MS Azure SAML Role Mapping

Hi All

I’m trying to integrate Ignition with MS Azure’s SAML interface and generally have it working but I cannot get the roles to map over. The SAML tokens come back with the group info formatted like so:

<samlp:Response...
    <Assertion ...
        <AttributeStatement>
            ...
            <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
                <AttributeValue>2c812e15-57ad-4463-bcbf-d8f3edcce491</AttributeValue>
            </Attribute>

I came up with the following expression for the role mapping expression:

{mult-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]/saml2:AttributeValue/text()}

But it doesn’t work, I get the following error:

Invalid reference ‘mult-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name=“http://schemas.microsoft.com/ws/2008/06/identity/claims/groups”]/saml2:AttributeValue/text()’ in expression tag ‘null’

I may be missing something obvious, but I can’t figure out what the issue is. Does something jump out at anyone else?

Looks like a simple typo:

Change {mult-attribute-source: to {multi-attribute-source: (the i at the end of multi)

Thanks! This worked, note that the documentation has it without the “i”:

https://docs.inductiveautomation.com/display/DOC81/User+Attribute+Mapping

1 Like

Glad you got it working. I suspected that the typo might be in the docs, and a simple copy-paste error was at play. I notified someone who manages those pages and they will be fixing the typo soon.

I apologize for taking over a thread, but how does all of those 2 i.e saml2p work with this response. Why is it not samlp:response for the first level to the path? I can not get mine to work and I have the same format as the original poster. The samples online had saml2p as the reponse in the sample file.

Thansk.

After a call with Tech support for some reason it is not SAML as the files shows, you have to use SAML2 and SAML2P for all of your calls. This is really confusing and needs to be documented. I wish this was better documented.