Azure AD Group Assertions

Group assertions can be used to manage user permissions in Kion by using existing Azure Active Directory groups.

Azure AD Configuration

  1. In the Azure portal, go to Azure Active Directory > Enterprise Applications.
  2. In the list, select the enterprise application for Kion.
  3. On Overview, in the left menu, select Single sign-on.
  4. On Single Sign-On, under User Attributes & Claims, select Edit.
  5. Select Add a group claim. You can have only one group claim. If this option is disabled, you might already have a group claim defined.
  6. On Group Claims, select the groups that should be returned in the claim:
    • If you will always have every group you intend to use in Kion assigned to this enterprise application, select Groups assigned to the application.
    • If you want all groups to appear (this selection can cause a large number of group assertions and might be subject to limits), select Groups assigned to the application.
  7. For Source attribute, leave the default Group ID.
  8. Enable the Customize the name of the group claim option.
  9. For Name, enter memberOf.
  10. Click Save.

Kion configuration

  1. In Kion, navigate to Users > Identity Management Systems.
  2. Select the IDMS that you've created for Azure AD.
  3. Select the User Group Associations tab.
  4. Click Add > Add New.
  5. For Name, enter memberOf.
  6. For Regex, enter the object ID (from Azure AD) of the group you want to match.
  7. Select the Kion user group the matched groups will be added to.
  8. (Optional) Enable Update on Login to evaluate users on every login and remove them from user groups they no longer match.
  9. Click Add.
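The mapping the two procedures above set up is: Azure AD emits a `memberOf` attribute whose values are group object IDs, and each Kion association tests those values against a regex and grants a user group. The following is an added illustration of that flow, not Kion's own code: the SAML fragment, the association table and the group names are constructed, and the whole-value matching and the reconciliation rules are assumptions to check against the product.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the AttributeStatement Azure AD emits once the group
# claim is named "memberOf" with "Group ID" as the source attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-222222222222</saml:AttributeValue>
      <saml:AttributeValue>33333333-dddd-4eee-9fff-444444444444</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical associations mirroring the Kion form: (Name, Regex, Kion user group).
# The Regex column holds the Azure AD group object ID, as the procedure instructs.
ASSOCIATIONS = [
    ("memberOf", r"11111111-aaaa-4bbb-8ccc-222222222222", "kion-admins"),
    ("memberOf", r"55555555-0000-4000-8000-666666666666", "kion-billing"),
]


def claim_values(assertion_xml, name):
    """Return every AttributeValue carried by the SAML attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    return [
        value.text.strip()
        for attr in root.iterfind(".//saml:Attribute", SAML_NS)
        if attr.get("Name") == name
        for value in attr.iterfind("saml:AttributeValue", SAML_NS)
        if value.text
    ]


def matched_groups(assertion_xml, associations):
    """Kion user groups whose regex matches at least one asserted group ID.

    Assumption: the expression must match the whole value. An unanchored
    search, or a regex such as '.*', would grant the group to every user.
    """
    groups = set()
    for name, pattern, group in associations:
        regex = re.compile(pattern, re.IGNORECASE)
        if any(regex.fullmatch(v) for v in claim_values(assertion_xml, name)):
            groups.add(group)
    return groups


def reconcile(current, matched, update_on_login):
    """Return (groups to add, groups to remove) for this login.

    Assumption: memberships are added on every login; stale ones are removed
    only when Update on Login is enabled, as the step above describes.
    """
    to_add = matched - current
    to_remove = (current - matched) if update_on_login else set()
    return to_add, to_remove
```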

For more information, see Azure's article Azure AD SSO integration with Kion.