
How to provide groups in SAML assertion

Summary: You want to provide groups in addition to the username in the SAML assertion.

Fix: Send the groups as values of the "member-of" attribute in the assertion's attribute statement. The GSA parses this statement automatically and adds the groups to the principal.

Here is an example of a SAML 1.0 attribute statement:

<...> 
<saml:AttributeStatement>          
    <saml:Attribute Name="member-of">
        <saml:AttributeValue>group1</saml:AttributeValue>
        <saml:AttributeValue>group2</saml:AttributeValue>
        <saml:AttributeValue>group3</saml:AttributeValue>
        <saml:AttributeValue>group4</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
<...>

Here is an example of a SAML 2.0 attribute statement:

<...>
<saml2:AttributeStatement> 
    <saml2:Attribute FriendlyName="member-of" Name="member-of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>group1</saml2:AttributeValue>
        <saml2:AttributeValue>group2</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>
<...>
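
To confirm what an IdP actually sends before troubleshooting the GSA side, the following added example (not part of the original article or of any Google tooling) parses a captured assertion and lists the "member-of" values plus any other attribute names it finds, such as a misnamed memberOf. The sample assertion, the inspect_groups function name and the memberOf/group9 values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML assertion namespaces mapped to the version label reported below.
SAML_NS = {
    "urn:oasis:names:tc:SAML:1.0:assertion": "1.x",
    "urn:oasis:names:tc:SAML:2.0:assertion": "2.0",
}
GROUP_ATTR = "member-of"  # attribute name the article says the GSA parses

# Constructed sample: the article's SAML 2.0 statement plus a misnamed attribute.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="member-of">
      <saml2:AttributeValue>group1</saml2:AttributeValue>
      <saml2:AttributeValue>group2</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue>group9</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def inspect_groups(assertion_xml):
    """Report the "member-of" groups in an assertion (diagnostic only:
    signature, issuer and validity conditions are not checked here)."""
    if "<!doctype" in assertion_xml.lower():
        raise ValueError("DTD found; refusing to parse a SAML message with one")
    report = {"version": None, "groups": [], "other_attributes": []}
    for stmt in ET.fromstring(assertion_xml).iter():
        ns = stmt.tag[1:].partition("}")[0] if stmt.tag.startswith("{") else ""
        if ns not in SAML_NS or stmt.tag != "{%s}AttributeStatement" % ns:
            continue
        report["version"] = SAML_NS[ns]
        for attr in stmt.findall("{%s}Attribute" % ns):
            # The article's examples use Name; the SAML 1.x schema calls it AttributeName.
            name = attr.get("Name") or attr.get("AttributeName")
            if name != GROUP_ATTR:
                report["other_attributes"].append(name)  # exact-match miss
                continue
            for value in attr.findall("{%s}AttributeValue" % ns):
                text = (value.text or "").strip()  # trimmed for display
                if text and text not in report["groups"]:
                    report["groups"].append(text)
    return report

if __name__ == "__main__":
    print(inspect_groups(SAMPLE))
```

An empty groups list alongside a non-empty other_attributes list usually means the IdP is releasing groups under a different attribute name than "member-of".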

Additional Information: Please see this document for further information on configuring GSA with SAML IdP.

Versions affected: 7.4, 7.6 releases.
