Single Sign On with SAML group claims


Horvath, Michael

Oct 30, 2025, 11:25:48 AM
to i2b2-ins...@googlegroups.com
I wasn't able to find examples of mapping attributes in the response from the IdP to roles in i2b2. We have Active Directory groups that we would use for authorization (active CITI training completed, in our case) that we would like to map to our projects and roles (https://community.i2b2.org/wiki/display/ServersideArchitectureHome/User+Roles). Our IdP (Microsoft Entra) can add groups to the claims in the SAML response. This is a common practice in general for SSO applications, where the IdP returns group claim information in the authentication response and the SP, i2b2 in this case, uses that for authorization.

I see a set of standard account name information attributes, but nothing specific to group claims: https://community.i2b2.org/wiki/pages/viewpage.action?pageId=55706050#Chapter8.SAMLSetupfori2b2(v1.7.13release)-UpdatingtheAttribute-MapXMLFile. Does anyone know if it's possible to do this authorization step through configuration of Shibboleth, or would that need to be a feature request to modify the client + application server?


Michael Horvath, MS
Lead Programmer / Analyst
Clinical and Translational Science Institute
486 N. Patterson Ave. \ Winston-Salem, NC 27101
p 336.716.0747 \ Michael...@advocatehealth.org \ https://ctsi.wakehealth.edu

Note: My email has changed to Michael...@advocatehealth.org

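The SP-side pattern the question describes (group values taken from the IdP's groups claim and mapped to application roles, deny by default) as an added, stand-alone Python example. It is not i2b2 code and does not reflect how i2b2 or its Shibboleth setup assigns roles; i2b2 roles are still configured in the Project Management cell. The assertion, the group object IDs, the CITI gate group and the group-to-role table are all constructed for the example, and the i2b2 role names are used illustratively. Signature, audience and validity-window checks are assumed to have been done by the SP before any of this runs.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim name Microsoft Entra uses for the groups claim in a SAML response.
ENTRA_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical group object IDs, constructed for this example. Entra emits
# group object IDs by default, so map on the ID rather than a display name.
CITI_TRAINED_GROUP = "11111111-1111-1111-1111-111111111111"
DEID_ANALYSTS_GROUP = "22222222-2222-2222-2222-222222222222"
UNMAPPED_GROUP = "33333333-3333-3333-3333-333333333333"

# Hypothetical group -> (project, role) table. Role names follow the i2b2
# role vocabulary linked in the question; the assignments are invented.
GROUP_TO_ROLE = {
    CITI_TRAINED_GROUP: ("Demo", "USER"),
    DEID_ANALYSTS_GROUP: ("Demo", "DATA_DEID"),
}

# Constructed, unsigned sample assertion: two mapped groups and one unmapped one.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ENTRA_GROUPS_CLAIM}">
      <saml:AttributeValue>{CITI_TRAINED_GROUP}</saml:AttributeValue>
      <saml:AttributeValue>{DEID_ANALYSTS_GROUP}</saml:AttributeValue>
      <saml:AttributeValue>{UNMAPPED_GROUP}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with the CITI gate group swapped for an unknown one.
NO_GATE_ASSERTION = SAMPLE_ASSERTION.replace(
    CITI_TRAINED_GROUP, "44444444-4444-4444-4444-444444444444"
)


def attribute_values(assertion_xml: str, name: str) -> list[str]:
    """Return every AttributeValue of the named SAML attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != name:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def roles_from_assertion(assertion_xml: str) -> dict[str, set[str]]:
    """Derive {project: {roles}} from the groups claim.

    Deny by default: a missing groups claim or an unmapped group yields
    nothing, and no role at all is granted unless the CITI-trained gate
    group is present. Assumes the SP already verified the assertion's
    signature, audience and validity window; never call this on an
    unverified assertion.
    """
    groups = set(attribute_values(assertion_xml, ENTRA_GROUPS_CLAIM))
    if CITI_TRAINED_GROUP not in groups:
        return {}
    granted: dict[str, set[str]] = {}
    for group in groups:
        mapping = GROUP_TO_ROLE.get(group)
        if mapping is None:
            continue  # unmapped groups are ignored, never guessed at
        project, role = mapping
        granted.setdefault(project, set()).add(role)
    return granted


if __name__ == "__main__":
    print(roles_from_assertion(SAMPLE_ASSERTION))   # {'Demo': {'USER', 'DATA_DEID'}}
    print(roles_from_assertion(NO_GATE_ASSERTION))  # {}
```

The mapping is keyed on the group object ID rather than a display name because names can be renamed or collide, and the gate-group check keeps an assertion that carries only a data-access group from granting anything on its own.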

Jeff Klann

Nov 11, 2025, 2:54:29 PM
to i2b2 Install Help

If I'm understanding you correctly, I don't believe that's possible. i2b2 requires all user roles to be configured in the i2b2 Project Management cell, and we haven't implemented a way to dynamically update that through the SAML response.

Thanks,
Jeff K.

Horvath, Michael

Nov 11, 2025, 3:05:25 PM
to i2b2 Install Help
That's what I thought, but I wanted to be sure.  Thanks!
