This procedure describes how to identify the groups a user is a member of, based on the SAML2 authentication response.


To identify the groups, we need to intercept the SAML2 exchange between the browser and the provider.

We'll use the SAML-tracer browser plugin.


1. Download the plugin for the browser you use:
    Google Chrome

        https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch

    Mozilla Firefox

        https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

2. Open the IN2IT login page

3. Open the plugin page

4. Log in to the IN2IT application using the SAML2 provider

5. On the plugin page, click the orange "SAML" button

6. Go to the "Summary" tab

7. Under "SAML 2.0 AttributeStatement" you can find the groups the user is a member of

Group names may differ depending on the SAML2 application configured at your provider

8. The user can log in to the IN2IT application if:

- the user is authorised by the SAML2 provider application

- at least one group the user is a member of is bound in the IN2IT SAML2 configuration


If the user is in multiple profile groups, they are combined in the user interface.

If the user has multiple Roles, they are combined into the most permissive one.

On IN2IT, the group "woody_saml2_any" is a special group that accepts any group in the SAML2 response.



OneLogin example

The groups attribute is named "groups"

Here the groups are:

 - "Social admin"

 - "Social journalists"


On the IN2IT SAML2 configuration

The groups are correctly bound


Okta example

The groups attribute is named "groups"

Here the group is:

 - "Woody-Support"


On the IN2IT SAML2 configuration

The group is correctly bound


AzureAD example

The groups attribute is named "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

Here the group is:

 - "3901e173-6cc7-4bff-8d61-15c1ee110c24"


On the IN2IT SAML2 configuration

The group is correctly bound, with access to the profile group "All access" and the Role "administrators"
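As an added example, not part of this procedure or of IN2IT's own code: a small Python script that extracts the group values from the AttributeStatement of a constructed SAML2 assertion, under the attribute names shown in the OneLogin, Okta and AzureAD examples above, and checks them against the groups bound in the IN2IT SAML2 configuration, including the special "woody_saml2_any" group. It assumes the assertion has already been signature-verified by the service provider; the function names and the sample assertion are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names under which the providers on this page carry group membership.
GROUP_ATTRIBUTE_NAMES = {
    "groups",  # OneLogin, Okta
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",  # AzureAD
}

# Special IN2IT group that accepts any group present in the SAML2 response.
ANY_GROUP = "woody_saml2_any"

# Constructed sample assertion, shaped like what SAML-tracer shows in its Summary tab.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Social admin</saml:AttributeValue>
      <saml:AttributeValue>Social journalists</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_groups(assertion_xml):
    """Return the group values found in the AttributeStatement of a SAML2 assertion."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") not in GROUP_ATTRIBUTE_NAMES:
            continue  # other attributes (mail, name, ...) are not group claims
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def matching_bound_groups(user_groups, bound_groups):
    """Groups from the response that are bound in the IN2IT SAML2 configuration.
    If woody_saml2_any is bound, every group in the response matches."""
    bound = set(bound_groups)
    if ANY_GROUP in bound:
        return list(user_groups)
    return [g for g in user_groups if g in bound]


def can_log_in(user_groups, bound_groups):
    """The user can log in when at least one of their groups is bound."""
    return bool(matching_bound_groups(user_groups, bound_groups))
```

Running extract_groups on SAMPLE_ASSERTION yields the two OneLogin groups, and can_log_in returns False until one of them is bound (or "woody_saml2_any" is).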