For basic SAML integration with Azure AD (Entra ID), please refer to the following article: https://support.safous.com/kb/azure-ad-saml-configuration
To configure an Azure AD Group (IdP) integration, navigate to Accounts > Groups (IdP) and click "New Group".
By default, the group attribute name is "groups", so set the attribute name to groups (it must match the claim name you configure in the Azure AD SAML application). To obtain the Group Name and Expected Value for each group, follow these steps:
- Open your Azure AD management console: https://portal.azure.com/
- Navigate to the Enterprise Applications screen.
- Locate the following columns, which map to the fields in Safous:
  - Name (Azure) → Group Name (Safous)
  - Object ID (Azure) → Expected Value (Safous)
For the integration to work, configure Group Claims on the SAML application in Azure AD. If group claims are not yet defined on your Azure AD application, add them: edit the claims, add a group claim, and in the advanced options enter a claim name (for example, groups) that you will also configure in Safous. Safous matches each value of this claim against the Expected Value (the group Object ID) of its Groups (IdP) entries, so the claim name and value format must match exactly.
Azure AD (Entra ID) does not include group values in the SAML assertion for users who are members of more than 150 groups. Instead it emits an overage claim (http://schemas.microsoft.com/claims/groups.link) containing a Microsoft Graph API link, which the relying application (Safous, in this case) would have to call to retrieve the group membership. Safous does not currently support this, so such users receive no group-based mapping even though the rest of the assertion is valid. To avoid this, reduce the number of groups included in the assertion by configuring group filtering (for example, emitting only groups assigned to the application) in the group claim settings of the Entra ID app.
Example App Gateway log entry for a user who received an MS Graph API link (groups.link) instead of group attributes; note that no group claim appears among the parsed attributes:
{"log":"2025/01/24 09:25:45 I [saml_1] parsed and verified saml response attributes \"http://schemas.microsoft.com/identity/claims/tenantid\" = \"808e8e4e-335e-475c-a857-3d2d1a2xxxxx\", \"http://schemas.microsoft.com/identity/claims/objectidentifier\" = \"c866b851-826a-46f3-b1cd-2cb2b22b5649\", \"http://schemas.microsoft.com/identity/claims/displayname\" = \"user, example/SYSCO(JP)/•Ð‰ª “ÄŽu(NS•”NS1G ‹ZŽt)\", \"http://schemas.microsoft.com/claims/groups.link\" = \"https://graph.windows.net/808e8e4e-335e-475c-a857-3d2d1a2xxxxx/users/c866b851-826a-46f3-b1cd-2cb2b22b5649/getMemberObjects\", \"http://schemas.microsoft.com/identity/claims/identityprovider\" = \"https://sts.windows.net/808e8e4e-335e-475c-a857-3d2d1a2xxxxx/\", \"http://schemas.microsoft.com/claims/authnmethodsreferences\" = [\"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password\" \"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509\" \"http://schemas.microsoft.com/claims/multipleauthn\"], \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\" = \"example\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\" = \"user\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\" = \"example.user.ua@mail.company\", \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" = \"example.user.ua@mail.company\"\n","stream":"stderr","time":"2025-01-24T09:25:45.957796094Z"}
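The following Python script is an added example for this article (not Safous or Microsoft code). It parses App Gateway log records in the format shown above, maps the group Object IDs from the group claim to Safous Groups (IdP) entries (Group Name ↔ Expected Value, as described earlier), and flags the overage case where Entra ID sent a groups.link claim instead of group values. It assumes the custom group claim name is `groups`, that the gateway writes one JSON record per line with a `log` field, and that the Safous group table can be modelled as a dict; all IDs and log records in it are constructed.

```python
"""Check Safous App Gateway SAML log entries for Entra ID group claims.

Added example for this article; not Safous or Microsoft code.
Assumptions not stated in the article: the App Gateway writes one JSON
record per line with a "log" field (as in the sample above), the custom
group claim name configured in the Entra ID SAML app is "groups", and
the Safous Groups (IdP) table is modelled as {Group Name: Expected Value}.
All IDs and log records below are constructed, not real.
"""
import json
import re

# Claim name set in the Entra ID SAML app (advanced options) and in Safous.
GROUP_CLAIM = "groups"
# Overage claim Entra ID emits instead of group values (more than 150 groups in SAML).
GROUP_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Safous Accounts > Groups (IdP): Group Name -> Expected Value (Azure group Object ID).
SAFOUS_GROUPS = {
    "VPN-Users": "11111111-2222-3333-4444-555555555555",
    "Admins": "66666666-7777-8888-9999-000000000000",
}

# Matches  "name" = "value"  or  "name" = ["v1" "v2"]  in the gateway message.
_ATTR_RE = re.compile(r'"([^"]+)" = (?:"([^"]*)"|\[([^\]]*)\])')


def parse_saml_attributes(log_line: str) -> dict:
    """Return {claim name: value or [values]} from one App Gateway log record."""
    message = json.loads(log_line)["log"]
    marker = "saml response attributes "
    start = message.find(marker)
    if start < 0:
        return {}
    attrs = {}
    for m in _ATTR_RE.finditer(message[start + len(marker):]):
        if m.group(2) is not None:
            attrs[m.group(1)] = m.group(2)
        else:
            attrs[m.group(1)] = re.findall(r'"([^"]*)"', m.group(3))
    return attrs


def resolve_groups(attrs: dict, safous_groups: dict = SAFOUS_GROUPS) -> dict:
    """Map group Object IDs in the assertion to Safous Group (IdP) names.

    status: "ok"        - group claim present; matched/unmatched list its values
            "overage"   - only groups.link present: Entra ID did not send the
                          groups and Safous does not follow the Graph link,
                          so the user gets no group-based access
            "no_groups" - neither claim present: group claim not configured
    """
    if GROUP_CLAIM not in attrs:
        if GROUP_LINK_CLAIM in attrs:
            return {"status": "overage", "link": attrs[GROUP_LINK_CLAIM],
                    "matched": [], "unmatched": []}
        return {"status": "no_groups", "matched": [], "unmatched": []}
    values = attrs[GROUP_CLAIM]
    if isinstance(values, str):          # a single group may be logged as a scalar
        values = [values]
    by_object_id = {oid: name for name, oid in safous_groups.items()}
    matched = [by_object_id[v] for v in values if v in by_object_id]
    unmatched = [v for v in values if v not in by_object_id]
    return {"status": "ok", "matched": matched, "unmatched": unmatched}


def diagnose(log_line: str) -> dict:
    """Parse one log record and resolve its groups against the Safous table."""
    return resolve_groups(parse_saml_attributes(log_line))


def _record(attribute_text: str) -> str:
    """Build a constructed App Gateway record in the format shown above."""
    return json.dumps({
        "log": "2025/01/24 09:25:45 I [saml_1] parsed and verified saml response attributes "
               + attribute_text + "\n",
        "stream": "stderr",
        "time": "2025-01-24T09:25:45.957796094Z",
    })


TENANT = "00000000-0000-0000-0000-000000000001"   # constructed tenant ID
USER = "00000000-0000-0000-0000-000000000002"     # constructed user object ID

# User with the group claim: one Object ID known to Safous, one not.
SAMPLE_OK = _record(
    f'"http://schemas.microsoft.com/identity/claims/tenantid" = "{TENANT}", '
    f'"{GROUP_CLAIM}" = ["11111111-2222-3333-4444-555555555555" "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"], '
    '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" = "example.user@mail.company"'
)

# Overage user: groups.link instead of group values (more than 150 groups).
SAMPLE_OVERAGE = _record(
    f'"http://schemas.microsoft.com/identity/claims/tenantid" = "{TENANT}", '
    f'"{GROUP_LINK_CLAIM}" = "https://graph.windows.net/{TENANT}/users/{USER}/getMemberObjects", '
    '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" = "example.user@mail.company"'
)

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_OVERAGE):
        print(diagnose(line))
```

Run it against real gateway records by feeding each line to `diagnose()`: a result of `"overage"` on a user who should have access means the assertion carried groups.link and the fix is group filtering in Entra ID, while `"unmatched"` values in an `"ok"` result are group Object IDs that have no Groups (IdP) entry in Safous yet.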
Reference: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#options-for-applications[…]consume-group-information