03-28-2024 01:19 PM
We are looking at moving to SSO but need to be able to include all the groups a user is a member of. Is it possible to pull this from AD and include it in SAML claims?
Ideally we would want to manage this in a single place (AD) so if we added a new group we wouldn't want to have to update Duo to pass it to an application.
Is this possible?
04-02-2024 09:32 AM - edited 04-02-2024 09:32 AM
While the other response that mentions directory sync doesn't appear initially relevant for IdP attributes passed to the SAML SP, there is a use case involving sync that I'll elaborate on in a bit.
The easy way, I think, is to specify `memberof` as a mapped attribute for a generic SAML application. I believe that would put the value of that constructed AD attribute into the SAML response (as a list of group DNs, just like when you view that attribute directly in AD). You could use the format_ad_groups attribute transformation rule to strip away the DNs and just leave the group name(s).
The other use case where Active Directory sync gains relevancy is that if you do sync your AD users and the groups they're in into Duo, you can then use the groups you have synced as role attribute groups. The catch with these is that they have to exist in Duo; you can't select the groups directly from AD if you haven't synced them over first.
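As an added example (not part of this thread or Duo's own code), the following shows what an SP-side consumer of the `memberof` mapping described above has to do: read the attribute values out of a SAML AttributeStatement and reduce each group DN to its CN, honouring RFC 4514 backslash escapes so a group named "Sales, EMEA" is not split in two. The assertion fragment and group names are constructed, and `within_ou` is a hypothetical filter for the "all groups from a certain OU" case.

```python
from xml.etree import ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the AttributeStatement an SP would receive when the IdP
# passes AD's memberOf attribute through unchanged (one group DN per value).
# Note: memberOf only lists direct memberships; the user's primary group and
# nested (transitive) groups are not included, so the SP cannot rely on it
# for those cases.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberof">
    <saml:AttributeValue>CN=App-Admins,OU=AppGroups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=Sales\\, EMEA,OU=AppGroups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=Helpdesk,CN=Users,DC=example,DC=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def memberof_values(attribute_statement_xml):
    """Return the AttributeValue strings of the 'memberof' attribute."""
    root = ET.fromstring(attribute_statement_xml.strip())
    ns = {"saml": SAML2_ASSERTION_NS}
    values = []
    for attr in root.findall("saml:Attribute", ns):
        if attr.get("Name", "").lower() == "memberof":
            values.extend(v.text or "" for v in attr.findall("saml:AttributeValue", ns))
    return values


def split_dn(dn):
    """Split a DN into its RDN strings, treating '\\,' as a literal comma.
    (Only single-character backslash escapes are handled here.)"""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def group_names_from_dns(dns, within_ou=None):
    """Map each group DN to its CN; with within_ou set, keep only groups whose
    nearest OU matches it (hypothetical filter for 'groups from a certain OU')."""
    names = []
    for dn in dns:
        pairs = [r.split("=", 1) for r in split_dn(dn)]
        pairs = [(k.strip().upper(), v) for k, v in pairs if len((k, v)) == 2] if all(len(p) == 2 for p in pairs) else []
        if not pairs or pairs[0][0] != "CN":
            continue  # malformed or not a CN-led DN: skip rather than guess
        if within_ou is not None:
            ous = [v for k, v in pairs[1:] if k == "OU"]
            if not ous or ous[0].casefold() != within_ou.casefold():
                continue
        names.append(pairs[0][1])
    return names
```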
03-28-2024 04:16 PM
As far as I remember, you can sync up to 400 groups in Duo. There is another way of syncing everything or syncing custom attributes here.
This FAQ might help answer many of your doubts.
If you elaborate your use case, I might be able to help you better.
If you find this useful, please mark it helpful and accept the solution.
03-29-2024 12:34 AM - edited 03-29-2024 12:47 AM
I currently have directory sync set up, but as far as I can see you have to manually select each group you want synced. I want to use Duo as authentication for all our applications, so I need all the groups from a certain OU passed through by default, or even all the AD groups a user is a member of. We frequently add new groups in AD and don't want the overhead of having to manage them in Duo as well.
04-03-2024 09:17 AM
Thanks, this works great using memberof to pull all the AD groups.