https://community.dynatrace.com/t5/Cloud-platforms/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/m-p/127386#M1485 <P>According to this part of documentation:</P><P><IMG src="https://community.dynatrace.com/legacyfs/online/23659-1582188659550.png" /></P><P>this will not work. <A rel="noopener noreferrer noopener noreferrer noopener noreferrer noopener noreferrer" href="https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and-groups-with-saml/saml-azure/" target="_blank">https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and-groups-with-saml/saml-azure/</A> You're limited to 150 groups.</P><P>Sebastian</P> Thu, 20 Feb 2020 08:51:24 GMT skrystosik 2020-02-20T08:51:24Z https://community.dynatrace.com/t5/Cloud-platforms/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/m-p/127385#M1484 <P>Microsoft Azure returns the group claim in the SAML using an attribute</P> <P data-unlink="true">http://schemas.microsoft.com/claims/groups.link&nbsp;</P> <P>This happens when the number of groups is very high.</P> <P>Can Dynatrace handle this scenario.</P> <P><STRONG>Eg (with groups.link): - Unable to do SSO with Dyantrace SAAS</STRONG></P> <P data-unlink="true">&lt;Attribute Name="http://schemas.microsoft.com/claims/groups.link"&gt;</P> <P>&lt;AttributeValue&gt;</P> <P data-unlink="true">https://graph.windows.net/48d6943f-580e-40b1-a0e1-c07fa3707873/users/ba9b7081-e2a8-4427-9cdc-92afd7099833/getMemberObjects&nbsp;</P> <P>&lt;/AttributeValue&gt;</P> <P>&lt;/Attribute&gt;</P> <P data-unlink="true">I am able to successfully do SSO when the groups are returned as in <STRONG>identity/claims/groups, </STRONG>but not in the above scenario</P> <P><STRONG>Eg (with /claims/groups list) - This works for me</STRONG></P> <P style="margin: 0cm 0cm 0.0001pt; font-size: 15px; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px; text-decoration: none; background-color: #ffffff;" data-unlink="true">&lt;AttributeName="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups&nbsp;"&gt;<BR />&lt;AttributeValue&gt;a8c55d9b-fdc6-4fe3-9d56-af0f87419f2c&lt;/AttributeValue&gt;<BR />&lt;AttributeValue&gt;4604c7b6-57ca-4aa8-9a0b-235f4c9a3651&lt;/AttributeValue&gt;<BR />&lt;AttributeValue&gt;aa312f9f-c0ab-4e65-9bbb-07503792bdd8&lt;/AttributeValue&gt;</P> <P style="margin: 0cm 0cm 0.0001pt; font-size: 15px; font-family: Calibri, sans-serif; color: #000000; font-style: normal; font-weight: normal; text-align: start; text-indent: 0px; text-decoration: none;">&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 15 Jan 2024 14:40:28 GMT https://community.dynatrace.com/t5/Cloud-platforms/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/m-p/127385#M1484 ashish_jamthe1 2024-01-15T14:40:28Z https://community.dynatrace.com/t5/Cloud-platforms/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/m-p/127386#M1485 <P>According to this part of documentation:</P><P><IMG src="https://community.dynatrace.com/legacyfs/online/23659-1582188659550.png" /></P><P>this will not work. <A rel="noopener noreferrer noopener noreferrer noopener noreferrer noopener noreferrer" href="https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and-groups-with-saml/saml-azure/" target="_blank">https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and-groups-with-saml/saml-azure/</A> You're limited to 150 groups.</P><P>Sebastian</P> Thu, 20 Feb 2020 08:51:24 GMT https://community.dynatrace.com/t5/Cloud-platforms/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/m-p/127386#M1485 skrystosik 2020-02-20T08:51:24Z https://community.dynatrace.com/t5/Cloud-platforms/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/m-p/127387#M1486 <P>Thanks <A rel="user" href="https://answers.dynatrace.com/users/15061/view.html" nodeid="15061">@Sebastian K.</A></P><P>From talking to Dynatrace, I think we have following two solution options. I am yet to try either of them, will share progress with the community.</P><OL><LI><STRONG>Configure Azure AD to send only security groups.</STRONG></LI></OL><P> <A href="https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and-groups-with-saml/saml-azure/#expand-369example-add-group-attribute-to-saml">https://www.dynatrace.com/support/help/how-to-use-dynatrace/user-management-and-sso/manage-users-and-groups-with-saml/saml-azure/#expand-369example-add-group-attribute-to-saml</A></P><P>2. <STRONG>Use application roles rather than groups.</STRONG></P><P>This limits the amount of information that needs to go into the token, is more secure, and separates user assignment from app configuration.<BR /></P><P> <A rel="nofollow noopener noreferrer noopener noreferrer" href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#options-for-applications-to-consume-group-information" target="_blank">https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#options-for-applications-to-consume-group-information</A></P><P>Change the Security group claim attribute. Something like this:</P><P>Before: <A rel="nofollow noopener noreferrer noopener noreferrer" href="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" target="_blank">http://schemas.microsoft.com/ws/2008/06/identity/claims/groups</A><BR />After: <A rel="nofollow noopener noreferrer noopener noreferrer" href="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" target="_blank">http://schemas.microsoft.com/ws/2008/06/identity/claims/role</A></P> Fri, 21 Feb 2020 00:33:09 GMT https://community.dynatrace.com/t5/Cloud-platforms/Dynatrace-SAAS-SSO-with-Microsoft-Azure-using-claims-groups-link/m-p/127387#M1486 ashish_jamthe1 2020-02-21T00:33:09Z