Question on group claim for SSO into AWS

GJoe 21 Reputation points
2020-09-27T00:29:10.97+00:00

Hi Forum, I have an Enterprise application for SSO into AWS. For the app integration, I need the names of the groups that the user is a member of. For that I created a "Group Claim" by following https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims, but the SAML response I receive contains the Group ID instead of the group name. For example, I get "a26049e6-448d-43ea-b3e5-b59c242e07d6" in the SAML response instead of the group name "dbrw". Can you please give me some idea of how I can achieve that? Thanks.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-09-29T05:13:35.587+00:00

    Hello @GJoe. As of now, we only support the onPremisesSamAccountName attribute to pass the group name in the groups claim. Since we don't have a sAMAccountName attribute for Azure AD (cloud-only) groups, only the object ID can be passed for those groups in the token. This is mentioned in the first two bullet points and the note under this section of the document you referred to. You may post an idea regarding this feature at our Feedback Portal, which is monitored by the product team. Kindly share the link to your feedback in this thread as well.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-09-28T07:45:37.533+00:00

    Hi @GJoe, could you please confirm whether the sAMAccountName attribute of the group is synced to Azure AD as onPremisesSamAccountName, by using Graph Explorer with the GET call below:
    https://graph.microsoft.com/beta/groups/Object_ID_of_Group

    Also make sure the group claims condition is satisfied. For example, if you have set "groupMembershipClaims": "SecurityGroup", make sure the group type is SecurityGroup. If you want to pass groups other than security groups in the token, make sure you select "All".

    1 person found this answer helpful.
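The following Python script is an added example, not code from this thread or from Microsoft. It models what the two answers describe: it pulls the values of the groups claim out of a SAML assertion, tells object IDs from sAMAccountName values, predicts from Graph-style group records and an app-manifest fragment which groups will reach the token and in which form (cloud-only groups only ever as object IDs, synced groups as sAMAccountName when the manifest's `sam_account_name` additional property from the linked document is set, and non-security groups only when `groupMembershipClaims` is `"All"`), and finally shows the relying-party side mapping the received values to roles. The SAML assertion, manifest fragment, group records and role map are constructed inline; every GUID other than the one quoted in the question is a synthetic placeholder, as is the AWS account number in the role ARNs. The assertion carries no signature and the script does not validate one, which a real relying party must do before reading any attribute.

```python
import re
import xml.etree.ElementTree as ET

# Namespace and the default groups-claim URI found in Entra ID / Azure AD SAML tokens.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample assertion (no Signature element; a real relying party must
# verify the signature before reading attributes). The first value is the
# object ID from the question; the second is a hypothetical synced group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2020-09-27T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>a26049e6-448d-43ea-b3e5-b59c242e07d6</saml:AttributeValue>
      <saml:AttributeValue>aws-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed manifest fragment: emit only security groups, as sAMAccountName
# where the group was synced from on-premises AD ("sam_account_name" is the
# additionalProperties value from the linked group-claims document).
SAMPLE_MANIFEST = {
    "groupMembershipClaims": "SecurityGroup",
    "optionalClaims": {
        "saml2Token": [
            {"name": "groups", "additionalProperties": ["sam_account_name"]}
        ]
    },
}

# Constructed Graph-style group records, trimmed to the fields that matter here.
# IDs other than the one from the question are synthetic placeholders.
SAMPLE_GROUPS = [
    {"id": "a26049e6-448d-43ea-b3e5-b59c242e07d6", "displayName": "dbrw",
     "securityEnabled": True, "onPremisesSamAccountName": None},          # cloud-only
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "AWS Admins",
     "securityEnabled": True, "onPremisesSamAccountName": "aws-admins"},  # synced
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Sales",
     "securityEnabled": False, "onPremisesSamAccountName": None},         # M365 group
]


def extract_group_values(assertion_xml):
    """Return the values of the groups claim, in order, from a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == GROUPS_CLAIM:
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((val.text or "").strip())
    return values


def classify_group_value(value):
    """Object IDs are GUIDs; anything else is a sAMAccountName-style name."""
    return "objectId" if GUID_RE.match(value) else "samAccountName"


def predict_groups_claim(manifest, groups):
    """Model the thread's rules: which groups reach the token and in what form.

    Returns {object ID: emitted value}. Cloud-only groups always come out as
    their object ID; synced groups come out as sAMAccountName only when the
    manifest asks for it. Only "None", "SecurityGroup" and "All" are modelled.
    """
    mode = manifest.get("groupMembershipClaims") or "None"
    if mode not in ("None", "SecurityGroup", "All"):
        raise ValueError("groupMembershipClaims value not modelled: %r" % mode)
    extra = set()
    for claim in manifest.get("optionalClaims", {}).get("saml2Token", []):
        if claim.get("name") == "groups":
            extra.update(claim.get("additionalProperties", []))
    emitted = {}
    for group in groups:
        if mode == "None":
            break
        if mode == "SecurityGroup" and not group.get("securityEnabled"):
            continue  # M365/distribution groups need "All" to be included
        sam = group.get("onPremisesSamAccountName")
        emitted[group["id"]] = sam if ("sam_account_name" in extra and sam) else group["id"]
    return emitted


def map_claim_to_roles(claim_values, role_map):
    """Relying-party side: resolve received group values to roles.

    Keying the map by object ID for cloud-only groups is the robust choice:
    object IDs are unique and immutable, whereas display names are neither.
    """
    roles = set()
    for value in claim_values:
        roles.update(role_map.get(value, ()))
    return sorted(roles)


if __name__ == "__main__":
    # Constructed role map; the account number in the ARNs is a placeholder.
    role_map = {
        "a26049e6-448d-43ea-b3e5-b59c242e07d6": ["arn:aws:iam::000000000000:role/DbReadWrite"],
        "aws-admins": ["arn:aws:iam::000000000000:role/Admin"],
    }
    received = extract_group_values(SAMPLE_ASSERTION)
    for value in received:
        print(value, "->", classify_group_value(value))
    print("predicted claim:", predict_groups_claim(SAMPLE_MANIFEST, SAMPLE_GROUPS))
    print("roles:", map_claim_to_roles(received, role_map))
```

Running the script shows the situation from the question: the cloud-only group "dbrw" is predicted (and received) as its object ID, while the synced group arrives as its sAMAccountName. For the AWS role mapping this is workable as long as the mapping is keyed by the object ID for cloud-only groups; switching the manifest to `"All"` only widens which groups are included, it does not change the form in which cloud-only groups are emitted.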