MS Azure SAML Role Mapping

Hi All

I’m trying to integrate Ignition with MS Azure’s SAML interface and generally have it working but I cannot get the roles to map over. The SAML tokens come back with the group info formatted like so:

<samlp:Response...
    <Assertion ...
        <AttributeStatement>
            ...
            <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
                <AttributeValue>2c812e15-57ad-4463-bcbf-d8f3edcce491</AttributeValue>
            </Attribute>

I came up with the following expression for the role mapping expression:

{mult-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]/saml2:AttributeValue/text()}

But it doesn’t work, I get the following error:

Invalid reference 'mult-attribute-source:authnResponse:/saml2p:Response/saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]/saml2:AttributeValue/text()' in expression tag 'null'

I may be missing something obvious, but I can’t figure out what the issue is. Does something jump out at anyone else?

Looks like a simple typo:

Change {mult-attribute-source: to {multi-attribute-source: (the i at the end of multi)

Thanks! This worked. Note that the documentation has it without the "i":

https://docs.inductiveautomation.com/display/DOC81/User+Attribute+Mapping


Glad you got it working. I suspected that the typo might be in the docs, and a simple copy-paste error was at play. I notified someone who manages those pages and they will be fixing the typo soon.

I apologize for taking over a thread, but how do all of those 2s, i.e. saml2p, work with this response? Why is it not samlp:response for the first level of the path? I cannot get mine to work, and I have the same format as the original poster. The samples online had saml2p as the response in the sample file.

Thanks.

After a call with tech support: for some reason it is not SAML as the file shows; you have to use SAML2 and SAML2P for all of your calls. This is really confusing and needs to be documented. I wish this was better documented.

Agree on this. The format that you have to use in your call doesn't match the format of the actual response doc. And yet some of the online XPath tools have no problem using the format from the response doc. Confusing as can be. Thankfully I stumbled on this thread.
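The prefix confusion in the last few posts comes down to how XPath namespaces work: a prefix in an XPath expression is a local alias that the evaluating software binds to a namespace URI, and matching is done on the URI, not on the prefix spelled in the document. Azure AD writes the response with `samlp:` and an unprefixed default namespace for the assertion; the thread shows that Ignition's expression evaluator binds `saml2p` and `saml2` to those same URIs, so the expression must use Ignition's aliases. The following added example (not Ignition's or Microsoft's code) demonstrates this with Python's standard-library ElementTree, which implements a subset of XPath: the constructed sample response uses the document's own prefixes, the query uses `saml2p`/`saml2`, and a query written with the document's unprefixed names silently matches nothing. The SAML 2.0 namespace URIs are the standard ones; the second group ID and the group-to-role table are constructed for the demo, and `text()` is replaced by reading `.text` because ElementTree does not support that step.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespace URIs. The prefixes on the left are aliases
# chosen by whoever evaluates the XPath; they only have to match the prefixes
# used in the path below, not the prefixes used in the response document.
SAML_NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample, trimmed to the parts that matter. Like the Azure AD
# response quoted in the thread it uses the "samlp" prefix for the protocol
# namespace and the default (unprefixed) namespace for the assertion.
# The second group ID is made up for the demo.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>00000000-0000-0000-0000-000000000000</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <AttributeValue>2c812e15-57ad-4463-bcbf-d8f3edcce491</AttributeValue>
        <AttributeValue>11111111-2222-3333-4444-555555555555</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>
"""

# Constructed group-object-ID -> application-role table for the demo.
GROUP_TO_ROLE = {
    "2c812e15-57ad-4463-bcbf-d8f3edcce491": "Operator",
}


def extract_groups(response_xml, prefixes=SAML_NS):
    """Return the group object IDs carried in the Azure AD groups claim.

    This is the thread's path written with the saml2p/saml2 aliases and
    resolved through `prefixes`; the root-element check stands in for the
    leading /saml2p:Response step. Attribute extraction like this belongs
    after the response signature has been verified, which Ignition does
    before evaluating the mapping expression.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % prefixes["saml2p"]:
        raise ValueError("document root is not a SAML 2.0 Response")
    path = (
        "saml2:Assertion/saml2:AttributeStatement/"
        "saml2:Attribute[@Name='%s']/saml2:AttributeValue" % GROUPS_CLAIM
    )
    return [el.text.strip() for el in root.findall(path, prefixes) if el.text]


def query_with_document_names(response_xml):
    """The same query written the way it reads off the response document,
    with no prefix and no prefix map. Unprefixed names match only elements
    in no namespace, so this finds nothing even though the elements exist."""
    root = ET.fromstring(response_xml)
    path = "Assertion/AttributeStatement/Attribute[@Name='%s']/AttributeValue" % GROUPS_CLAIM
    return [el.text for el in root.findall(path)]


def map_roles(group_ids, group_to_role):
    """Translate group object IDs into application roles. Group IDs with no
    entry in the table grant nothing, so a user only receives roles the
    mapping explicitly assigns; order of first appearance is preserved."""
    roles = []
    for gid in group_ids:
        role = group_to_role.get(gid.lower())
        if role and role not in roles:
            roles.append(role)
    return roles


if __name__ == "__main__":
    groups = extract_groups(SAMPLE_RESPONSE)
    print("groups:", groups)
    print("roles:", map_roles(groups, GROUP_TO_ROLE))
    print("document-prefix query:", query_with_document_names(SAMPLE_RESPONSE))
    # A prefix the evaluator does not know is a hard error, which is what
    # Ignition's "Invalid reference" complaint in the thread corresponds to.
    try:
        ET.fromstring(SAMPLE_RESPONSE).findall("samlp:Assertion", SAML_NS)
    except SyntaxError as err:
        print("unbound prefix:", err)
```

Running the script prints both group IDs, the single mapped role, an empty list for the document-style query, and the "prefix 'samlp' not found" error for an alias the evaluator was never given. Online XPath testers succeed with the document's prefixes because they read the namespace declarations from the document itself and bind those prefixes for you; Ignition's evaluator binds its own fixed aliases instead.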