": [
		"User"
	],
	"description": "confluence-administrators",
	"displayName": "confluence-administrators",
	"id": "<ID YOU HAVE GENERATED USING THE ABOVE LINK>",
	"isEnabled": true,
	"lang": null,
	"origin": "Application",
	"value": "confluence-administrators"
}

So for our example, the final result should look like:
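As an added example (not part of the original article and not EasySSO's or Microsoft's own tooling), the following Python builds appRole entries in the format shown above for a list of group names and checks the edited appRoles section for the mistakes that make Azure AD reject the manifest or make EasySSO receive the wrong name: a leftover placeholder id, a copy-pasted duplicate id or value, and a value that no longer matches the displayName. The manifest fragment and its default role id are constructed samples.

```python
import json
import uuid

# Constructed sample of the "appRoles" section of an Azure AD app manifest,
# as it looks before any group roles are added (one default "User" role).
SAMPLE_MANIFEST = {"appRoles": [{
    "allowedMemberTypes": ["User"], "description": "User", "displayName": "User",
    "id": "00000000-0000-4000-8000-000000000001", "isEnabled": True,
    "lang": None, "origin": "Application", "value": None}]}

def make_app_role(group_name):
    """One appRole in the shape the article shows: the group name goes into
    description, displayName and value (the value is what the roles claim
    carries), and the id is a freshly generated version 4 UUID."""
    return {"allowedMemberTypes": ["User"], "description": group_name,
            "displayName": group_name, "id": str(uuid.uuid4()),
            "isEnabled": True, "lang": None, "origin": "Application",
            "value": group_name}

def validate_app_roles(manifest):
    """Return a list of problems in the appRoles section: a placeholder or
    malformed id, duplicate ids, duplicate values, and a value that differs
    from displayName (EasySSO matches groups on the value that is sent)."""
    problems, seen_ids, seen_values = [], set(), set()
    for role in manifest.get("appRoles", []):
        label = role.get("displayName", "?")
        try:
            uuid.UUID(str(role.get("id")))  # rejects "<ID YOU HAVE GENERATED...>"
        except ValueError:
            problems.append(f"{label}: id is not a valid UUID")
        if role.get("id") in seen_ids:
            problems.append(f"{label}: duplicate id")
        seen_ids.add(role.get("id"))
        value = role.get("value")
        if value is not None:  # the default "User" role legitimately has null
            if value in seen_values:
                problems.append(f"{label}: duplicate value")
            seen_values.add(value)
            if value != label:
                problems.append(f"{label}: value {value!r} differs from displayName")
    return problems

def add_group_roles(manifest, group_names):
    """Copy the manifest, append one appRole per group and validate the result."""
    updated = json.loads(json.dumps(manifest))  # deep copy, original untouched
    updated["appRoles"].extend(make_app_role(g) for g in group_names)
    problems = validate_app_roles(updated)
    if problems:
        raise ValueError("; ".join(problems))
    return updated
```

Run `validate_app_roles` over the manifest you edited by hand before uploading it, or use `add_group_roles` to generate the entries and print `json.dumps(updated["appRoles"], indent=2)` to paste into the portal.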

Map each Role to a Group in Azure AD

Navigate back to the Enterprise Applications page for EasySSO and select the "Users and Groups" option:

  • Select "Add user/group"
  • For the "Users" selection, choose the group you are configuring
  • For the Role selection, select the corresponding role, which we have just added to the manifest

Add a claim for these roles to your Azure AD configuration for EasySSO

  • Choose the "Single Sign On" item:

  • Add a new claim for "user.assignedRoles":

Set this claim as the group attribute in EasySSO

Navigate to the "Attributes" tab of the EasySSO SAML Configuration and ensure that the group attribute is set to the same value as the namespace you set for the roles claim in Azure AD:

That's it!

EasySSO should now be correctly receiving the names of groups from Azure AD.
