ADFS/SAML Groups in App policies

I have ADFS configured and working fine with Zero Trust.

In Firewall Policies, I can select

Selector: SAML Attributes
Operator: is
Value: http://schemas.xmlsoap.org/claims/Group
domain\\securityGroup

And it works fine.

But for application policies, I can’t seem to get it to work.
Selector: there is no SAML Attributes selector, so I have to use SAML Groups
Attribute Name: http://schemas.xmlsoap.org/claims/Group (also tried just Group)
Attribute Value: domain\\securityGroup (tried quotes, single slash, double and quad slash)

and that doesn’t work.

Here is the claim returned by ADFS:

{
  "email": "[email protected]",
  "name": "LastName, FirstName",
  "givenName": "FirstName",
  "surName": "LastName",
  "saml_attributes": {
    "emailaddress": "",
    "http://schemas.xmlsoap.org/claims/Group": [
      "domain\\Domain Users",
      "domain\\SecurityGroup1",
      "domain\\SecurityGroup2",
      "domain\\SecurityGroup3"
    ],
    "department": "UsersDepartment",
    "surname": "",
    "givenname": "",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Max",
    "role": ""
  },
  "headers": {}
}

Any ideas?

Got it. It seems that Cloudflare doesn't like special characters anywhere here. I used ADFS to rewrite the outbound token as Groups instead of Group, as it wouldn't have an XML schema associated with it.
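The fix above, as an added example that is not part of the original thread: an ADFS issuance transform rule that re-emits the group claims under the plain claim type "Groups" (no schema URI), which is the claim type the application policy then matches on. It assumes the Cloudflare relying party trust in ADFS is named "Cloudflare Access" (a hypothetical name; substitute yours) and that it is run on an ADFS server by an ADFS administrator. The optional second rule, which pulls domain-qualified group names straight from Active Directory, is also an assumption about how you might prefer to source the groups rather than something the poster described.

```powershell
# Added example, not from the original thread. Appends an issuance transform rule
# to the Cloudflare relying party trust so group membership is issued under the
# plain claim type "Groups" instead of http://schemas.xmlsoap.org/claims/Group.
Import-Module ADFS

$rpName    = "Cloudflare Access"   # assumed relying party trust name; change to yours
$pullFromAd = $false               # $true: query AD directly instead of re-typing the existing claim

# Option A (what the poster did): pass every existing Group claim through under "Groups".
$passThroughRule = @'
@RuleName = "Groups for Cloudflare Access (no schema URI)"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = "Groups", Value = c.Value, ValueType = c.ValueType);
'@

# Option B (assumed alternative): read domain-qualified group names (DOMAIN\GroupName)
# from the Active Directory attribute store and issue them as "Groups".
$fromAdRule = @'
@RuleName = "Groups from AD (domain-qualified) for Cloudflare Access"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Groups"), query = ";tokenGroups(domainQualifiedName);{0}", param = c.Value);
'@

$newRule = if ($pullFromAd) { $fromAdRule } else { $passThroughRule }

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Append to the existing rule set; replacing it would drop the email/name claims
# Cloudflare Access already relies on.
$rules = ($rp.IssuanceTransformRules, $newRule) -join "`r`n"
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Show the resulting rule set so the new rule can be checked before testing a login.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After the rule is in place, the application policy uses the SAML Groups selector with attribute name Groups and the value exactly as it appears in the claim (for example domain\SecurityGroup1); re-authenticating and inspecting the identity shown by Zero Trust confirms that the "Groups" attribute now carries the list.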
