How to get group or role membership from Google Apps SAML2 identity provider

I set up my Google Apps for Work Unlimited account as a SAML2 identity provider and registered my web application as a service provider (as explained in the links below). It works fine: I can log in to my application after logging in to Google with the user. My problem is that I have to give this user access to resources based on his role or group in Google, and I cannot figure out how to send this membership information back to the service provider. It seems that I cannot use the attribute mapping function to map the user field to "groups". Does anyone know if this is a limitation of Google Apps for Work Unlimited? Should I send group memberships differently? How? I know that roles and group membership are completely different things; I just need a way to differentiate user privileges. Maybe you can think of another way to differentiate them? I need to know, for example, whether they are administrators or just users in Google Apps. How can I do this?

[1] https://support.google.com/a/answer/6087519?hl=en

[2] https://robinpowered.com/blog/how-to-set-up-saml-with-google-apps/

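Whatever the identity provider ends up emitting, the standard SAML 2.0 way to carry group membership is a multi-valued Attribute inside the assertion's AttributeStatement, and the service provider decides privileges by mapping those values to its own roles. The following is an added example of that service-provider side, not code from the original post or from Google; the SAML Response is constructed by hand (signature omitted), and the attribute name "groups", the group names and the GROUP_TO_ROLE mapping are assumptions. The page does not settle whether Google Apps will emit such an attribute; the example shows what the service provider must do with it once it arrives.

```python
"""Service-provider side: derive application roles from a SAML 2.0 assertion.

Added example, not from the original post. The Response below is constructed;
the attribute name "groups", the group names and GROUP_TO_ROLE are assumptions.

Caveat: attributes are only trustworthy AFTER the XML signature on the Response
or Assertion has been verified against the IdP certificate (for example with
python3-saml). This snippet assumes that step already happened and shows only
the extraction and authorization logic. In production, parse with defusedxml
rather than the stdlib parser to avoid XML entity-expansion attacks.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: one signature-stripped Response carrying one Assertion
# whose AttributeStatement lists two groups for the user.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2016-01-01T00:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-01-01T00:00:00Z" NotOnOrAfter="2016-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Engineering</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>app-users@example.com</saml:AttributeValue>
        <saml:AttributeValue>app-admins@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical mapping from IdP group names to application roles. Unknown
# groups are ignored rather than granted anything.
GROUP_TO_ROLE = {
    "app-admins@example.com": "admin",
    "app-users@example.com": "user",
}


def extract_attributes(response_xml: str) -> dict:
    """Return {attribute_name: [values, ...]} from the AttributeStatement.

    Multi-valued attributes (the normal way to carry a group list) keep
    every AttributeValue instead of only the first one.
    """
    root = ET.fromstring(response_xml)
    attrs: dict = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.findall(path, NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def roles_for(response_xml: str, expected_audience: str) -> set:
    """Map the user's groups to application roles.

    Refuses an assertion whose AudienceRestriction does not name this SP, so
    an assertion issued for another application cannot be replayed here.
    """
    root = ET.fromstring(response_xml)
    path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = {(a.text or "").strip() for a in root.findall(path, NS)}
    if expected_audience not in audiences:
        raise ValueError("assertion audience mismatch")
    groups = extract_attributes(response_xml).get("groups", [])
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def is_admin(response_xml: str, expected_audience: str = "https://sp.example.com") -> bool:
    """True only if one of the asserted groups maps to the admin role."""
    return "admin" in roles_for(response_xml, expected_audience)


if __name__ == "__main__":
    print(extract_attributes(SAMPLE_RESPONSE))
    print(sorted(roles_for(SAMPLE_RESPONSE, "https://sp.example.com")))
    print("admin" if is_admin(SAMPLE_RESPONSE) else "user")
```

The point of keeping the group-to-role mapping on the service-provider side is that the identity provider only has to assert facts (which groups the user is in); the application decides what those facts mean, and a group the application does not know about grants nothing. Signature verification, NotBefore/NotOnOrAfter checks and InResponseTo matching still have to happen before any of this code is reached.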

Source: https://habr.com/ru/post/1625002/

