Microsoft Entra Group Assertions


Microsoft Entra Group Assertions

Group assertions can be used to manage user permissions in Kion by using existing Microsoft Entra groups.

Microsoft Entra Configuration

  1. In the Microsoft Entra admin center, go to Identity > Applications > Enterprise applications > New application.
  2. In the list, select the enterprise application for Kion.
  3. On Overview, in the left menu, select Single sign-on.
  4. On Single Sign-On, under User Attributes & Claims, select Edit.
  5. Select Add a group claim.You can have only one group claim. If this option is disabled, you might already have a group claim defined.
  6. On Group Claims, select the groups that should be returned in the claim:
    • If you will always have every group you intend to use in Kion assigned to this enterprise application, select Groups assigned to the application.
    • If you want all groups to appear (this selection can cause a large number of group assertions and might be subject to limits), select Groups assigned to the application.
  7. For Source attribute, leave the default Group ID.
  8. Enable the Customize the name of the group claim option.
  9. For Name, enter memberOf.
  10. Click Save.

Kion configuration

  1. In Kion, navigate to Users > Identity Management Systems.
  2. Select the IDMS that you've created for Microsoft Entra.
  3. Select the User Group Associations tab.
  4. Click Add > Add New.
  5. For Name, enter memberOf.
  6. For Regex, enter the object ID (from Microsoft Entra) of the group you want to match.
  7. Select the Kion user group the matched groups will be added to.
  8. (Optional) Enable Update on Login to evaluate users on every log in and remove them from user groups they no long match.
  9. Click Add.

For more information, see Microsoft's article Microsoft Entra SSO integration with Kion.