Groups give no access with SSO over SAML

Hi all, I’ve gotten single-sign-on via SAML up and running, and also have the LDAP connection working as it should. I’m able to search for AD groups and assign a group to an organization in the IQ server, but for some reason a user who is a member of that group has no access when logging in via SAML.

I’ve checked that the SAML claims are mapped correctly, but cannot get it to work. Assigning users to an organization works as expected, however. Are there any common pitfalls I might have overlooked, or is it possible to configure the logging so that the groups coming from SAML are logged?

There are various browser add-ons / plugins available for debugging SAML. Use one of these tools to ensure the SAML response contains the groups you expect. IQ receives the same response you see when using these SAML debugging tools.

Chrome – SAML Chrome Panel
Firefox – SAML Tracer

2 Likes
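The check suggested in the reply above can also be scripted once the `SAMLResponse` form value has been copied out of one of those browser tools. This is an added example, not code from the thread or from the IQ Server project; the attribute name `groups`, the group name `iq-developers` and the sample response are constructed assumptions.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_attributes(saml_response):
    """Decode an HTTP-POST binding SAMLResponse into {attribute name: [values]}."""
    xml = base64.b64decode(urllib.parse.unquote(saml_response))
    if b"<!DOCTYPE" in xml:  # refuse DTDs so pasted input cannot define entities
        raise ValueError("DOCTYPE not allowed in a SAML response")
    root = ET.fromstring(xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; attributes are not readable here")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_group(attrs, group_attribute, expected_group):
    """Say whether expected_group is visible under group_attribute, and if not, why."""
    if group_attribute not in attrs:
        return "missing attribute; response only has: " + ", ".join(sorted(attrs))
    values = attrs[group_attribute]
    if expected_group in values:
        return "ok"
    if any(v.lower() == expected_group.lower() for v in values):
        return "case mismatch: " + repr(values)
    return "group not in response: " + repr(values)

# Constructed sample: the IdP sends the group as a full DN, not the short name.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>CN=iq-developers,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    found = saml_attributes(SAMPLE_B64)
    print(found)
    print(check_group(found, "groups", "iq-developers"))
```

The output lists every attribute name and value in the response, so it can be compared by eye against the group attribute name configured on the service provider side and the group name assigned to the organization.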