NetScaler-13.1-How to implement authorization policy for Oauth user groups


Article ID: CTX692535


Description

In an OAuth response, the user's groups can be carried in a custom field. However, NetScaler cannot directly map the group string in that field to the group attribute of the user.

A common question is how to apply an authorization policy based on OAuth user groups. In this example, the default authorization action is set to DENY, and access is allowed only for specific groups.


Instructions

1. In the OAuth SP profile, expand More and, under Attribute 1, enter the name of the field that carries the user group in the OAuth response. After this, the OAuth user groups are extracted from the response and stored as a user attribute.


2. Create an AAA group in NetScaler

add aaa group <aaa_group_name>



3. Bind the AAA group as the authorization group in the session profile. After this step, every user who passes authentication is placed in the AAA group.

set vpn sessionAction <sessionAction_name> -defaultAuthorizationAction DENY -authorizationGroup "<aaa_group_name>"




4. Create an authorization policy that evaluates the user attribute holding the OAuth user group.

add policy patset <patset_name>
bind policy patset <patset_name> <aaa_group_name>
add authorization policy <author_pol_name> "AAA.USER.ATTRIBUTE(\"groups\").CONTAINS_ANY(\"<patset_name>\")" ALLOW
=> In this example, "groups" is the name of the field carrying the user group in the OAuth response; it was saved to Attribute 1 in the first step.
A patset holds the OAuth group names so that the policy does not need to be changed when there are many different groups.



5. Bind the authorization policy to the AAA group. Users whose OAuth groups match the policy expression are then granted access; everyone else falls through to the default DENY action.

bind aaa group <aaa_group_name> -policy <author_pol_name> -priority 100 -gotoPriorityExpression NEXT
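The complete sequence from steps 2 to 5 with concrete names, as an added worked example (not from the original article); all object names are constructed, the OAuth action name and its -Attribute1 parameter are assumptions, and the show commands at the end are used to verify the result.

```text
# Step 1 equivalent on the CLI (assumption: the OAuth action already exists and
# the "Attribute 1" field of the GUI maps to the -Attribute1 parameter).
set authentication OAuthAction oauth_act_idp -Attribute1 "groups"

# Step 2: AAA group that every authenticated OAuth user will be placed in.
add aaa group oauth_users

# Step 3: default DENY, and put authenticated users in the AAA group.
set vpn sessionAction vpn_sess_oauth -defaultAuthorizationAction DENY -authorizationGroup "oauth_users"

# Step 4: patset with the OAuth group names that are allowed, then the ALLOW policy.
# CONTAINS_ANY matches substrings, so bind full group names (a short entry such
# as "admin" would also match a group called "sysadmin").
add policy patset oauth_allowed_groups
bind policy patset oauth_allowed_groups "finance-app-users"
bind policy patset oauth_allowed_groups "finance-app-admins"
add authorization policy authz_allow_oauth_groups "AAA.USER.ATTRIBUTE(\"groups\").CONTAINS_ANY(\"oauth_allowed_groups\")" ALLOW

# Step 5: bind the ALLOW policy to the AAA group; non-matching users keep the default DENY.
bind aaa group oauth_users -policy authz_allow_oauth_groups -priority 100 -gotoPriorityExpression NEXT

# Verify the bindings and the policy hit counter after a test login.
show aaa group oauth_users
show authorization policy authz_allow_oauth_groups
```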