I’m facing an issue while configuring SSO connection between my application and Tyk dashboard using ADFS/OIDC.
I’ve configured ADFS to include group claims in the access token using the “Token-Group - Unqualified Names → Group” policy. Additionally, on the Tyk side, I’ve set up the mapping of groups by binding the group names from ADFS to the group names in Tyk.
Despite this configuration, I’m unable to retrieve the group claims in Tyk. Other user information is correctly retrieved, but the group claims seem to be missing or not processed correctly.
I’ve double-checked the configuration on both ends, but I’m unable to pinpoint the source of the problem. Do you have any advice on how to resolve this issue? Are there any additional steps I might have missed in the configuration?
Any help or suggestions would be greatly appreciated.
Do you have any advice on how to resolve this issue?
For group mapping, you would need to set the custom user group field that is obtained from the payload and set the corresponding user group mapping. For example, you can map the user groups, as we call them, to your AzureAD/Entra groups in the UserGroupMapping field.
Thanks for sharing the TIB profile. I re-read your initial statement and it appears you may be using an ADFS server. I don’t know much about how to configure an ADFS server or where the token group is, but the directory, security or Entra group ID can at least be retrieved from the payload when I add the group claims and test via Azure.
Despite this configuration, I’m unable to retrieve the group claims in Tyk. Other user information is correctly retrieved, but the group claims seem to be missing or not processed correctly.
I suspect you may not be seeing the groups field from the payload. The payload should be visible from a debug log entry like this:
level=debug msg="Creating identity for user: goth.User{
Can you confirm that you can sign in via SSO but it’s only the group mapping giving issues?
Do you have any advice on how to resolve this issue? Are there any additional steps I might have missed in the configuration?
Maybe it is possible to emit the groups as role claims and use that instead? Or simply use roles instead of groups.
If you have an Azure account then maybe you could test with that.
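The two replies above amount to one diagnostic: look at the decoded token payload that TIB logs, confirm the claim named in the custom user group field is actually there, and then check that its values match the keys in UserGroupMapping exactly. The script below is an added example written for this thread; it is not Tyk or TIB code, and the first-match-wins precedence, the field names and the sample claims are my assumptions. It decodes the payload segment of a JWT without verifying the signature (acceptable only for inspecting what the IdP emitted, never for an authorization decision) and reports why a mapping did or did not succeed, covering the three cases discussed here: the groups claim present, the groups claim absent, and the groups carried in a roles claim instead.

```python
import base64
import json

# Constructed sample claims standing in for the payload TIB prints in its
# "Creating identity for user" debug log. Not real ADFS output.
CLAIMS_WITH_GROUPS = {"sub": "jdoe", "email": "jdoe@example.com",
                      "groups": ["API-Admins", "Developers"]}
CLAIMS_WITHOUT_GROUPS = {"sub": "jdoe", "email": "jdoe@example.com"}
CLAIMS_WITH_ROLES = {"sub": "jdoe", "roles": "API-Admins"}

# Hypothetical mapping in the style of the TIB profile's UserGroupMapping:
# keys are the values ADFS puts in the claim (unqualified group names with
# the "Token-Groups - Unqualified Names" policy; Entra emits group object IDs
# instead), values are Tyk user group IDs.
USER_GROUP_MAPPING = {"API-Admins": "tyk-group-admins",
                      "Developers": "tyk-group-devs"}
DEFAULT_USER_GROUP_ID = "tyk-group-readonly"


def _b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Build an alg=none JWT so the example is self-contained (constructed)."""
    return f"{_b64url_json({'alg': 'none', 'typ': 'JWT'})}.{_b64url_json(claims)}."


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWT WITHOUT signature checks.
    Use only to see which claims the IdP emitted; never trust the result."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_user_group(claims, custom_user_group_field, user_group_mapping,
                       default_user_group_id):
    """Return (tyk_group_id, reason). The claim may be a string or a list;
    the first value with a mapping wins (assumed precedence, not TIB's
    documented behaviour). Missing claim or no match falls back to the
    default group, with a reason that names what was actually present."""
    value = claims.get(custom_user_group_field)
    if value is None:
        return default_user_group_id, (
            f"claim '{custom_user_group_field}' absent; claims present: "
            f"{sorted(claims)}")
    values = value if isinstance(value, list) else [value]
    for v in values:
        if v in user_group_mapping:
            return user_group_mapping[v], f"matched '{v}'"
    return default_user_group_id, (
        f"no mapping for {values}; mapping keys: {sorted(user_group_mapping)}")


def diagnose(token, custom_user_group_field="groups"):
    """Decode a token and run the mapping; returns the resolved Tyk group ID."""
    claims = decode_jwt_payload(token)
    group_id, reason = resolve_user_group(
        claims, custom_user_group_field, USER_GROUP_MAPPING, DEFAULT_USER_GROUP_ID)
    print(f"{custom_user_group_field!r} -> {group_id}: {reason}")
    return group_id


if __name__ == "__main__":
    diagnose(make_unsigned_token(CLAIMS_WITH_GROUPS))
    diagnose(make_unsigned_token(CLAIMS_WITHOUT_GROUPS))
    # The "use roles instead of groups" suggestion: point the field at "roles".
    diagnose(make_unsigned_token(CLAIMS_WITH_ROLES), custom_user_group_field="roles")
```

Paste the payload segment from the real debug log into `decode_jwt_payload` to see whether the claim is missing or merely named or valued differently from what the profile expects. Two things worth checking if the claim is absent: that ADFS is issuing it on the token TIB decodes (the profile was described as adding it to the access token; whether the id_token carries it too is worth confirming), and that the mapping keys use the same form as the emitted values, since unqualified ADFS names and Entra group object IDs are not interchangeable.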