Group Claims automatically add a user to a group, or remove the user from it, when the group claim in the SAML token contains a group that matches one in NetDocuments. Administrators then only need to maintain group memberships in one place (Azure).
To configure Group Claims in Azure:
1. Select Azure Active Directory > App registrations > NetDocuments.
2. On the NetDocuments page, select View API permissions.
3. Select Add a permission > Azure Active Directory Graph.
4. There are two types of permissions, Delegated Permissions and Application Permissions:
   - Under Application Permissions, go to Directory and select the Directory.Read.All check box.
   - Under Delegated Permissions, go to User and select the User.Read check box.
5. Make sure that the Add Permissions button is selected.
6. Select Grant admin consent for Default Directory for the added permissions and confirm your action.
The end result should look as follows:
7. Select Certificates & secrets to create a Client Secret.
8. Select New client secret.
9. In the Description, enter a name (for example, NDGroups), choose the Never option for expiration, and select Add.
10. Hover over the secret value and copy it before you exit, because you will not be able to retrieve it later.
11. Select Manifest.
12. In the Manifest, find "groupMembershipClaims", change its value to "SecurityGroup", and select Save.
To configure Group Claims in NetDocuments:
1. Sign in to NetDocuments, and in the upper-right corner select your name > Admin.
2. In the Navigation Pane, select Users & Groups > Configure Advanced Authentication Options.
3. Go to Step 3.c and paste the secret value you copied in Step 10 above.
4. To get the Client ID, go back to App registrations (Step 1 in Configure Group Claims in Azure), double-click NetDocuments, hover over the Application (client) ID, and copy it.
5. Create the groups in NetDocuments and in Azure as shown below:
   - In Azure, select Azure Active Directory, go to the Create section, and select Group.
Tip: Add members to the group from your existing users or, as new users are created, assign each new user to the appropriate groups.
Azure passes the group claim as the group's Object ID rather than the group's display name. If you run a SAML test and inspect the group claim in the response, each <AttributeValue> will be the Object ID of a group, not its name.
When a user signs in, the claim adds the user to the corresponding NetDocuments group.
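To illustrate the behavior just described, here is an added example (not NetDocuments' own code) that extracts the group Object IDs from a SAML assertion, rejects any value that is not a GUID (which would indicate the claim is not configured as this guide expects), and computes the membership additions and removals for a user. It assumes the standard Azure AD groups claim URI and a hypothetical Object ID to NetDocuments group mapping; the assertion is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Assumed: the claim URI Azure AD uses for group claims in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample: an AttributeStatement carrying two group Object IDs.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def group_ids_from_assertion(xml_text):
    """Return the group Object IDs carried in the groups claim (lowercased)."""
    root = ET.fromstring(xml_text)
    ids = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if not GUID_RE.match(text):
                # Azure sends Object IDs, never display names; anything else
                # means groupMembershipClaims is not set the way this guide expects.
                raise ValueError("unexpected group claim value: %r" % text)
            ids.append(text.lower())
    return ids


def membership_changes(claim_ids, id_to_group, current_groups):
    """Groups to add and remove so the user's memberships mirror the claim.
    Only groups with a configured mapping are managed; others are left alone."""
    managed = set(id_to_group.values())
    desired = {id_to_group[i] for i in claim_ids if i in id_to_group}
    add = sorted(desired - set(current_groups))
    remove = sorted((set(current_groups) & managed) - desired)
    return add, remove
```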