Forums, Documentation & Knowledge Base - ComponentSpace

Authorization Claims?


https://www.componentspace.com/forums/Topic10970.aspx

By jwoodie - 6/17/2020

I've been using Saml2 for a while for strictly SP-based Authentication with great success, for an app that handled all issues of authorization within the app itself. Now I have a client that wants to use Saml-based SSO for their app, where the IdP will be an ADFS backend, and they want to use their AD group membership for authorization, so the app has no knowledge of, or need for, authorization or any built-in users.

Does this mean that the assertion should or should not reflect this group membership? Should the assertion simply fail to return any claims if the authenticating user does not have the necessary group membership, causing the authentication request to fail on the SP side? Or can/should the group membership in question be sent back as a claim in the assertion, interpreted by the SP and dealt with there? It seems like both options should be possible, but I don't see any discussion here about the available or preferable options for dealing with authorization specifically.

Thanks for any insight.


Jeff

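
The second option described in the question, where the IdP sends AD group membership as attributes in the assertion and the SP maps those groups to application roles, looks like the following at the SP. This is an added example, not code from the original post or from the ComponentSpace library. It assumes the assertion has already been signature-validated by the SAML library before any attribute is trusted, it uses the ADFS default group claim type `http://schemas.xmlsoap.org/claims/Group` (the IdP may be configured to emit a different attribute name), and the group-to-role mapping and the sample assertion XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute name under which ADFS emits AD group membership by default.
# Assumption: the client's ADFS claim rules use this claim type unchanged.
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed mapping from AD group names to application roles. Only groups
# listed here grant anything; every other group in the assertion is ignored.
GROUP_TO_ROLE = {
    "APP-Admins": "admin",
    "APP-Users": "user",
}

# Constructed sample assertion (signature element omitted; see assumption above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2020-06-17T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jeff@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>APP-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion for a user who authenticated but is in no mapped group.
NO_GROUP_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-2" Version="2.0" IssueInstant="2020-06-17T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>guest@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_claims(assertion_xml: str, attr_name: str = GROUP_ATTR) -> list[str]:
    """Return every AttributeValue of the group attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall("saml:AttributeValue", ns):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def authorize(assertion_xml: str, mapping: dict = GROUP_TO_ROLE) -> set[str]:
    """Map asserted groups to application roles; deny when none apply.

    Authentication already succeeded when we get here, so an empty role set
    is an authorization failure and is reported separately from a SAML error.
    """
    roles = {mapping[g] for g in group_claims(assertion_xml) if g in mapping}
    if not roles:
        raise PermissionError("authenticated, but no application role granted")
    return roles


def is_authorized(assertion_xml: str) -> bool:
    """Convenience check for callers that only need an allow/deny decision."""
    try:
        authorize(assertion_xml)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("roles:", sorted(authorize(SAMPLE_ASSERTION)))
    print("guest authorized:", is_authorized(NO_GROUP_ASSERTION))
```

Keeping the deny decision at the SP means the audit log can distinguish "SSO failed" from "signed in, not entitled", which the first option (the IdP withholding claims so the SP request fails) does not give you. Any group not in the mapping table is ignored rather than granted, so an unexpectedly broad group list from the IdP cannot widen access.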
By ComponentSpace - 6/18/2020

You're welcome.