Help: sso

JodiStende · January 30, 2025, 2:48pm

Hi - My company is currently implimenting the eGain Knowledge solution. We have SSO set up to pull the “department” field information from our Entra tenant for each individual. This department field is a dynamic field driven by our HRIS system to ensure the department listed for each employee is most accurate. The department field is then configured as the user.group which is then fed into egain for the SSO match.

The SSO is working as expected, however - we have one issue we can’t seem to acocunt for. Since the user.group is the department, we are able to easily assign role group permissions for the majority of our population. The issue is that when someone (like myslef) who has a department that is the same as several others needs additional permissions. When I log in through SSO, the SSO removes my KB Manager access and applied the access that my entire department needs and should have. (Again - this is how it’s SUPPOSED to work, BUT how do I grant additional access to one or 2 people who need different access than that of the defined department/user.group?)

Can 2 user.groups be sent for a single SSO log in?

MarkHerman · January 31, 2025, 2:28pm

Typically, yes, multiple User Groups are sent with the SSO. And, those additional User Groups give you the additional access you need.

JodiStende · January 31, 2025, 2:42pm

Mark - would you be able to share a screen shot showing the information coming from the identity provider and how those 2 groups are mapped? Or would you be willing to hop on a call to discuss?

MarkHerman · January 31, 2025, 3:16pm

Here is an example of the user.group SAML response for my user:

		<Attribute Name="user.groups">
			<AttributeValue>Employees - US</AttributeValue>
			<AttributeValue>eGain Core Demo Users</AttributeValue>
			<AttributeValue>eBrain RFP Library Authors</AttributeValue>
			<AttributeValue>eBrain RFP Library Admins</AttributeValue>
		</Attribute>

I shortened the list, as it was pretty long. But, the idea is that in the SAML response to eGain, you create the Attribute “user.groups” and provide multiple AttributeValue entries.

I hope this answers your question.

FYI, if you submit any User Groups in the SAML token that are not in the eGain system, they will be ignored.

ABell · February 3, 2025, 4:02pm

Hi @JodiStende - There is a limit of 150 supported groups in default SAML login flow, which should be more than enough

As Mark rightly says, if any of those sent group names match the eGain groups, then the lookup will work, the role and licence from the groups will be correctly derived.

You can also use Entra\Azure Conditional Claims to pass ‘friendly names’ to match the pre-created eGain groups, as we did on previous project. For example my AD group called “eGainAgent 123” can be passed as “CCD Agents” claim value. This means less groups and less group maintenance in eGain.

Topic		Replies	Views
SSO in eGain cloud using SAML2.0 Marketplace	2	128	September 25, 2021
User Properties report in Analytics Analytics Hub	4	163	February 4, 2022
SIEM - Security Platform + Developer	0	3	February 3, 2025
Enhancing Login Performance with New Utility Conversation Hub	0	78	April 3, 2024
Activities on Social Media Channels Conversation Hub	4	118	February 18, 2022

Help: sso

Related topics