Windows Azure Active Directory Group Claims

Group Claims automatically add the user to a group or remove the user from group memberships when the group claim in the SAML token contains a matching group in NetDocuments. Administrators only need to update group memberships in one place.

To configure Group Claims in Azure:

  1. Select Azure Active Directory > App registrations > NetDocuments.
  2. On the NetDocuments page, select View API permissions.
  3. Select Add a permission > Azure Active Directory Graph.
  4. There are two types of permissions, Delegated Permissions and Application Permissions:
  • In Application Permissions, go to Directory and select the Directory.Read.All check box.
  • In Delegated Permissions, go to User and select the User.Read check box.
  5. Make sure that the Add Permissions button is selected.
  6. Select Grant admin consent for Default Directory for the added permissions and confirm your action.
  7. Select Certificates & secrets to create a Client Secret.
  8. Select New client secret.
  9. In the Description, enter a name (for example, NDGroups), choose the Never option for expiration, and select Add.
  10. Hover over the secret value and copy it before you exit, because you will not be able to retrieve it later.
  11. Select Manifest.
  12. In the Manifest, find "groupMembershipClaims", change its value to "SecurityGroup", and then select Save.

To configure Group Claims in NetDocuments:

  1. Sign in to NetDocuments, and in the upper-right corner select your name > Admin.
  2. In the Navigation Pane, select Users & Groups > Configure Advanced Authentication Options.
  3. Go to Step 3.c and paste the secret value copied in Step 10 of the Azure configuration above.
  4. To get the Client ID, go back to App registrations (Step 1 of the Azure configuration above), double-click NetDocuments, hover over the Application (client) ID, and copy it.
  5. Create the groups in NetDocuments and in Azure. In Azure, select Azure Active Directory, go to the Create section, and select Group.

Tip: Add members to the group from your existing users or, as new users are created, assign each new user to the groups.

Azure passes the claim as the group's Object ID instead of the actual group name. If you run a SAML test and inspect the following claim:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">

the <AttributeValue> will be the Object ID of the group.


When a user signs in, the claim adds the user to the corresponding group.
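As an added example (not code from the original article or from NetDocuments), the following shows how a service consuming the SAML token could read the groups claim described above and reconcile a user's memberships. The sample assertion, the GUIDs, and the GROUP_MAP table from Azure Object ID to NetDocuments group name are constructed assumptions; the article does not state how NetDocuments matches the Object ID to a group.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample of the Attribute Azure emits when groupMembershipClaims
# is "SecurityGroup": each AttributeValue is a group Object ID (made-up GUIDs),
# not the group's display name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical admin-maintained mapping: Azure group Object ID -> NetDocuments group.
GROUP_MAP = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "Litigation",
    "11111111-aaaa-4bbb-8ccc-000000000002": "Finance",
    "11111111-aaaa-4bbb-8ccc-000000000003": "HR",
}


def group_object_ids(assertion_xml: str) -> set[str]:
    """Return the Object IDs carried in the groups claim (empty if the claim is absent)."""
    root = ET.fromstring(assertion_xml)
    ids = set()
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text:
                ids.add(value.text.strip())
    return ids


def reconcile(assertion_xml: str, current_groups: set[str]) -> tuple[set[str], set[str]]:
    """Return (to_add, to_remove) for a user's claim-managed NetDocuments groups.

    Groups not in GROUP_MAP (e.g. ones assigned by hand in NetDocuments) are never
    removed; unknown Object IDs in the token are ignored rather than auto-created.
    """
    claimed = {GROUP_MAP[oid] for oid in group_object_ids(assertion_xml) if oid in GROUP_MAP}
    managed = set(GROUP_MAP.values())
    return claimed - current_groups, (current_groups & managed) - claimed
```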
