Set up SAML Group Mapping with Azure AD

This topic explains how to configure SAML-based Single Sign-On (SSO) using Microsoft Entra ID (formerly Azure Active Directory) and enable group mapping so Traceable can automatically assign user roles based on Azure group membership.

This guide is intended for Azure AD administrators.


Before You Begin

Ensure you have the following:

  • Admin access to Microsoft Entra ID/Azure AD.

  • The Traceable enterprise application has already been added and configured for SAML.

  • Azure groups have already been created, and users have been assigned to them.

  • Admin access to the Traceable UI.


Step 1: Configure Group Claims in Azure AD

  1. Sign in to the Microsoft Entra admin center

  2. Go to Enterprise applications → [Your Traceable App]

  3. Under Manage, click Single sign-on

  4. In the Attributes & Claims section, click Edit

  5. Click + Add a group claim

  6. Choose one of the following options:

    • All groups — includes all groups assigned to the user

    • Security groups — includes only security groups

  7. Choose ID as the group identifier format (or use Group Names if supported)

  8. (Optional) Filter groups using advanced filters

  9. Click Save

This ensures that Azure AD includes the group information in the SAML response.


Step 2: Test and Extract the Group Attribute Name

  1. In the Single sign-on section of your Traceable app, click Test

  2. Use the built-in test user or sign in with a real user to complete a test login

  3. Download or inspect the SAML response

  4. Look for entries like:

    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>GroupObjectID</AttributeValue>
    </Attribute>

Depending on how group claims are configured, the attribute name may vary (you may also see groups, roles, etc.). Note the exact attribute name and the group values, as both are entered in Traceable in Step 3.


Step 3: Map Groups to Roles in Traceable

  1. In the Traceable UI, go to Configuration → Team

  2. Click the SAML Config tab

  3. Enter the exact group attribute name from the Azure SAML assertion

  4. Click + Add Group to define mappings:

    • SAML Group: Enter the Object ID or group name received from Azure

    • Role: Choose the corresponding Traceable role

    • Scope: Define whether the role applies globally or to specific apps

  5. Click Add Role, then Save
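The check below is an added example, not Traceable or Microsoft code. It pulls the attribute names and values out of a captured test SAML response (Step 2) and compares them with the group-to-role mappings you plan to enter (Step 3). It shows what happens when the attribute name is not an exact match. The sample assertion, the object IDs and the role names are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: a trimmed, unsigned response shaped like the snippet in Step 2.
# The object IDs are placeholders, not real group IDs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Assertion><AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>00000000-0000-0000-0000-000000000001</AttributeValue>
      <AttributeValue>00000000-0000-0000-0000-000000000002</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <AttributeValue>user@example.com</AttributeValue>
    </Attribute>
  </AttributeStatement></Assertion>
</samlp:Response>"""
# The HTTP-POST binding carries the response base64-encoded in the SAMLResponse field.
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")

def decode_saml_response(b64_text):
    """Decode a captured SAMLResponse form field to XML text."""
    return base64.b64decode(b64_text).decode("utf-8")

def extract_attributes(xml_text):
    """Return {attribute name: [values]} for every Attribute in the response.
    Use only on responses captured from your own test login (no signature check here)."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_mappings(attrs, group_attribute, mappings):
    """Compare received group values with planned SAML Group -> Role mappings."""
    received = attrs.get(group_attribute)
    if received is None:  # name must match the assertion exactly, including the URI
        return {"error": f"attribute {group_attribute!r} not in assertion",
                "seen": sorted(attrs)}
    return {
        "roles": sorted({mappings[g] for g in received if g in mappings}),
        "unmapped_groups": [g for g in received if g not in mappings],
        "unused_mappings": [g for g in mappings if g not in received],
    }
```

Groups listed under `unmapped_groups` reach Traceable in the assertion but have no mapping configured for them; entries under `unused_mappings` usually indicate a mistyped Object ID or a group the test user is not in.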


What’s Next?

After setup:

  • Users signing in through Azure AD will be assigned roles based on group membership

  • You can update or remove group-role mappings at any time

Return to the SAML Configuration topic to continue with the rest of the SAML configuration process.