Issue with Mapping Group Claims Between ADFS and Tyk for SSO Connection

Hello everyone,

I’m facing an issue while configuring SSO connection between my application and Tyk dashboard using ADFS/OIDC.

I’ve configured ADFS to include group claims in the access token using the “Token-Group - Unqualified Names → Group” policy. Additionally, on the Tyk side, I’ve set up the mapping of groups by binding the group names from ADFS to the group names in Tyk.

Despite this configuration, I’m unable to retrieve the group claims in Tyk. Other user information is correctly retrieved, but the group claims seem to be missing or not processed correctly.

I’ve double-checked the configuration on both ends, but I’m unable to pinpoint the source of the problem. Do you have any advice on how to resolve this issue? Are there any additional steps I might have missed in the configuration?

Any help or suggestions would be greatly appreciated.

Thank you in advance for your assistance!

Best regards,

Do you have any advice on how to resolve this issue?

For group mapping, you would need to set the custom user group field that is taken from the payload and set the corresponding user group mapping. For example, you can map the user groups (as we call them) to your AzureAD/Entra groups in the UserGroupMapping field.

  "CustomUserGroupField": "roles",
  "UserGroupMapping": {
    "Technology.IO.Compute": "655f88e10442bd0001dfabf4"
  }

Are there any additional steps I might have missed in the configuration?

Sharing your TIB profile would be a good start. Kindly remove any sensitive info.

Hi, this is my TIB profile conf:

{
  "ID": "adfs",
  "Name": "",
  "OrgID": "5f7c8a18f5316d*************",
  "ActionType": "GenerateOrLoginUserProfile",
  "MatchedPolicyID": "",
  "Type": "redirect",
  "ProviderName": "SocialProvider",
  "CustomEmailField": "",
  "CustomUserIDField": "",
  "ProviderConfig": {
    "CallbackBaseURL": "https://dashboard-api.****.fr",
    "FailureRedirect": "https://dashboard-api.****.fr/?fail=true",
    "UseProviders": [
      {
        "DiscoverURL": "https://fs.adfs.fr/adfs/.well-known/openid-configuration",
        "Key": "d343435f-59dc-43bb-88b5-**********",
        "Name": "openid-connect",
        "Scopes": [
          "email",
          "profile",
          "openid",
          "groups"
        ],
        "Secret": "hnh***********tt8-Jl4a*********nbJHq",
        "SkipUserInfoRequest": false
      }
    ]
  },
  "IdentityHandlerConfig": {
    "DashboardCredential": "287cbd57987741386************"
  },
  "ProviderConstraints": {
    "Domain": "",
    "Group": ""
  },
  "ReturnURL": "https://dashboard-api.***********.fr/tap",
  "DefaultUserGroupID": "65df3e2cf5316d07ce1a36b7",
  "CustomUserGroupField": "group",
  "UserGroupMapping": {
    "Tyk-Dev-Admin": "65df3df6f5316d07ce1a36b6",
    "Tyk-Dev-Read": "65df3e2cf5316d07ce1a36b7"
  },
  "UserGroupSeparator": ",",
  "SSOOnlyForRegisteredUsers": false
}

On the ADFS side

My claims look like this:

Thanks for your help

Thanks for sharing the TIB profile. I re-read your initial statement and it appears you may be using an ADFS server. I don’t know much about how to configure an ADFS server or where the token group is, but the directory, security or Entra group ID can at least be retrieved from the payload when I add the group claims and test via Azure.

I could only get the group ID and not the name. But at least this should be useful:

groups":[]interface {}{"9d5917b4-6525-4806-b176-3eb10f2d249b"}

Despite this configuration, I’m unable to retrieve the group claims in Tyk. Other user information is correctly retrieved, but the group claims seem to be missing or not processed correctly.

I suspect you may not be seeing the groups field from the payload. The payload should be visible from a debug log entry like this:

level=debug msg="Creating identity for user: goth.User{

Can you confirm that you can sign in via SSO but it’s only the group mapping giving issues?

Do you have any advice on how to resolve this issue? Are there any additional steps I might have missed in the configuration?

Maybe it is possible to emit the groups as role claims and use that instead? Or simply just use roles instead of groups.

If you have an Azure account then maybe you could test with that.

Sorry, I can’t be much help on the ADFS side.
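To show how the profile fields discussed in this thread (CustomUserGroupField, UserGroupSeparator, UserGroupMapping, DefaultUserGroupID) fit together, here is a small Python model of the mapping step, added as an illustration and not Tyk's or TIB's own code; the first-match rule and the fallback to DefaultUserGroupID are assumptions, and all IDs are constructed placeholders. It makes visible why a claim emitted as `groups` or `roles` is ignored when the profile says `group`, and why Azure's group object IDs only match if they are the keys in UserGroupMapping.

```python
# Constructed TIB-style profile fragment; group IDs are placeholders, not real dashboard IDs.
PROFILE = {
    "DefaultUserGroupID": "default-group-id",
    "CustomUserGroupField": "group",
    "UserGroupMapping": {
        "Tyk-Dev-Admin": "admin-group-id",
        "Tyk-Dev-Read": "read-group-id",
        # Azure/Entra emits object IDs rather than names, so an ID must be a key to match.
        "9d5917b4-6525-4806-b176-3eb10f2d249b": "admin-group-id",
    },
    "UserGroupSeparator": ",",
}

GROUP_LIKE_CLAIMS = ("group", "groups", "roles")


def claim_groups(claims, field, separator):
    """Return the group values found under `field`, or [] when the claim is absent.
    Accepts either a JSON list or a separator-delimited string."""
    value = claims.get(field)
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(separator) if v.strip()]
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def resolve_user_group(claims, profile):
    """Pick the dashboard user group ID (assumed rule: first mapped value wins,
    otherwise DefaultUserGroupID) and return a reason string for diagnosis, so a
    missing claim is distinguishable from a present-but-unmapped value."""
    names = claim_groups(claims, profile["CustomUserGroupField"],
                         profile["UserGroupSeparator"])
    if not names:
        return profile["DefaultUserGroupID"], "claim missing"
    for name in names:
        gid = profile["UserGroupMapping"].get(name)
        if gid:
            return gid, f"matched {name!r}"
    return profile["DefaultUserGroupID"], "no mapping for " + ", ".join(names)


def group_like_claims_present(claims):
    """Diagnostic: which of the usual group-carrying claim names the token actually has,
    to compare against CustomUserGroupField."""
    return [k for k in GROUP_LIKE_CLAIMS if k in claims]
```

Feed it the claims from the `Creating identity for user: goth.User{...}` debug line to see whether the field name, the separator, or the mapping keys are the part that does not line up.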