Nested group memberships and SSO
We're rolling PDP out across many of our datasets to enable us to use embeded cards throughout our internal systems. We may have just stumbled upon what is either a bug or a use case that wasn't properly expressed during development. It appears that Domo isn't properly decomposing these group relationships and our SSO-authenticated users don't have the permissions to data they should.
We make considerable use of nested groups within our AD as it allows us to describe our hierarchical structure in a way that is maintainable.
Here's an example.
- We have 40 stores (Store A, Store B, etc.)
- The stores are managed in "regions" (Region 1, Region 2, etc.)
- A regional manager may be in the "Region 1" group which itself may be a member of "Store A", "Store B", "Store C", etc.
Currently when this regional manager logs into Domo, he is not able to see data for Store A, B and C even though AD says he should. Domo ONLY sees the Region 1 membership and no further.
Has anyone else run into this issue? Were you able to work around it without abandoning your AD group architecture?
Best Answer
-
I've had a couple people DM me so I've decided to put the instructions here for everyone.
We started by setting up SSO to Domo's documented standard. Everything worked fine EXCEPT nested groups weren't decomposed.
To "fix" nested groups we modified the standard Relying Party Trust and initial set of Claim Rules as follows:
First, we added two new Claim Rules:
1 - UserDN Rule
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("https://fs.storagepost.com/myclaims/UserDN"), query = ";distinguishedName;{0}", param = c.Value);
2 - MemberOfDN Rulec1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
&& c2:[Type == "https://fs.storagepost.com/myclaims/UserDN"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={1});distinguishedName;{0}", param = c1.Value, param = c2.Value);Now our rules looked like this:
All Claim Rules
The last thing we did was revise Domo's standard Claim Rule so it now looks like the attached.
Modified Domo Standard Claim Rule
1
Answers
-
Is anyone able to help out with this request?
0 -
We solved this ourselves. It involves writing two custom claims rules and substituting one for the generic "Group" claim included in Domo's documentation.
If anyone would like more detail, please feel free to DM me.
0 -
I've had a couple people DM me so I've decided to put the instructions here for everyone.
We started by setting up SSO to Domo's documented standard. Everything worked fine EXCEPT nested groups weren't decomposed.
To "fix" nested groups we modified the standard Relying Party Trust and initial set of Claim Rules as follows:
First, we added two new Claim Rules:
1 - UserDN Rule
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("https://fs.storagepost.com/myclaims/UserDN"), query = ";distinguishedName;{0}", param = c.Value);
2 - MemberOfDN Rulec1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
&& c2:[Type == "https://fs.storagepost.com/myclaims/UserDN"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = "(member:1.2.840.113556.1.4.1941:={1});distinguishedName;{0}", param = c1.Value, param = c2.Value);Now our rules looked like this:
All Claim Rules
The last thing we did was revise Domo's standard Claim Rule so it now looks like the attached.
Modified Domo Standard Claim Rule
1
Categories
- All Categories
- 1.8K Product Ideas
- 1.8K Ideas Exchange
- 1.5K Connect
- 1.2K Connectors
- 297 Workbench
- 6 Cloud Amplifier
- 8 Federated
- 2.9K Transform
- 100 SQL DataFlows
- 614 Datasets
- 2.2K Magic ETL
- 3.8K Visualize
- 2.5K Charting
- 729 Beast Mode
- 53 App Studio
- 40 Variables
- 677 Automate
- 173 Apps
- 451 APIs & Domo Developer
- 45 Workflows
- 8 DomoAI
- 34 Predict
- 14 Jupyter Workspaces
- 20 R & Python Tiles
- 394 Distribute
- 113 Domo Everywhere
- 275 Scheduled Reports
- 6 Software Integrations
- 121 Manage
- 118 Governance & Security
- Domo Community Gallery
- 32 Product Releases
- 10 Domo University
- 5.4K Community Forums
- 40 Getting Started
- 30 Community Member Introductions
- 108 Community Announcements
- 4.8K Archive