
[SAML Groups] Allow linking accounts/domains to SAML groups

Open rhysperry111 opened this issue 3 weeks ago • 1 comments

Most SAML IdPs are able to provide group information for the authenticated user in the form of a SAML attribute (with many values for each group the user is in). It would be useful to be able to use the groups in the same way that LDAP groups can, such as to give a user access to certain accounts.

Here is an example SAML response from AWS Identity Center showing how groups are formatted.

    <saml2:AttributeStatement>
      <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1732</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-2026</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1814</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1722</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1748</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1730</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1953</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1836</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">[email protected]</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>

This would be a useful feature to have, as with more companies moving to a more "serverless" / "cloud-native" (insert your favourite buzzword here) setup it is becoming less common to have an easy way to connect to the user directory with LDAP.

rhysperry111 avatar Dec 09 '25 12:12 rhysperry111
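The mapping the issue asks for, as an added Python example that is not CloudStack code and not part of the original post: it parses an AttributeStatement of the same shape as the AWS Identity Center response above, pulls out the multi-valued `groups` attribute, and resolves each value against a group-to-account table the way an LDAP group mapping would. The table (`GROUP_TO_ACCOUNT`), the account names and the username are constructed for the example; the code assumes the assertion's signature and audience have already been validated by the SAML layer, since attribute values must not be trusted before that check. Groups are matched by exact string, including the `ourdomainhere.internal//` prefix, so a group with a longer SID suffix cannot match a shorter one, and any group with no mapping grants nothing.

```python
"""Resolve SAML group attribute values to account grants (added example).

Not CloudStack code. Assumes the SAML assertion has already been
signature-checked; only the AttributeStatement is handled here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed sample with the same layout as the IdP response in the issue,
# wrapped so the saml2 prefix is declared and the fragment parses stand-alone.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1732</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-2026</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1814</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">user@example.internal</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

# Hypothetical mapping (constructed): exact group value as sent by the IdP
# -> (domain path, account name). The ...-2026 group has no entry on purpose:
# an unmapped group must grant nothing.
GROUP_TO_ACCOUNT: Dict[str, Tuple[str, str]] = {
    "ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1732": ("ROOT/ops", "ops-admins"),
    "ourdomainhere.internal//S-1-5-21-3122984950-2570546592-4150994639-1814": ("ROOT/dev", "developers"),
}


def extract_attribute_values(statement_xml: str, name: str) -> List[str]:
    """Return every non-empty AttributeValue of the Attribute whose Name == name.

    Name is compared exactly; an IdP attribute called "groups2" does not match "groups".
    """
    root = ET.fromstring(statement_xml)
    values: List[str] = []
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml2:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def resolve_accounts(groups: List[str]) -> List[Tuple[str, str]]:
    """Map group values to (domain, account) grants; unknown groups are ignored.

    Lookup is an exact dictionary hit, never a prefix or substring match, and the
    result is de-duplicated and sorted so it is stable regardless of IdP ordering.
    """
    granted = set()
    for group in groups:
        target = GROUP_TO_ACCOUNT.get(group)
        if target is not None:
            granted.add(target)
    return sorted(granted)


def accounts_for_assertion(statement_xml: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {username: [grants]} for one AttributeStatement.

    The username attribute must carry exactly one value; a missing or
    multi-valued username is rejected rather than guessed at.
    """
    usernames = extract_attribute_values(statement_xml, "username")
    if len(usernames) != 1:
        raise ValueError(f"expected exactly one username value, got {len(usernames)}")
    groups = extract_attribute_values(statement_xml, "groups")
    return {usernames[0]: resolve_accounts(groups)}


if __name__ == "__main__":
    for user, grants in accounts_for_assertion(SAMPLE_ATTRIBUTE_STATEMENT).items():
        print(user)
        for domain, account in grants:
            print(f"  {domain} / {account}")
```

Running it prints the single username followed by the two mapped grants; the third group in the sample is silently dropped because it has no table entry.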

Thanks for opening your first issue here! Be sure to follow the issue template!

boring-cyborg[bot] avatar Dec 09 '25 12:12 boring-cyborg[bot]