Hi everyone,
We’ve configured SAML authentication in IBM SOAR using AzureAD as the identity provider. The SAML assertion includes standard claims such as:


The authentication flow completes successfully, and the user is created in SOAR. However, the group claim (which is correctly sent and visible in the logs) is not used to assign the user to any group or role within SOAR.
We also enabled the -createusers flag during SAML setup. This causes SOAR to create the user in all organizations, regardless of whether the group exists in those orgs.
This behavior is problematic in multi-org environments. Ideally, user provisioning should be scoped to the organization(s) where the group exists.
Expected Behavior:
- AzureAD user X is a member of group Y.
- In SOAR, group Y exists only in Organization A, and has the role "Operator".
- When user X logs in:
  - They should be created only in Organization A.
  - They should be assigned to group Y and inherit the associated role.
  - They should not be created in Organizations B, C, or D, where group Y does not exist.
Questions:
- Is there a way to restrict user creation to specific organizations based on group claims?
- Can SOAR be configured to map group claims only if the group exists in the target organization?
- If not, is there a recommended alternative for scoped user provisioning in multi-org setups?
Any guidance or examples would be greatly appreciated.
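To make the expected behaviour concrete, here is an added example (not code from the post, and not an IBM SOAR API) that pulls the group values out of a constructed SAML assertion and works out which organizations a user should be provisioned into. It assumes a hypothetical ORG_GROUPS table standing in for the per-organization group/role configuration SOAR holds, and uses the standard Azure AD groups claim name; the assertion text is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion (not a real SOAR log capture): one AttributeStatement
# carrying the Azure AD groups claim with two group values, Y and Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user.x@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Y</saml:AttributeValue>
      <saml:AttributeValue>Z</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard Azure AD groups claim name (carried as the SAML Attribute Name).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical per-organization table: org -> {group name: role}. Group Y exists
# only in Organization A with role Operator, mirroring the scenario in the post.
ORG_GROUPS = {
    "Organization A": {"Y": "Operator"},
    "Organization B": {},
    "Organization C": {"Q": "Observer"},
    "Organization D": {},
}


def extract_groups(assertion_xml: str) -> list:
    """Return the group values carried in the assertion's groups claim, in order.

    In a real deployment the assertion's signature must be verified before any
    attribute is trusted; this helper only shows the attribute extraction step.
    """
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def scoped_provisioning(groups: list, org_groups: dict) -> dict:
    """Decide where a user should be created: {org: {group: role}}.

    An organization appears in the result only if at least one claimed group
    exists there, so orgs without a matching group get no user at all.
    """
    plan = {}
    for org, table in org_groups.items():
        matched = {g: table[g] for g in groups if g in table}
        if matched:
            plan[org] = matched
    return plan


if __name__ == "__main__":
    claimed = extract_groups(SAMPLE_ASSERTION)
    print("groups in assertion:", claimed)
    print("provisioning plan:", scoped_provisioning(claimed, ORG_GROUPS))
```

With the constructed assertion the plan contains only Organization A, mapping group Y to the Operator role; group Z matches nowhere, and Organizations B, C and D are left untouched, which is the scoping the post asks for. Any org/group pair missing from the table yields no provisioning, so an unexpected group value in the claim cannot create a user anywhere.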