--- title: "Set up SAML Group Mapping with Azure AD" slug: "set-up-saml-group-mapping-with-azure-ad" updated: 2025-04-04T09:35:35Z published: 2025-04-04T09:35:35Z --- > ## Documentation Index > Fetch the complete documentation index at: https://traceabledocs.document360.io/llms.txt > Use this file to discover all available pages before exploring further. # Set up SAML Group Mapping with Azure AD This topic explains how to configure SAML-based Single Sign-On (SSO) using Microsoft Entra ID (formerly Azure Active Directory) and enable group mapping so Traceable can automatically assign user roles based on Azure group membership. This guide is intended for Azure AD administrators. --- ## Before You Begin Ensure you have the following: - Admin access to Microsoft Entra ID/Azure AD. - The Traceable enterprise application has already been added and configured for SAML. - Azure groups have already been created, and users have been assigned to them. - Admin access to the Traceable UI. --- ## Step 1: Configure Group Claims in Azure AD 1. Sign in to the **Microsoft Entra admin center** 2. Go to **Enterprise applications → [Your Traceable App]** 3. Under **Manage**, click **Single sign-on** 4. In the **Attributes & Claims** section, click **Edit** 5. Click **+ Add a group claim** 6. Choose one of the following options: - All groups — includes all groups assigned to the user - Security groups — includes only security groups 7. Choose ID as the group identifier format (or use Group Names if supported) 8. (Optional) Filter groups using advanced filters 9. Click **Save** This ensures that Azure AD includes the group information in the SAML response. --- ## Step 2: Test and Extract the Group Attribute Name 1. In the **Single sign-on** section of your Traceable app, click **Test** 2. Use the built-in test user or sign in with a real user to complete a test login 3. Download or inspect the SAML response 4. Look for entries like: ```xml  GroupObjectID ``` Depending on how group claims are configured, the attribute name may vary (you may also see `groups`, `roles`, etc.). Note the exact name and group values. --- ## Step 3: Map Groups to Roles in Traceable 1. In the Traceable UI, go to **Configuration → Team** 2. Click the **SAML Config** tab 3. Enter the exact group attribute name from the Azure SAML assertion 4. Click **+ Add Group** to define mappings: - SAML Group: Enter the Object ID or group name received from Azure - Role: Choose the corresponding Traceable role - Scope: Define whether the role applies globally or to specific apps 5. Click **Add Role**, then **Save** --- ## What’s Next? After setup: - Users signing in through Azure AD will be assigned roles based on group membership - You can update or remove group-role mappings at any time Return to the [SAML Configuration](/docs/saml-configuration) topic to continue with the rest of the SAML configuration process.