Hello,
If you use the SAML Trace tool, you will notice that the group information (object IDs) is within the "group" tag.
Like this:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>1bd5ea35-051f-40fd-bc2a-87693900953d</AttributeValue>
<AttributeValue>fec3a8e2-f35c-437d-8191-f850da332f5c</AttributeValue>
</Attribute>
As this article explains ( https://www.splunk.com/blog/2017/11/20/configuring-microsoft-s-azure-security-assertion-markup-language-saml-single-sign-on-sso-with-splunk-cloud-azure-portal.html ), you need to specify "Role alias" and create a SAML group in Splunk Cloud. The group name needs to be the object ID of your Azure group.
In the above example, I created a group in Azure and put my user into the Azure group. The group's object ID is fec3a8e2-f35c-437d-8191-f850da332f5c. That's why I created the "fec3a8e2-f35c-437d-8191-f850da332f5c" SAML group in Splunk Cloud.
Then, everything works perfectly.
Please try this. This was confirmed on 2019/Feb/3.
Takashi.
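A troubleshooting check for the mapping described in the answer above, as an added example that is not part of the original post or Splunk's own code: it extracts the object IDs from the groups claim of a captured assertion and compares them with the SAML group names created in Splunk. The group-to-role table, the function names and the exact-string comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: an AttributeStatement as copied out of a SAML trace,
# carrying the two object IDs shown in the post.
SAMPLE = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>1bd5ea35-051f-40fd-bc2a-87693900953d</AttributeValue>
    <AttributeValue>fec3a8e2-f35c-437d-8191-f850da332f5c</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Constructed: SAML group name as created in Splunk -> roles (hypothetical).
SPLUNK_SAML_GROUPS = {
    "fec3a8e2-f35c-437d-8191-f850da332f5c": ["user"],
    "Splunk-Admins": ["admin"],  # a display name never equals an object ID
}


def _local(tag):
    """Strip any '{namespace}' prefix so prefixed and bare XML both parse."""
    return tag.rsplit("}", 1)[-1]


def group_ids(xml_text):
    """Return the values of the Azure 'groups' claim, in document order."""
    ids = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "Attribute" and el.get("Name") == GROUPS_CLAIM:
            ids += [(v.text or "").strip() for v in el
                    if _local(v.tag) == "AttributeValue"]
    return ids


def resolve(xml_text, saml_groups):
    """Compare claimed object IDs with Splunk SAML group names (exact match)."""
    claimed = group_ids(xml_text)
    roles = sorted({r for g in claimed for r in saml_groups.get(g, [])})
    unmatched = [g for g in claimed if g not in saml_groups]
    unused = [g for g in saml_groups if g not in claimed]
    return roles, unmatched, unused


if __name__ == "__main__":
    roles, unmatched, unused = resolve(SAMPLE, SPLUNK_SAML_GROUPS)
    print("roles granted:", roles)
    print("claimed IDs with no SAML group:", unmatched)
    print("SAML groups not in the assertion:", unused)
```

A SAML group that shows up as unused while the user is a member of the corresponding Azure group usually means the group was named after the display name rather than the object ID.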