Consuming Group Claim in ForgeRock SP


I have ADFS working with my FR / FRIC setup (using private cloud for dev, then pushing to FRIC). I need to be able to get the group claim from the ADFS SAML assertion and map that to roles / groups in FR once the user has been matched. I do not see an interface / method in the SP adapter scripting to get / map roles from assertion content. Has anyone done this? I see you can add it for outbound, but I'm not seeing an inbound group => role mapping.

Need to pass user group attribute in SAML assertions in forgerock SP? - Integrations - ForgeRock Community



You may want to consider mapping the assertion context to an attribute on the Identity and then using Conditions on the Group/Role to dynamically provision the user. That way the user isn’t directly assigned, but rather conditionally. To do so:

  1. Select Identities > Manage > Alpha realm - Groups (or Roles) and select the group (or role) to add a condition to.
  2. Select the Settings tab and click Set up.
  3. Toggle the box and define the query filter to assess the condition (likely an attribute on that user).
  4. Click Save.
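The flow the answer describes, as an added example that is not part of the original thread and not ForgeRock AM/IDM code: pull the ADFS group claim out of the SAML assertion, write it to an attribute on the identity the way an SP attribute mapper would, then evaluate each role's condition as a query filter over that identity. The profile attribute name `memberOf`, the three role conditions and the sample assertion are constructed for the demo, and only the `eq` and `co` operators of the query-filter syntax are implemented (an assumed subset, with any-value matching on multi-valued attributes).

```python
"""Assertion group claim -> identity attribute -> conditional role membership.

Added illustration of the approach in the answer above. Not ForgeRock code:
the attribute map, role definitions and assertion below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# ADFS's standard outgoing claim type for group membership.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion (not a real capture). In practice the SP has
# already validated the signature before any attribute here is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>CN=FR-Admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=FR-Users-Legacy,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed SP attribute map: SAML attribute name -> profile attribute name.
# Only listed claims reach the profile; anything else the IdP asserts is dropped.
ATTRIBUTE_MAP = {GROUP_CLAIM: "memberOf", EMAIL_CLAIM: "mail"}

# Assumed conditional roles, each with a query filter over the identity.
ROLES = {
    "fr-admins": '/memberOf eq "CN=FR-Admins,OU=Groups,DC=example,DC=com"',
    "fr-users-strict": '/memberOf eq "CN=FR-Users,OU=Groups,DC=example,DC=com"',
    "fr-users-loose": '/memberOf co "FR-Users"',  # substring match: over-matches
}

_CONDITION = re.compile(r'/(\w+)\s+(eq|co)\s+"([^"]*)"')


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_to_identity(saml_attrs, attribute_map=ATTRIBUTE_MAP):
    """Copy only explicitly mapped claims onto the identity (profile) attributes."""
    return {
        profile_name: saml_attrs[saml_name]
        for saml_name, profile_name in attribute_map.items()
        if saml_name in saml_attrs
    }


def evaluate_condition(condition, identity):
    """Evaluate a single-clause filter; a missing attribute never matches."""
    match = _CONDITION.fullmatch(condition.strip())
    if match is None:
        raise ValueError("unsupported condition: %r" % condition)
    attr, op, literal = match.groups()
    values = identity.get(attr, [])
    if isinstance(values, str):
        values = [values]
    if op == "eq":
        return any(v == literal for v in values)
    return any(literal in v for v in values)  # "co"


def effective_roles(identity, roles=ROLES):
    """Roles whose condition holds for this identity (dynamic, not assigned)."""
    return sorted(name for name, cond in roles.items() if evaluate_condition(cond, identity))


def roles_from_assertion(assertion_xml):
    return effective_roles(map_to_identity(extract_attributes(assertion_xml)))


if __name__ == "__main__":
    print(roles_from_assertion(SAMPLE_ASSERTION))
```

Two things worth noticing when you build the real conditions: the `co` filter grants `fr-users-loose` to a user whose only match is `CN=FR-Users-Legacy,...`, so prefer `eq` on the full group value unless substring matching is what you intend; and because the role is evaluated from the profile attribute rather than assigned, a later login whose assertion no longer carries the group removes the membership once the attribute is updated.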