Cannot get SAML group membership to work

sshami · December 14, 2020, 6:24am

I am trying to get the group membership feature in Cloudflare Teams Access policies for Self Hosted applications.

I have successfully setup a SAML auth account using JumpCloud. When tested, I get the following results:

  "email": "[email protected]",
  "name": "My Name",
  "givenName": "",
  "surName": "",
  "custom": {
    "email": "[email protected]"
  },
  "headers": {
    "memberOf": "[\"Team 1\",\"team_2\"]"
  }
}```

To create an access policy, I choose *SAML Groups* as the *Include* rule. From there I put `memberOf` as the *Attribute name* and `team_2` as the *Attribute value*. This does not make the app appear in the App Launcher. I have tried combinations for *Attribute name* of `headers.memberOf` and various combinations of *Attribute value*. No matter what I put it, the app does not appear.

As soon as I put the email ending in `@domain.com` the app will appear.

What am I doing wrong?

cscharff · January 6, 2021, 9:09am

The app launcher doesn’t do real-time evaluation of policies to determine what to display to a user. Does the Access policy work with group membership?

tarvi · January 7, 2021, 4:07am

memberOf must be in custom not in headers. I was able to get it working with OneLogin SAML. Test result is something like this:

{
  "email": "[email protected]",
  "name": "My Name",
  "givenName": "",
  "surName": "",
  "custom": {
    "roles": [
      "foo",
      "bar"
    ]
  },
  "headers": {}
}

And then I can use roles as Attribute name and foo for value if I want to allow users with foo role.

sshami · January 7, 2021, 4:07am

Thanks for the info @tarvi.
I added memberOf into the SAML attributes in the SAML application config in CloudFlare.
When I did that, the test result was:

{
 "email": "[email protected]",
  "name": "My Name",
  "givenName": "",
  "surName": "",
  "custom": {
    "email": "[email protected]",
    "memberOf": "[\"Team 1\",\"team_2\"]"
  },
  "headers": {
    "memberOf": "[\"Team 1\",\"team_2\"]"
  }
}

That was sufficient for the SAML Group feature to function as you noted.

system · January 8, 2021, 4:07am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.