Prerequisite
Before proceeding with this configuration, make sure you have already set up SAML-based SSO for the Tyk Dashboard using the internal Tyk Identity Broker (TIB).
You can follow the official guide here:
SSO Dashboard Access Using Internal TIB (SAML Azure)
This guide explains how to configure group-based access control between Azure and Tyk using SAML. By the end, users assigned to Azure AD groups will automatically map to the appropriate groups in Tyk.
Step 1: Create Azure AD Groups
Start by creating two groups in Azure Active Directory that will correspond to Tyk groups:
tyk-admin
tyk-read-only
Then assign users accordingly:
UserA → tyk-admin
UserB → tyk-read-only
Step 2: Configure SAML in Azure AD
Navigate to Azure Portal → Enterprise Applications.
Select your application (in this case, TykSaml).
Click Set up single sign-on → SAML.
In the Attributes & Claims section, click Edit.
Step 3: Create a new Claim
Add a new claim that will carry the user’s Tyk group membership:
Name: tyk-group
Source: Choose Attribute
Value: Define per-group conditions as described below
Step 4: Add Claim Conditions
You’ll now create claim conditions to map Azure groups to your Tyk groups.
For example:
If a user is a member of the tyk-admin group → issue claim tyk-group = tyk-admin
If a user is a member of the tyk-read-only group → issue claim tyk-group = tyk-read-only
To do this:
Under the tyk-group claim, click the dropdown arrow next to Claim conditions.
For User type, select Members.
For Scoped groups, select the target Azure AD group (e.g., tyk-admin).
Set the value to match what Tyk expects (e.g., tyk-admin).
Repeat for each group.
Step 5: Configure Group Mapping in Tyk
In the embedded Tyk TIB, specify the claim field and how Azure group values map to Tyk group IDs.
Example configuration:
"CustomUserGroupField": "tyk-group",
"UserGroupMapping": {
"tyk-admin": "675b3495421aa91def668a51",
"tyk-read-only": "680eaa8d421aa9f88831edd8"
}
Here:
"CustomUserGroupField" defines which SAML claim Tyk should read (tyk-group).
"UserGroupMapping" links each Azure group value to a Tyk group ID.
Step 6: Test the Configuration
Log in with each test user via SSO and confirm:
UserA (member of tyk-admin) inherits the tyk-admin Tyk group.
UserB (member of tyk-read-only) inherits the tyk-read-only group.
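The following script is an added illustration for Steps 5 and 6, not Tyk Identity Broker code. It reproduces the claim-to-group lookup that the "CustomUserGroupField" and "UserGroupMapping" settings describe, using constructed SAML assertions that carry the tyk-group claim exactly as the claim conditions in Step 4 would issue it, so you can check the mapping table before logging in with the test users. The assertion builder, the helper names and the UserC sample are assumptions for the example; the group IDs are the ones shown in the configuration above.

```python
"""Simulate the tyk-group claim -> Tyk group ID mapping (added example, not TIB code)."""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Profile fragment from Step 5 (group IDs as printed on the page).
PROFILE = {
    "CustomUserGroupField": "tyk-group",
    "UserGroupMapping": {
        "tyk-admin": "675b3495421aa91def668a51",
        "tyk-read-only": "680eaa8d421aa9f88831edd8",
    },
}


def build_assertion(name_id, group_values):
    """Constructed minimal SAML 2.0 assertion with an AttributeStatement.

    Test data only; a real Azure AD response is signed and carries more elements.
    """
    values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in group_values
    )
    return f"""<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="tyk-group">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claim(assertion_xml, claim_name):
    """Return every value of the named SAML attribute (empty list if the claim is absent)."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_ASSERTION_NS}
    found = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("Name") == claim_name:
            found.extend(
                v.text.strip() for v in attr.findall("saml:AttributeValue", ns) if v.text
            )
    return found


def resolve_group_ids(assertion_xml, profile):
    """Map claim values to Tyk group IDs via UserGroupMapping.

    Values with no entry in the mapping are reported separately rather than
    silently dropped, so a misnamed Azure group shows up when testing.
    """
    values = extract_claim(assertion_xml, profile["CustomUserGroupField"])
    mapping = profile["UserGroupMapping"]
    return {
        "group_ids": [mapping[v] for v in values if v in mapping],
        "unmapped": [v for v in values if v not in mapping],
    }


if __name__ == "__main__":
    # Step 6 scenario: UserA is in tyk-admin, UserB in tyk-read-only.
    # UserC (constructed) is in an Azure group with no mapping entry.
    for user, groups in (("UserA", ["tyk-admin"]),
                         ("UserB", ["tyk-read-only"]),
                         ("UserC", ["finance-team"])):
        print(user, resolve_group_ids(build_assertion(user, groups), PROFILE))
```

Running the script prints one result per user; UserA and UserB resolve to the two group IDs from the profile, while UserC's claim value appears under "unmapped" and yields no group ID, which is the outcome to look for when a user belongs to an Azure group that was never added to "UserGroupMapping".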