We’re using the JIT SAML configuration for authenticating users in DataMiner. Currently, we add an Azure group to the allowlist in both the Azure Enterprise Application and DataMiner Cube. However, we only add groups that have direct members. Would it be possible to add a group that doesn’t have direct members but is instead comprised of other groups (nested groups)?
Reza Biglari [DevOps Advocate] Selected answer as best 23rd January 2025
Hello,
I tested this and apparently Azure itself does not do flattening for this purpose so members of child groups will not have access to the application if a parent group has been assigned.
Only groups that are added directly to the app registration will be listed in the SAML response, so Dataminer will have no knowledge of further nested groups
Reza Biglari [DevOps Advocate] Selected answer as best 23rd January 2025