A user may belong to multiple AD groups. This guide describes how to return the list of groups a user belongs to as a multi-valued SAML attribute, so that the Service Provider receives one attribute value per group.

Under SSO > Service Providers, locate the SP you wish to add the attribute to.


Click on the ellipsis and select Edit from the drop-down menu that appears.

Click on the Attributes tab and then click on Create.

Add the following parameters:

Field      Value
Location   HTTP Body
Name       Any name the SP requires; usually it is 'groups'
Format     attrname-format:unspecified
Script     groups?.name

The Format value corresponds to the SAML NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified on the emitted attribute. The ?. in the script is the null-safe operator: a user with no group memberships yields an empty attribute rather than an error.

Remember to save the changes.

Testing

First note the groups the AD account belongs to.

Then log on to the SAML website and check, by inspecting the full SAML assertion, that every group the AD account is a member of is returned as a value of the 'groups' attribute. The groups should appear as one saml:Attribute named 'groups' containing one saml:AttributeValue per group.

In this example, the SAML test page returns the same set of groups as the AD account's membership list.
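The check above can be automated at the SP end. The following script is an added example and is not part of the original guide or the product; it assumes the SP receives the response base64-encoded in the SAMLResponse form field (the HTTP-POST binding) and that the attribute is named 'groups'. The SAML response it parses is a constructed fixture, not an assertion captured from a real IdP.

```python
import base64
from xml.etree import ElementTree as ET

# XML namespaces used in SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a SAML Response carrying an assertion with a multi-valued
# 'groups' attribute for a user who is a member of three AD groups. This is a
# test fixture, not a response captured from a real IdP, and it is unsigned,
# so it is only suitable for inspecting the attribute layout.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
        <saml:AttributeValue>VPN Users</saml:AttributeValue>
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The SP normally receives the response base64-encoded in the SAMLResponse
# form field (HTTP-POST binding); encode the fixture the same way.
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def attribute_values(saml_response_b64: str, name: str) -> list[str]:
    """Return every AttributeValue of the attribute called `name`.

    A multi-valued attribute arrives as one <saml:Attribute> with several
    <saml:AttributeValue> children, which is how the 'groups' attribute
    configured in this guide is emitted.
    """
    xml = base64.b64decode(saml_response_b64)
    root = ET.fromstring(xml)
    values: list[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            values.append((value.text or "").strip())
    return values


def missing_groups(expected: list[str], saml_response_b64: str,
                   name: str = "groups") -> list[str]:
    """Return the AD groups in `expected` that did not appear in the attribute.

    Comparison is case-insensitive because AD group names are not
    case-sensitive.
    """
    returned = {g.casefold() for g in attribute_values(saml_response_b64, name)}
    return [g for g in expected if g.casefold() not in returned]


if __name__ == "__main__":
    # Expected membership list for the test account; 'Helpdesk' is deliberately
    # absent from the fixture so the gap is reported.
    expected = ["Domain Users", "VPN Users", "Finance", "Helpdesk"]
    print("Returned:", attribute_values(SAMPLE_SAMLRESPONSE_B64, "groups"))
    print("Missing :", missing_groups(expected, SAMPLE_SAMLRESPONSE_B64))
```

This only inspects the attribute layout. In a real SP the assertion's signature must be validated before any group value is used for authorisation, and XML from an untrusted party should be parsed with a hardened parser (for example defusedxml) rather than xml.etree directly.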
