
Qlik Sense: Groups in Azure SAML response only have guid and no group name
Feb 23, 2021 4:08:09 AM
Mar 6, 2019 5:16:15 AM
When using SAML with Azure in Qlik Sense, groups in the Azure SAML response contain only the group GUID and not the group name.
As a result, it is not possible to create security rules with user.environment.group that are based on group names.
Environments:
- Qlik Sense Enterprise all versions
- SAML with Microsoft Azure
This happens because Azure can only send the group GUID in the SAML response, not the group name.
This is a restriction on Microsoft's end. See:
"There is no way to have the friendly name inside the SAML response. If you want to have the friendly name, basically what you should do is the following: the Service provider gets the SAML response issued by Azure AD, then the Service Provider should perform a GraphAPI call to Azure AD to retrieve the friendly name of the group based on the objectGUID."
Unfortunately, Qlik Sense, which is the Service Provider in this case, has no way to be set up to resolve Azure group names.
Potential workarounds:
- Create your own program that extracts all needed group names from Azure, along with the users each group is linked to
- Store this information in an Excel file or a database
- Use a User Directory Connector in Qlik Sense to import the group information
- You can then create a security rule based on user.group to give access to users.
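
One way to implement the extraction step of this workaround, as an added example that is not code from Qlik or Microsoft: it walks the Microsoft Graph `groups` and `groups/{id}/members` collections, follows paging, skips non-user members, and holds back groups whose display names collide, since a name-based rule could not tell them apart. Assumptions: `fetch` is a hypothetical callable that performs an authenticated GET and returns parsed JSON, the `userid`/`type`/`value` column layout and the use of `userPrincipalName` as the Qlik user ID must match your User Directory Connector and SAML setup, and the sample responses are constructed.

```python
import csv
import io
from collections import defaultdict

GRAPH = "https://graph.microsoft.com/v1.0"
def paged(fetch, url):
    """Yield all items, following @odata.nextLink; fetch(url) -> dict is a hypothetical GET."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def build_attributes(fetch):
    """Return (rows, duplicates); each row is (userid, "group", group name)."""
    groups = list(paged(fetch, f"{GRAPH}/groups?$select=id,displayName"))
    ids_by_name = defaultdict(list)
    for g in groups:
        ids_by_name[g["displayName"]].append(g["id"])
    # displayName is not unique in Azure AD: GUIDs sharing a name would be merged
    # by a user.group rule, so report them and leave them out of the export.
    duplicates = {n: ids for n, ids in ids_by_name.items() if len(ids) > 1}
    rows = set()
    for g in groups:
        if g["displayName"] in duplicates:
            continue
        for m in paged(fetch, f"{GRAPH}/groups/{g['id']}/members"):
            upn = m.get("userPrincipalName")  # absent on nested groups, devices
            if upn:  # assumes the Qlik user ID is the UPN
                rows.add((upn, "group", g["displayName"]))
    return sorted(rows), duplicates

def to_csv(rows):
    """Serialize rows; the userid/type/value header is an assumed UDC layout."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["userid", "type", "value"])
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample responses standing in for authenticated Graph calls.
SAMPLE = {
    f"{GRAPH}/groups?$select=id,displayName": {"value": [
        {"id": "g-1", "displayName": "Finance"},
        {"id": "g-2", "displayName": "Sales"}], "@odata.nextLink": "page2"},
    "page2": {"value": [{"id": "g-3", "displayName": "Sales"}]},
    f"{GRAPH}/groups/g-1/members": {"value": [
        {"userPrincipalName": "Alice@example.com"},
        {"id": "g-2", "displayName": "Sales"}]},
}
```

Because access in Qlik Sense then follows the exported file rather than Azure, the export needs to be re-run on a schedule so that removed group memberships do not linger as stale access.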