APM VPN with Azure AD as SAML IdP
Hello there,
I'm implementing the APM part of the VPN implementation that should use Azure AD as SAML IdP. The SAML part works fine as such, but there are problems having the Azure AD groups returned in the SAML response. This is the best the Azure AD administrator has got me so far:
410de111-34ab-4b4f-8722-0ecbcd840c39
2463f452-7382-49f5-ace0-bafdc8816b2b
So, the groups are UUID only. They have found no way to return the actual group names in the SAML response. I've checked the full SAML response in the "sessiondump --allkeys" output.
Does anyone have specific tips that could be tried on the Azure AD side to get it to return the AD group names in the SAML response?
One workaround was tried so that the AAD admin configured roles for the users:
RoleName2
RoleName1
These are shown in APM session variable:
da859cb2.session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role 25 | RoleName2 | RoleName1 |
I can parse that output in TCL and translate it in this format:
da859cb2.session.ad.last.attr.memberOf 31 | CN=RoleName2 | CN=RoleName1 |
And now I can use "AD Group Resource Assign" to match the correct VPN properties based on the roles.
So, I'm hoping to be able to get the actual AD group names from Azure AD, instead of using the UUIDs or the admin-generated roles. Any hints?
Markku
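The role-to-memberOf translation described in the post above, written out as an added example (not the poster's own iRule): an APM iRule Event agent, assumed here to have the agent ID "roles_to_memberof" and to sit in the access policy before the "AD Group Resource Assign" item, that copies the SAML role claim into the memberOf session variable in the "| CN=... |" layout that item expects.

```tcl
# Added example. Assumes an "iRule Event" agent with ID "roles_to_memberof"
# placed after the SAML Auth agent (so the assertion signature has already
# been validated by APM) and before "AD Group Resource Assign".
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "roles_to_memberof" } { return }

    # Multi-valued APM attribute, e.g. "| RoleName2 | RoleName1 |"
    set roles [ACCESS::session data get \
        "session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]

    set cns [list]
    foreach role [split $roles "|"] {
        set role [string trim $role]
        # Skip empty segments produced by the leading/trailing "|"
        if { $role ne "" } {
            lappend cns "CN=$role"
        }
    }

    if { [llength $cns] == 0 } {
        # No roles in the assertion: leave memberOf empty so no group
        # based resource is assigned for this session.
        ACCESS::session data set session.ad.last.attr.memberOf ""
        return
    }

    # Produces "| CN=RoleName2 | CN=RoleName1 |"
    ACCESS::session data set session.ad.last.attr.memberOf \
        "| [join $cns " | "] |"
}
```

The constructed value "| RoleName2 | RoleName1 |" yields "| CN=RoleName2 | CN=RoleName1 |", matching the sessiondump line shown in the post.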