SSO - ADFS - Group claim

nichoffman
Kilo Expert

Dear ServiceNow community,

We're using Multi-Provider SSO and my Identity Provider is well configured with Auto Provisioning User and Update User Record Upon Each Login set to true. No problem on authentication and user creation / update (even with extra fields).

Now we need to be able to add users to groups in ServiceNow based on AD groups. For my tests, I created groups in AD and set the same name in ServiceNow.

My ADFS engineer created a claim rule to provide an attribute (http://schemas.xmlsoap.org/claims/Groups) with a value for each group.

The result is that the user is not added to the groups even if they exist in ServiceNow and an extra column is created in my Import Set table 'http_schemas_x_g_claims_group' which contains the first value representing the name of one group.

I would have expected ServiceNow to be able to work on what my engineer calls standard SAML claims.

If not, I would like to see at least all the values so I can treat them in a transform script.

Has anyone ever dealt with such a requirement?

Thanks in advance.

Nicolas


Community Alums
Not applicable

Did you ever find a solution to this problem? If so, can you provide details on the claim and the group import?

nichoffman
Kilo Expert

Hello,


Yes I did actually. So here's what happened:

The group claim provided by our ADFS expert created a column in our Import Set table named http_schemas_x_g_claims_group. And this claim was in fact a structured XML with one element and X attributes. Each attribute was a group membership.

The issue was that the User Provisioning script only considers the first attribute of each XML element. So we had only one group per user in our Import Set Table.

We had to adapt the User Provisioning script in order to browse the XML tree and write a comma separated list of groups instead of one single group:

// attrValues: the list of SAML attribute values for the attribute called 'name',
// as handed over by the OOTB User Provisioning script; 'value' is the string
// that ends up in the Import Set column for that attribute.
if (attrValues && attrValues.size() > 0) {
	// Claim name as used in our ADFS rule; replace it with the name of your own group claim.
	if (name != 'http://schemas.xmlsoap.org/claims/Group') {
		// Default OOTB behaviour: keep only the first value of the attribute.
		value = attrValues.get(0).getDOM().getTextContent();
	} else {
		// Group claim: walk every value and build a comma separated list of group names.
		for (var k = 0; k < attrValues.size(); k++) {
			if (value)
				value += ',' + attrValues.get(k).getDOM().getTextContent();
			else
				value = attrValues.get(k).getDOM().getTextContent();
		}
	}
}

If you pay attention to your OOTB User Provisioning script, you should easily find where this code belongs. You'd just have to replace the name of the claim.


The next part is to handle the comma separated list of groups in a Transform Map Script. We did an onAfter one.


We probably could have done something cleaner. But since this did the job, we didn't push any further. Maybe this has changed since then, I don't know. I'm not working on that project anymore. 🙂


Do not hesitate to ask questions if you don't understand.

Regards,

Nicolas
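The reply above only names the second step (an onAfter Transform Map script that consumes the comma separated group list) without showing it. The following is an added example, not code from the thread or from ServiceNow: it splits the list written by the modified provisioning script, works out which sys_user_grmember rows to add or remove, and only touches groups on an explicit SSO-managed list, so an unexpected or misspelled AD group name is reported instead of silently granting access and memberships maintained by hand in ServiceNow are left alone. The import set column name http_schemas_x_g_claims_group is the one quoted in the thread; the group names, the managed list, the `source`/`target` usage and the GlideRecord calls at the end are assumptions. The reconcile logic is plain ES5 so it runs in Node as well as in a ServiceNow (Rhino) script; `applyGroupClaim` is only meant to be called inside ServiceNow.

```javascript
// Split the claim value into trimmed, de-duplicated group names.
// Empty segments (e.g. a trailing comma) are dropped.
function parseGroupClaim(claimValue) {
  var out = [];
  var seen = {};
  if (!claimValue) {
    return out;
  }
  var parts = String(claimValue).split(',');
  for (var i = 0; i < parts.length; i++) {
    var name = parts[i].trim();
    if (name && !seen.hasOwnProperty(name)) {
      seen[name] = true;
      out.push(name);
    }
  }
  return out;
}

// Turn an array of names into an object usable as a set (ES5 friendly).
function toLookup(names) {
  var lookup = {};
  for (var i = 0; i < names.length; i++) {
    lookup[names[i]] = true;
  }
  return lookup;
}

// Decide which memberships to add and remove.
//   asserted : group names carried in the SAML claim
//   current  : group names the user currently belongs to in ServiceNow
//   managed  : group names SSO is allowed to grant or revoke (assumed list)
// Groups outside 'managed' are never touched: an asserted name that is not
// managed goes to 'ignored', and a current membership that is not managed is
// kept even though the IdP did not assert it. A managed membership that the
// IdP no longer asserts is removed, so access does not outlive the AD group.
function reconcileGroups(asserted, current, managed) {
  var assertedSet = toLookup(asserted);
  var currentSet = toLookup(current);
  var managedSet = toLookup(managed);
  var result = { add: [], remove: [], ignored: [] };
  var i;
  for (i = 0; i < asserted.length; i++) {
    if (!managedSet.hasOwnProperty(asserted[i])) {
      result.ignored.push(asserted[i]);
    } else if (!currentSet.hasOwnProperty(asserted[i])) {
      result.add.push(asserted[i]);
    }
  }
  for (i = 0; i < current.length; i++) {
    if (managedSet.hasOwnProperty(current[i]) && !assertedSet.hasOwnProperty(current[i])) {
      result.remove.push(current[i]);
    }
  }
  return result;
}

// Constructed sample (not real data): the import set value after the
// provisioning script joined several claim attributes, the user's existing
// memberships, and the managed list. Returns the reconcile decision.
function sampleRun() {
  var claim = ' SN-Admins, SN-Helpdesk ,SN-Admins,,Unknown-Group';
  var existing = ['SN-Helpdesk', 'SN-Finance', 'Local-Only'];
  var managed = ['SN-Admins', 'SN-Helpdesk', 'SN-Finance'];
  return reconcileGroups(parseGroupClaim(claim), existing, managed);
}

// Assumed onAfter Transform Map script body: 'source' is the import set row,
// 'target' the sys_user row. Group names are matched exactly against
// sys_user_group.name; an asserted group that does not exist is simply skipped.
function applyGroupClaim(source, target, managed) {
  var asserted = parseGroupClaim(source.getValue('http_schemas_x_g_claims_group'));
  var userId = target.getUniqueValue();
  var current = [];
  var gm = new GlideRecord('sys_user_grmember');
  gm.addQuery('user', userId);
  gm.query();
  while (gm.next()) {
    current.push(gm.group.name.toString());
  }
  var plan = reconcileGroups(asserted, current, managed);
  var i;
  for (i = 0; i < plan.add.length; i++) {
    var grp = new GlideRecord('sys_user_group');
    grp.addQuery('name', plan.add[i]);
    grp.query();
    if (grp.next()) {
      var ins = new GlideRecord('sys_user_grmember');
      ins.initialize();
      ins.setValue('user', userId);
      ins.setValue('group', grp.getUniqueValue());
      ins.insert();
    }
  }
  for (i = 0; i < plan.remove.length; i++) {
    var del = new GlideRecord('sys_user_grmember');
    del.addQuery('user', userId);
    del.addQuery('group.name', plan.remove[i]);
    del.query();
    while (del.next()) {
      del.deleteRecord();
    }
  }
  return plan;
}
```

Inside the Transform Map you would call `applyGroupClaim(source, target, [...])` with the managed list, and log `plan.ignored` so an AD group that was never expected shows up in the import log rather than being quietly dropped. Matching on the exact group name is deliberate: if the ADFS rule can emit display names that differ only in case or whitespace, normalise them in the claim rule rather than loosening the match here.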