MS Azure SAML Role Mapping

Hi All

I’m trying to integrate Ignition with MS Azure’s SAML interface and generally have it working but I cannot get the roles to map over. The SAML tokens come back with the group info formatted like so:

<samlp:Response...
    <Assertion ...
        <AttributeStatement>
            ...
            <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
                <AttributeValue>2c812e15-57ad-4463-bcbf-d8f3edcce491</AttributeValue>
            </Attribute>

I came up with the following expression for the role mapping expression:

{mult-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]/saml2:AttributeValue/text()}

But it doesn’t work, I get the following error:

Invalid reference ‘mult-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name=“http://schemas.microsoft.com/ws/2008/06/identity/claims/groups”]/saml2:AttributeValue/text()’ in expression tag ‘null’

I may be missing something obvious, but I can’t figure out what the issue is. Does something jump out at anyone else?

Looks like a simple typo:

Change {mult-attribute-source: to {multi-attribute-source: (the i at the end of multi)

Thanks! This worked. Note that the documentation has it without the “i”:

https://docs.inductiveautomation.com/display/DOC81/User+Attribute+Mapping


Glad you got it working. I suspected that the typo might be in the docs, and a simple copy-paste error was at play. I notified someone who manages those pages and they will be fixing the typo soon.
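
An added example, not part of the thread or of Ignition's own code: a small offline check of what the corrected path selects from a response, useful for confirming the group values before wiring up role mapping. It assumes the `saml2p` and `saml2` prefixes are bound to the standard SAML 2.0 namespace URIs; the sample response, the second group ID and the role table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the expression's prefixes are bound to the SAML 2.0 namespaces.
# Matching is by namespace URI, so the response may use other prefixes.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample response (second group ID is made up).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <AttributeValue>2c812e15-57ad-4463-bcbf-d8f3edcce491</AttributeValue>
        <AttributeValue>00000000-0000-0000-0000-000000000001</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# Hypothetical mapping from group ID to a role name.
ROLE_BY_GROUP_ID = {"2c812e15-57ad-4463-bcbf-d8f3edcce491": "Operator"}


def group_ids(response_xml):
    """Return every AttributeValue under the groups Attribute, in order."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return []  # not a SAML 2.0 Response element
    path = ("saml2:Assertion/saml2:AttributeStatement/"
            "saml2:Attribute[@Name='%s']/saml2:AttributeValue" % GROUPS_CLAIM)
    values = [(v.text or "").strip() for v in root.findall(path, NS)]
    return [v for v in values if v]


def roles_for(response_xml, role_by_group_id):
    """Map group IDs to roles; report unmapped IDs instead of guessing."""
    ids = group_ids(response_xml)
    roles = sorted({role_by_group_id[g] for g in ids if g in role_by_group_id})
    unmapped = [g for g in ids if g not in role_by_group_id]
    return roles, unmapped


if __name__ == "__main__":
    print(roles_for(SAMPLE_RESPONSE, ROLE_BY_GROUP_ID))
```

This only inspects the attribute values; it does not validate the response signature, so it is for checking the path against a captured response, not for making access decisions.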