Closed BrentRose closed 2 years ago
Are the groups being included in the assertion as part of the memberOf attribute?
According to my SAML guy it is. Is there any way I can see what's in the assertion?
The easiest way is to use the SAML Tracer browser plugin: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en (the same plugin can be installed on Firefox and Edge). If you can't run those plugins, you can set up debug logging and the assertion will get printed to the logs.
Sweet! I'll give that a shot. Thanks as always for your quick turnaround.
Would I be able to see the group membership in the output of SAML Tracer or would I need to decrypt something? I don't see it in the text.
Assuming you aren't encrypting the assertion, you should see it there. Look for the POST to https://youropenunison/auth/saml2 (it will have a label called SAML) and click on it. At the bottom of the screen it will have tabs for the raw HTTP, parameters, SAML, and Summary. Click on Summary and under SAML 2.0 AttributeStatement you should see your groups.
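When the browser plugin is not an option (a headless client, or a dump taken from a proxy), the same check can be scripted. The following is an added example, not OpenUnison's code or anything posted in this thread: it base64-decodes the SAMLResponse form field of the POST to /auth/saml2, walks every AttributeStatement, and prints each attribute with its values, so a missing memberOf shows up as an empty list. The response XML, the issuer idp.example.com and the group DNs are constructed sample data; only the Destination URL comes from the thread. It does not verify the XML signature, so it is a diagnostic, not something to base an authorization decision on, and it reports rather than decrypts an EncryptedAssertion, which needs the SP's private key.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response and the assertion it carries
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a captured message): the XML an IdP would POST,
# base64-encoded, in the SAMLResponse form field. idp.example.com and the
# group DNs are made up; the Destination is the endpoint named in the thread.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z" Destination="https://youropenunison/auth/saml2">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>cn=k8s-admins,ou=groups,dc=example,dc=com</saml:AttributeValue>
        <saml:AttributeValue>cn=developers,ou=groups,dc=example,dc=com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Constructed sample of the case SAML Tracer cannot show you: the IdP encrypted
# the assertion, so only the SP's private key can reveal the attributes.
SAMPLE_ENCRYPTED_PARAM = base64.b64encode(
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">'
    b"<saml:EncryptedAssertion/></samlp:Response>"
).decode()


def decode_saml_response(saml_response_param):
    """Undo the HTTP-POST binding encoding: the form field is plain base64 of
    the XML (the DEFLATE step applies only to the HTTP-Redirect binding)."""
    return base64.b64decode(saml_response_param)


def extract_attributes(xml_bytes):
    """Return {attribute name: [values]} from every AttributeStatement.
    This only reads the message; it does NOT verify the XML signature, so use
    it to inspect traffic you captured, never to make an access decision."""
    root = ET.fromstring(xml_bytes)
    if (root.find(".//saml:Assertion", NS) is None
            and root.find(".//saml:EncryptedAssertion", NS) is not None):
        raise ValueError("assertion is encrypted; decrypt with the SP private key first")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def groups_from_response(saml_response_param, group_attr="memberOf"):
    """The group values the IdP sent under `group_attr`, or [] when the
    attribute is missing (the misconfiguration found in this thread)."""
    return extract_attributes(decode_saml_response(saml_response_param)).get(group_attr, [])


if __name__ == "__main__":
    for name, values in extract_attributes(decode_saml_response(SAMPLE_SAML_RESPONSE_PARAM)).items():
        print(f"{name}: {values}")
```

To use it on real traffic, paste the SAMLResponse value from the POST body (URL-decoded) in place of SAMPLE_SAML_RESPONSE_PARAM. If the attribute you expect comes back empty while the IdP admin says it is sent, check the Name the IdP actually uses (some send a URN or OID rather than "memberOf"); parsing XML from a source you do not control is safer with defusedxml than with the standard library parser.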
We got this sorted out and it was an issue on the SAML IdP side where it wasn't passing the memberOf attribute. Thanks for showing me how to verify this @mlbiam
I've got my setup up and running and I'm able to provide access by referencing usernames in the role binding. I'm having trouble using group membership. When I look at my users.openunison.tremolo.io user object the groups field is empty. I've tried using 'groups' and 'memberOf' in the kube-apiserver --oidc-groups-claim parameter. I'm hoping there is a way to increase logging or something to help me find what I'm missing?
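The value passed to --oidc-groups-claim has to match, character for character, the claim name the OIDC provider puts in the id_token, and the API server only reads that token, so the quickest check is to decode an id_token issued for the user and look at its claims. The following is an added example and not OpenUnison's or Kubernetes' code: it splits a compact JWT, base64url-decodes the payload, and reports whether the named claim is present and holds the array of strings the API server expects, listing the array-valued claims that are present when it is not. The token is constructed locally with a hypothetical helper (make_unsigned_jwt) and an empty signature; the issuer idp.example.com and the group names are made up. Decoding without verifying the signature is fine for inspecting a token you just obtained yourself, and for nothing else.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload):
    """Hypothetical helper for building a sample token offline. The signature
    segment is empty, so the result is only good for reading claims."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def jwt_claims(token):
    """Return the payload claims WITHOUT verifying the signature. The API server
    does the real verification against the issuer's JWKS; this is diagnostics."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_groups_claim(token, claim_name):
    """Report whether `claim_name` (what you pass to --oidc-groups-claim) is in
    the token and carries an array of strings, the form the apiserver documents."""
    claims = jwt_claims(token)
    if claim_name not in claims:
        return {"present": False, "groups": [],
                "note": "claim missing; array-valued claims in this token are listed",
                "candidates": [k for k, v in claims.items() if isinstance(v, list)]}
    value = claims[claim_name]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return {"present": True, "groups": value, "note": "ok", "candidates": []}
    if isinstance(value, str):
        return {"present": True, "groups": [value],
                "note": "bare string; the documented form is an array of strings",
                "candidates": []}
    return {"present": True, "groups": [],
            "note": f"unsupported type {type(value).__name__}", "candidates": []}


# Constructed sample id_token: the provider sends the groups under "groups",
# so --oidc-groups-claim=memberOf would leave the user with no groups.
SAMPLE_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://idp.example.com",
    "sub": "jdoe",
    "aud": "kubernetes",
    "exp": 1893456000,
    "groups": ["k8s-admins", "developers"],
})

if __name__ == "__main__":
    for name in ("memberOf", "groups"):
        print(name, check_groups_claim(SAMPLE_ID_TOKEN, name))
```

Run it against the id_token from your kubeconfig (or from the provider's token response) in place of SAMPLE_ID_TOKEN. If the claim is present and well-typed but the user object still shows no groups, the mismatch is between the apiserver's view and the provider's, so compare the claim name with the --oidc-groups-claim value actually in effect on the running apiserver process rather than in the manifest you edited.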