17 Apr 2018 04:18 AM - last edited on 13 Apr 2023 02:02 AM by Karolina_Linda
How to pass multiple user group names inside SAML 2.0 response attribute?
Could not find inside this documentation:
Just configure your IdP to return multiple groups for a user in a SAML 2.0 response. Then set up the groups attribute in the configuration screen:
and it should work. More in our help page:
If that does not answer your question, please provide more details.
Thanks Radoslaw, but that did not answer my question, which was probably not well formatted, but I just figured it out by testing.
The answer I was looking for:
You can pass multiple group names inside one attribute value (User group attribute) by separating them with a comma (,).
For example: Group name 1,Group name 2,Group name 3
And of course group names should match exactly (case sensitive, no extra spacing) with Dynatrace User Group names.
And please, add this information to your documentation:
I second that. Please update documentation to explain how it accepts multiple groups.
I’ll follow up with the team and we will improve that. Thanks!
Let me add this info here because I had a rough time configuring the group attribute, and my discovery wasn't documented:
I did create the Dynatrace groups with the exact same name as my Active Directory groups, and it was still not working (using ADFS for the SSO).
In fact the name of the "user group attribute" in the SAML response was not "gr" nor "group" (as I configured it in ADFS), but it was "http://schemas.xmlsoap.org/claims/group" (yes, the whole URL).
So I don't know who is responsible for this behavior, if it's Dynatrace or Microsoft, but at least now it works 🙂
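A way to check both points from this thread (the attribute name the IdP actually sends, and whether each comma-separated group matches exactly), as an added example that is not from any poster or from Dynatrace. It assumes you have the decoded assertion XML from your own IdP; the sample assertion and expected group names are constructed, and the script inspects attributes only, without validating signatures.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an attribute statement using the full claim URI as Name.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/group">
      <saml:AttributeValue>Group name 1,group name 2, Group name 3</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def attribute_names(assertion_xml):
    """Return every Attribute Name in the assertion, exactly as sent."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)]

def group_values(assertion_xml, attr_name):
    """Split the values of the named attribute on commas, without trimming."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attr_name:  # exact, case-sensitive name match
            continue
        # Assumption: if the IdP sends several AttributeValue elements, list them all.
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            groups.extend((value.text or "").split(","))
    return groups

def check_groups(assertion_xml, attr_name, expected_groups):
    """Classify each sent group: exact match, near miss (case/spacing), or unknown."""
    normalized = {g.strip().casefold(): g for g in expected_groups}
    report = {"matched": [], "near_miss": [], "unknown": []}
    for sent in group_values(assertion_xml, attr_name):
        if sent in expected_groups:
            report["matched"].append(sent)
        elif sent.strip().casefold() in normalized:
            report["near_miss"].append((sent, normalized[sent.strip().casefold()]))
        else:
            report["unknown"].append(sent)
    return report

if __name__ == "__main__":
    print(attribute_names(SAMPLE_ASSERTION))
    print(check_groups(SAMPLE_ASSERTION, "http://schemas.xmlsoap.org/claims/group",
                       ["Group name 1", "Group name 2", "Group name 3"]))
```

Entries under near_miss are groups that differ from a configured name only by case or surrounding spaces, which is the mismatch described earlier in the thread.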
Where did you actually specify the URL, "http://schemas.xmlsoap.org/claims/group"?