Microsoft Entra Group Assertions
Group assertions can be used to manage user permissions in Kion by using existing Microsoft Entra groups.
Microsoft Entra Configuration
- In the Microsoft Entra admin center, go to Identity > Applications > Enterprise applications > New application.
- In the list, select the enterprise application for Kion.
- On Overview, in the left menu, select Single sign-on.
- On Single Sign-On, under User Attributes & Claims, select Edit.
- Select Add a group claim. You can have only one group claim. If this option is disabled, you might already have a group claim defined.
- On Group Claims, select the groups that should be returned in the claim:
  - If you will always have every group you intend to use in Kion assigned to this enterprise application, select Groups assigned to the application.
  - If you want all groups to appear (this selection can cause a large number of group assertions and might be subject to limits), select Groups assigned to the application.
- For Source attribute, leave the default Group ID.
- Enable the Customize the name of the group claim option.
- For Name, enter memberOf.
- Click Save.
Kion Configuration
- In Kion, navigate to Users > Identity Management Systems.
- Select the IDMS that you've created for Microsoft Entra.
- Select the User Group Associations tab.
- Click Add > Add New.
- For Name, enter memberOf.
- For Regex, enter the object ID (from Microsoft Entra) of the group you want to match.
- Select the Kion user group the matched groups will be added to.
- (Optional) Enable Update on Login to evaluate users on every login and remove them from user groups they no longer match.
- Click Add.
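A check for the result of both procedures, as an added example that is not Kion or Microsoft code: it reads the attribute statement of a decoded sign-in assertion and reports which association rules would match, plus any sign that the claim name or source attribute was not set as described above. It assumes the SSO integration is SAML and that the Regex must match the whole value; the sample assertion, object IDs and Kion group names are constructed.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Name Entra gives the group claim when it is not customized.
DEFAULT_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed AttributeStatement, not captured from a real tenant.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
    <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical associations: Regex (a group object ID) -> Kion user group.
RULES = {
    "11111111-1111-1111-1111-111111111111": "cloud-admins",
    "33333333-3333-3333-3333-333333333333": "auditors",
}

def attributes(xml_text):
    """Map each SAML attribute name to its list of values."""
    # Feed this only assertions from your own IdP; use defusedxml otherwise.
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [(v.text or "").strip()
                            for v in a.iter(SAML + "AttributeValue")]
            for a in root.iter(SAML + "Attribute")}

def check_assertion(xml_text, rules, claim="memberOf"):
    """Return (Kion groups whose rule matches, configuration findings)."""
    attrs = attributes(xml_text)
    findings = []
    if claim not in attrs:
        findings.append("group claim has the default name; customize it to memberOf"
                        if DEFAULT_CLAIM in attrs else "no group claim in assertion")
    values = attrs.get(claim, [])
    if any(not GUID.fullmatch(v) for v in values):
        findings.append("values are not object IDs; set Source attribute to Group ID")
    # Assumption: the rule must match the whole value (fullmatch).
    matched = {group for pattern, group in rules.items()
               if any(re.fullmatch(pattern, v) for v in values)}
    return matched, findings

if __name__ == "__main__":
    print(check_assertion(SAMPLE, RULES))
```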
For more information, see Microsoft's article Microsoft Entra SSO integration with Kion.