Integrations & Plugins articles:

  See more

Configuring ADFS to automatically add users to groups

Avatar
Josh Anderson
  • Updated
License Type SaaS & On-Premise
Agent Mode N/A
Main Product Category    Administration 
Sub Category SSO Authentication

Contrast can automatically add users to groups when logging in via SSO. This article outlines the steps required to configure ADFS to pass group information to Contrast.

Prerequisites

In order for this to work, you must:

  1. Configure SSO login
  2. Enable the Add users to their Contrast groups upon SSO login option, as detailed here
  3. Create groups in Contrast with identical names to groups from your SSO IDP
  4. Configure your IDP to pass group information when users login to Contrast via SSO

Process

  1. On your ADFS server, open the AD FS Management tool:
  2. In the left pane, select Relying Party Trusts
  3. Select the entry created to allow SSO to your Contrast instance
  4. Press Edit Claim Issuance Policy... in the right pane

    Screenshot of the AD FS Management console, highlighting steps necessary to edit the claim issuance policy

We'll now need to create 3 custom rules in the following order:

Order Rule Name Custom Rule Description
1 Store DN 
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDN"), query = ";distinguishedName;{0}", param = c.Value);
 Stores the user DN for use in subsequent rules.
2 Get Groups 
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDN"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={1});samaccountname;{0}", param = c1.Value, param = c2.Value);
 Retrieves groups the user is a member of.
3 Contrast Groups 
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(Type = "contrast_groups", Value = c.Value);
 Emits a contrast_group element for each group into the SAML assertion.

For each of these, please follow the steps:

  1. Press Add Rule...
  2. Select Send Claims Using a Custom Rule
  3. Enter the rule name and Custom rule
  4. Press Finish

Once finished, the Claim Issuance Policy should look as follows:

Screenshot of the AD FS Edit Claim Issuance Policy for Contrast panel after adding the custom rules

(Rule 4 in this screenshot is a rule to map the user's email address and optionally first/surname attributes, as described here; it may appear above or below the 3 rules required to add users to groups)

Exposing only some groups

Rule 3 defined above will cause a group element to be emitted for every group the user is a member of. If you would rather restrict the groups that are emitted, you can do so. For example, the following custom rule would emit only groups with a name beginning with "Contrast":

c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)Contrast"]
 => issue(Type = "contrast_groups", Value = c.Value);
Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles