Please note: We are currently migrating this process to use Azure AD applications via OAuth2/OpenID instead of SAML. Please do not use this guide without contacting support.
The purpose of this article is to enable access and management of permission to SWOOP using your directory groups (eg Azure AD Groups) instead of the inbuilt functionality in SWOOP's admin section.
Note: Currently only Azure SAML is supported. Please contact support with a dump of your SAML response (see 'Diagnostics' below) if you can.
This facility allows user roles to be associated with groups. The groups that are involved must be provided in the SAML response.
Activating Role Assignment
1. Define a mapping between the groups and the permissions they will have. The set of permissions available is as follows:

Identifier | Permission |
Administrator | All permissions as well as administrator permissions |
Benchmarking | Access to benchmarking function |
Sentiment Analysis | Access to Sentiment Analysis |
Expand Influential People | Access to Expand Influential People |

In order to configure the groups we need a mapping of the group identifier returned by SAML to the roles they will invoke, for example:

Group* | Permissions |
GlobalSWOOPUsersPermission | ExpandInfluentialPeople |
GlobalSWOOPAdminPermission | Administrator |
GlobalSWOOPBenchmarkingPermission | Benchmarking, ExpandInfluentialPeople |

Note*: The group name may be a system identifier. See SAML platform notes below.

2. Configure the SAML application to return the groups and, if possible, provide a dump (see 'Diagnostics').
3. Send the group mapping (from 1) and the dump (from 2) to https://support.swoopanalytics.com/hc/en-us/requests/new.
Tips for setting up groups in Azure
This section assumes a working knowledge of the Azure Portal. Please contact support if you need us to walk you through it.
Please note: The configuration below has been tested by SWOOP. If you are having issues please ensure that you have followed all the recommendations before contacting support.
The Azure application for SAML needs to be configured as follows:
- The groups claim needs to be enabled in the 'App Registration' section of 'Azure Active Directory'. Selecting "Groups assigned to the application" is required as Azure does not support more than 150 groups using SAML.
- Turn on 'User assignment required' (not selecting this makes it unclear during fault analysis) in the 'Enterprise application' section of 'Azure Active Directory'.
- Assign the groups to the application in the 'Enterprise application' section of 'Azure Active Directory'. Please click on the groups and record the 'Object Id' for each group you have added (required for the group-to-role mapping, point 1 in 'Activating Role Assignment' above).
Diagnostics
The following tools can be used to provide a sample of the SAML response back to SWOOP. In all cases, you need to set up the tool before executing the SAML request in the browser.
In the cases below there should not be anything security sensitive in the response as SAML is generally not required to send back a token. Please delete any tokens if for some reason they are configured in the SAML response.
Browser | Tool | Tip |
Firefox | https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/ | Click on the icon in the toolbar. Find the request with method 'POST' and copy and paste the XML content under 'SAML'. |
Chrome | https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace | Open the Chrome debugger (right click 'Inspect Element' works) and click on SAML. Find the request with method 'POST' and copy and paste the XML content under 'SAML'. |
ALL | | It is possible to diagnose issues without installing the tools above. The SAML response can be decoded as follows: You can send the XML or the value of SAMLResponse to SWOOP support. |
Below is an example SAML response:
<samlp:Response
Destination="https://swoopwp-localhost.swoopanalytics.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
ID="_1932ae25-d93a-4169-9a2b-5f4de0513713"
InResponseTo="_cc700724c81028348170c221c50bb5653cabbef5d0" IssueInstant="2021-01-12T23:23:17.047Z"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/c5870e0f-a946-4008-9f5c-94875cba8b2e/</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_aa8d5817-2b6b-48d8-b3af-ac36a0130500" IssueInstant="2021-01-12T23:23:17.032Z"
Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/c5870e0f-a946-4008-9f5c-94875cba8b2e/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_aa8d5817-2b6b-48d8-b3af-ac36a0130500">
<Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>hAyyivXszrnMKXO8/Un78rYn0nr/pe8Lm/SFXfzqde4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>EbGcmtOGielUpC2n1rl4Jt1ZnhCgelKWLgtDroQHDmCY5kASlABrIJG/I6DNSSl50VzpSHD+SR+LysjrdgD0iODq8Jud0/pcE77LeyMVBTbONplHmGEa7Jwtf31xuXOUnCDdROiDur4szNn1mFvg6yl5HAV07l4fyQnKgy32n72SxL1qBCcjEksJodrCGx39xs2T1bVVz+hbR8CHEbw73xJsK435RR/pBpe54UNMIEKp8x3qjWt9qmqAkcBXIsURiPZQhi15pIJhN5/T8aePRBkaf8B64Jw22xOGGPZB0g3EolIhuqZD/7gqUWov4VaNXjK6WLFVcSC2wrmHlYrpjw==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">+wJ/DUfQZ95bboNPQd4ImEQDQ33BwhHXKzOfH92QD1E=</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_cc700724c81028348170c221c50bb5653cabbef5d0"
NotOnOrAfter="2021-01-13T00:23:16.802Z"
Recipient="https://swoopwp-localhost.swoopanalytics.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/></SubjectConfirmation>
</Subject>
<Conditions NotBefore="2021-01-12T23:18:16.802Z" NotOnOrAfter="2021-01-13T00:23:16.802Z">
<AudienceRestriction>
<Audience>https://swoopwp-localhost.swoopanalytics.com/simplesaml/module.php/saml/sp/metadata.php/default-sp</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
<AttributeValue>c5870e0f-a946-4008-9f5c-94875cba8b2e</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
<AttributeValue>d3572eaa-cc85-48bd-9fe0-86ace5b20d59</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>paul.williamson@swoopanalytics.com</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<AttributeValue>Williamson</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>Paul</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
<AttributeValue>Paul Williamson</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>d89ed46f-57e3-4078-a55a-6ee2fa2fe659</AttributeValue>
<AttributeValue>aa1d6891-e460-4456-afba-1ef25868c560</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
<AttributeValue>https://sts.windows.net/c5870e0f-a946-4008-9f5c-94875cba8b2e/</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2021-01-11T01:54:27.756Z"
SessionIndex="_aa8d5817-2b6b-48d8-b3af-ac36a0130500">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
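As an added example (not SWOOP's code and not part of the original article), the following Python walks through the two things this page asks for: decoding a SAMLResponse form value into the XML that the diagnostics tools display, and applying a group-to-permission mapping of the kind described in 'Activating Role Assignment' to the Azure groups claim in the assertion. The cut-down response, the mapping, the placeholder admin group id and the audience and user values are constructed for the example; only the two group Object Ids are taken from the sample response above. It also checks the assertion's Conditions window, which is a common reason a response that looks right in the dump still fails at the service provider.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used in the Azure AD SAML response shown in the article.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed, cut-down copy of the article's sample response: signature, certificate and
# most attributes removed; the two group Object Ids are the ones in the article's example.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <Conditions NotBefore="2021-01-12T23:18:16.802Z" NotOnOrAfter="2021-01-13T00:23:16.802Z">
      <AudienceRestriction><Audience>https://sp.example.invalid/metadata</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>user@example.invalid</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <AttributeValue>d89ed46f-57e3-4078-a55a-6ee2fa2fe659</AttributeValue>
        <AttributeValue>aa1d6891-e460-4456-afba-1ef25868c560</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# What the SAMLResponse form field looks like in the browser tools: base64 of the XML.
ENCODED_SAMPLE = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")

# Constructed group-to-permission mapping (step 1 of 'Activating Role Assignment'),
# keyed by the Azure group Object Id as the Azure tips section recommends.
# The all-zero admin group id is a placeholder, not a real group.
GROUP_PERMISSIONS = {
    "d89ed46f-57e3-4078-a55a-6ee2fa2fe659": {"ExpandInfluentialPeople"},
    "aa1d6891-e460-4456-afba-1ef25868c560": {"Benchmarking", "ExpandInfluentialPeople"},
    "00000000-0000-0000-0000-000000000000": {"Administrator"},
}
ALL_PERMISSIONS = {"Administrator", "Benchmarking", "SentimentAnalysis", "ExpandInfluentialPeople"}


def decode_saml_response(form_value):
    """Turn the base64 SAMLResponse POST value into the XML text the tools display."""
    return base64.b64decode(form_value).decode("utf-8")


def _parse_time(value):
    """Azure writes UTC timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assertion_is_current(xml_text, now_iso):
    """Check the assertion's Conditions window against a given UTC time (ISO string)."""
    now = _parse_time(now_iso)
    cond = ET.fromstring(xml_text).find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return False
    return _parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))


def extract_groups(xml_text):
    """Return the group identifiers carried in the Azure groups claim, in order."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML response status is not Success")
    groups = []
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    groups.append(value.text.strip())
    return groups


def resolve_permissions(groups, mapping=GROUP_PERMISSIONS):
    """Union the permissions of every mapped group; Administrator grants everything.

    Returns (permissions, unmapped_groups). Unmapped ids are the usual reason a user
    ends up with no access, so they are worth including in a diagnostics dump.
    """
    permissions = set()
    unmapped = []
    for group in groups:
        if group in mapping:
            permissions |= mapping[group]
        else:
            unmapped.append(group)
    if "Administrator" in permissions:
        permissions = set(ALL_PERMISSIONS)
    return permissions, unmapped


if __name__ == "__main__":
    xml_text = decode_saml_response(ENCODED_SAMPLE)
    groups = extract_groups(xml_text)
    print("groups claim:", groups)
    print("permissions, unmapped:", resolve_permissions(groups))
    print("current at 2021-01-12T23:30:00Z:", assertion_is_current(xml_text, "2021-01-12T23:30:00Z"))
```

The example reads attributes from a response that the service provider has already accepted; it does not verify the XML signature in the assertion, which the service provider does before any attribute value, including the groups claim, is trusted. The Administrator rule mirrors the permission table above, where that role carries all other permissions, and the unmapped list is the first thing to compare against the Object Ids recorded from the Azure 'Enterprise application' section when a user gets fewer permissions than expected.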