What is the expected behaviour when defining multiple keys for external groups?

I want to define two different keys to create external realm groups in Foundry (Docs).

Is the expected behaviour that, where a user has the attribute under one of the keys but not the other, the user is added to the group?

Yes. If you are specifying different attributes in the User Groups keys (as pictured above), then groups that are found at any of those keys will be imported. The most common use case here is if you are using different provider attributes as groups. Otherwise, the standard setup is just to import groups from the group claim (and include a regex to split the groups if multiple groups are passed in the same value).

For example, the standard groups claim from Entra comes through something like this:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>GROUP1</AttributeValue>
    <AttributeValue>GROUP2</AttributeValue>
</Attribute>

By just specifying http://schemas.microsoft.com/ws/2008/06/identity/claims/groups in the user groups key field (no need for a regex), GROUP1 and GROUP2 will be extracted and the user will be added to both.

1 Like

Perfect! Yeah, I am trying to import both roles and groups as Multipass groups! There will be some collision temporarily, so I wanted to make sure that doesn’t cause any issues down the line!

There may be some weirdness if the attributes don’t have values. Other call out is that the group name as it’s passed in the claim/keyed attribute is used as the group id and group name. This could cause weirdness if you are getting groups from both of these places that have the same name.

Oh so I guess it might not union the two sets of users into a group depending on how it’s passed in the claim but will if it is passed in the same way?

Also for future reference, if you do add in the group keys and want to test the results of a login and what is parsed out, you can always use the test login feature on the Provider setup page and that will show you exactly what attributes and groups the user would get when they would perform a login with the configured settings.

2 Likes
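
Added example (not part of the thread and not Foundry's implementation): a Python sketch of the behaviour described above. It collects groups from several attribute keys, applies an optional split regex, skips empty values, and reports group names supplied by more than one key, which matters because the name is used as the group id. The `roles` and `empty` attribute names, the `;` separator and the sample assertion are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

GROUPS_KEY = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample (not captured from a real IdP); "roles" and "empty"
# are hypothetical attribute names.
SAMPLE = f"""<AttributeStatement>
  <Attribute Name="{GROUPS_KEY}">
    <AttributeValue>GROUP1</AttributeValue>
    <AttributeValue>GROUP2</AttributeValue>
  </Attribute>
  <Attribute Name="roles">
    <AttributeValue>GROUP2;ADMIN</AttributeValue>
  </Attribute>
  <Attribute Name="empty"><AttributeValue></AttributeValue></Attribute>
</AttributeStatement>"""


def extract_groups(xml_text, keys):
    """Return {group name: set of attribute keys that supplied it}.

    keys maps attribute name -> split regex, or None when every
    AttributeValue already holds exactly one group.
    """
    # For assertions from an untrusted source, parse with a hardened XML
    # parser; the standard-library parser is used here on inline sample data.
    root = ET.fromstring(xml_text)
    sources = defaultdict(set)
    for attr in root.iter("Attribute"):
        name = attr.get("Name")
        if name not in keys:
            continue
        for value in attr.iter("AttributeValue"):
            text = (value.text or "").strip()
            parts = re.split(keys[name], text) if keys[name] else [text]
            for part in parts:
                if part.strip():  # attributes without values yield no group
                    sources[part.strip()].add(name)
    return dict(sources)


def collisions(sources):
    """Group names that arrived under more than one attribute key."""
    return sorted(g for g, src in sources.items() if len(src) > 1)


if __name__ == "__main__":
    found = extract_groups(SAMPLE, {GROUPS_KEY: None, "roles": ";", "empty": None})
    print(sorted(found), "collisions:", collisions(found))
```

Reviewing the collision list before enabling a second key shows which existing groups would gain members from the new attribute.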