Contrast can automatically add users to groups when logging in via SSO. This article outlines the steps required to configure ADFS to pass group information to Contrast.
Prerequisites
In order for this to work, you must:
- Configure SSO login
- Enable the Add users to their Contrast groups upon SSO login option, as detailed here
- Create groups in Contrast with identical names to groups from your SSO IDP
- Configure your IDP to pass group information when users log in to Contrast via SSO
Process
- On your ADFS server, open the AD FS Management tool:
- In the left pane, select Relying Party Trusts
- Select the entry created to allow SSO to your Contrast instance
- Press Edit Claim Issuance Policy... in the right pane
We'll now need to create 3 custom rules in the following order:
- Rule 1
Rule Name: Store DN
Description: Stores the user DN for use in subsequent rules.
Custom Rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDN"), query = ";distinguishedName;{0}", param = c.Value);
- Rule 2
Rule Name: Get Groups
Description: Retrieves the groups the user is a member of (the 1.2.840.113556.1.4.1941 matching rule in the LDAP filter also resolves nested group membership).
Custom Rule:
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
&& c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDN"]
=> add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);
- Rule 3
Rule Name: Contrast Groups
Description: Emits a contrast_groups attribute value for each group into the SAML assertion.
Custom Rule:
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
=> issue(Type = "contrast_groups", Value = c.Value);
For each of these, please follow the steps:
- Press Add Rule...
- Select Send Claims Using a Custom Rule
- Enter the rule name and the custom rule text exactly as shown above
- Press Finish
Once finished, the Claim Issuance Policy should look as follows:
(Rule 4 in this screenshot is a rule to map the user's email address and optionally first/surname attributes, as described here; it may appear above or below the 3 rules required to add users to groups)
Exposing only some groups
Rule 3 defined above will cause a group element to be emitted for every group the user is a member of. If you would rather restrict the groups that are emitted, you can do so with a regular expression on the claim value. For example, the following custom rule would emit only groups with a name beginning with "Contrast" (the ^ anchor restricts the match to the start of the name and (?i) makes it case-insensitive; without the anchor, any group whose name merely contains "Contrast" would also be emitted):
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^Contrast"]
=> issue(Type = "contrast_groups", Value = c.Value);
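To confirm that the claim rules above produce what Contrast expects, it helps to decode a SAML assertion captured during an SSO login and compare the contrast_groups values it carries against the group names configured in Contrast. The following Python script is an added example, not part of this article or of Contrast's own tooling; the assertion and the Contrast group names it uses are constructed for illustration, and the case-mismatch check is a heuristic based on the requirement that names be identical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the AttributeStatement of a decoded SAML assertion, in the
# shape ADFS emits after the three claim rules have run. Group names are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="contrast_groups">
      <saml:AttributeValue>Contrast-Developers</saml:AttributeValue>
      <saml:AttributeValue>Contrast-Admins</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_groups(assertion_xml, attribute_name="contrast_groups"):
    """Return every AttributeValue of the named SAML attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text:
                groups.append(value.text.strip())
    return groups


def check_group_mapping(emitted, contrast_groups):
    """Sort emitted group names into: exact matches with a Contrast group, names that
    differ from a Contrast group only by case (a likely misconfiguration, since the
    names must be identical), and names with no Contrast counterpart at all."""
    by_lower = {g.lower(): g for g in contrast_groups}
    result = {"matched": [], "case_mismatch": [], "unmatched": []}
    for name in emitted:
        if name in contrast_groups:
            result["matched"].append(name)
        elif name.lower() in by_lower:
            result["case_mismatch"].append((name, by_lower[name.lower()]))
        else:
            result["unmatched"].append(name)
    return result


if __name__ == "__main__":
    # Constructed list of groups configured in Contrast (one deliberately differs in case).
    report = check_group_mapping(extract_groups(SAMPLE_ASSERTION), {"Contrast-Developers", "contrast-admins"})
    for category, names in report.items():
        print(f"{category}: {names}")
```

Groups listed under "unmatched" are harmless (Contrast simply ignores them), but anything under "case_mismatch" means the user will not be added to the intended Contrast group.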