
Steps to configure

Introduction

A Holder Group can be defined as a logical grouping or collection of entities (referred to as "holders") that share similar characteristics, roles, permissions, or access requirements. The concept of a Holder Group simplifies the management of identities by enabling administrators to apply policies, assign roles, and manage permissions at the group level rather than individually.

Steps to configure

1. Group type

First, define a group type whose Role holder attribute is set to Yes. Only groups of such a type can act as holder groups.

💻 Image

https://bookstack.soffid.com/books/soffid-3-reference-guide/page/group-type

2. Groups

Then define the groups that use this group type; each of them is a holder group.

💻 Image

https://bookstack.soffid.com/books/soffid-3-reference-guide/page/groups

3. Attribute definition

Define the following attributes so that the identity provider can release them to applications:

Holder group

💻 Image

Role & group membership

💻 Image

4. Attribute sharing policies

You have to define the attribute sharing policies that release these attributes.

💻 Image

In this case, the Holder group and Role & group membership attributes will always be shared.

x. Users

--

Use cases

1. A user with no group of holder type, neither Primary nor Secondary, logs into an application --> the user logs into the application normally.

2. A user whose Primary group is of holder type and who has no Secondary group of holder type logs into an application --> the user is logged into the application with that holder group.

💻 OpenID-Connect

a. User Agatha with Primary group RRHH.

b. Group RRHH has a group type with Role holder set to Yes.

c. Login

d. Response (ID token payload decoded with jwt.io)

{
  "sub": "agatha",
  "iss": "https://sync-server.netcompose:1443",
  "holder_group": "RRHH",
  "meber_of": [
    "SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid",
    "SOFFID_VAULT_USER@soffid",
    "SOFFID_USER@soffid"
  ],
  "nonce": null,
  "sid": "mx3LQHuUdN0xpMthHAWYapFjba00r9H5",
  "aud": "angularApp",
  "azp": "angularApp",
  "auth_time": 1737014499,
  "scope": "openid profile email",
  "exp": 1737015099,
  "iat": 1737014499,
  "jti": "NYnenM6r7YDUQHfTfJEdw78gYtYEr2H7aaLkxp52LpWK-QpJY4TXBvaRxaH-VuKB",
  "email": "agatha@soffid.com"
}
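
The decoded token above shows the two claims an application receives from the sharing policy: holder_group and the released role list. The following Python is an added example, not Soffid's own code nor part of the original page: it performs the standard ID-token claim checks and then refuses a holder_group that is not backed by a SOFFID_HOLDER_<domain>/<group>@<system> entry in the released roles. It assumes the JWT signature has already been verified against the identity provider's JWKS, and it reads the membership list under the claim name that appears in the sample (meber_of), which is simply whatever name the sharing policy releases it under; the function names and the sample payload are the example's own.

```python
import json
import re
import time

# Decoded ID-token payload copied from the page's sample (constructed test input).
# Everything below assumes the JWT signature has already been verified against the
# IdP's JWKS: claims from an unverified token must not be trusted at all.
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "agatha",
  "iss": "https://sync-server.netcompose:1443",
  "holder_group": "RRHH",
  "meber_of": [
    "SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid",
    "SOFFID_VAULT_USER@soffid",
    "SOFFID_USER@soffid"
  ],
  "nonce": null,
  "aud": "angularApp",
  "azp": "angularApp",
  "auth_time": 1737014499,
  "exp": 1737015099,
  "iat": 1737014499
}
""")

# A holder-group grant is released as a role named SOFFID_HOLDER_<domain>/<group>@<system>.
HOLDER_ROLE = re.compile(r"^SOFFID_HOLDER_[^/]+/(?P<group>[^@]+)@")


def holder_groups_from_roles(roles):
    """Set of group names for which the token carries a SOFFID_HOLDER_* role."""
    found = set()
    for role in roles:
        m = HOLDER_ROLE.match(role)
        if m:
            found.add(m.group("group"))
    return found


def resolve_holder_group(claims, expected_iss, expected_aud, expected_nonce=None,
                         roles_claim="meber_of", now=None, skew=60):
    """Validate the ID-token claims and return the holder group to log the user in with.

    Returns None when the token carries no holder group (use case 1: plain login).
    Raises ValueError on any failed check; the application must then deny the login.
    `roles_claim` defaults to the name seen in the page's sample output (assumption:
    it is whatever name the attribute sharing policy releases the role list under).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if expected_aud not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != expected_aud:
        raise ValueError("azp must name this client when aud lists several")
    if not (claims["iat"] - skew <= now < claims["exp"]):
        raise ValueError("token expired or not yet valid")
    # The sample was issued without a nonce; a client that sent one must see it echoed.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")

    holder = claims.get("holder_group")
    if holder is None:
        return None
    # holder_group and the role list come from the same sharing policy, so a holder
    # group with no matching SOFFID_HOLDER_* role means a tampered or misconfigured release.
    if holder not in holder_groups_from_roles(claims.get(roles_claim, [])):
        raise ValueError(f"holder_group {holder!r} has no matching SOFFID_HOLDER role")
    return holder
```

The cross-check matters because the application typically scopes its own authorization on holder_group alone; tying it back to the SOFFID_HOLDER_* role keeps a single-claim inconsistency from silently widening access.
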
💻 SAML

a. User Agatha with Primary group RRHH.

b. Group RRHH has a group type with Role holder set to Yes.

c. Login

d. Response (SAML response with the signed assertion)

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://pat.soffid.lab:8443/soffid/saml/log/post" ID="_6743cb92d3e0ebe0572843361b8afb8f" InResponseTo="_5888a034d161c2f45e7c3d62c1ffd939" IssueInstant="2025-01-16T08:11:30.043Z" Version="2.0">
 <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sync-server.netcompose</saml2:Issuer>
 <saml2p:Status>
  <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
 </saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_8ae443bf62a5b0fabceef1ba20e8330f" IssueInstant="2025-01-16T08:11:30.043Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sync-server.netcompose</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
    <ds:Reference URI="#_8ae443bf62a5b0fabceef1ba20e8330f">
     <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
       <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"></ec:InclusiveNamespaces>
      </ds:Transform>
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
     <ds:DigestValue>XvRUs/lrZYcgR9xjTjGQJ5VLRBtHHDbprEoa9ROxqzw=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>F2+sP+Aq8SHIl56/9mYi2B+f6oFerlaMUn81Y5lK5wD+oYNGNsOjMHbwkK5gaHWk2Isr+TEhK0YMQTFfJUK0NLVuXHVQtyAfN3p6kxjXTXOq6TaLAfbivuUdzh1dEX61I63id//rGi92NbLU+p2TV/dmTS4fCOhpxm5Sry5i49o=</ds:SignatureValue>
   <ds:KeyInfo>
    <ds:X509Data>
     <ds:X509Certificate>MIICKTCCAZKgAwIBAgIGAY3q71O5MA0GCSqGSIb3DQEBCwUAMFgxJzAlBgNVBAMMHmh0dHBzOi8v...</ds:X509Certificate>
    </ds:X509Data>
   </ds:KeyInfo>
  </ds:Signature>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://sync-server.netcompose">Agatha</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData Address="172.18.0.1" InResponseTo="_5888a034d161c2f45e7c3d62c1ffd939" NotOnOrAfter="2025-01-16T08:16:30.043Z" Recipient="https://pat.soffid.lab:8443/soffid/saml/log/post"></saml2:SubjectConfirmationData>
   </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2025-01-16T08:11:30.043Z" NotOnOrAfter="2025-01-16T08:16:30.043Z">
   <saml2:AudienceRestriction>
    <saml2:Audience>https://pat.soffid.lab:8443/soffid-iam-console</saml2:Audience>
   </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2025-01-16T08:11:30.008Z" SessionIndex="_d6a8c2cecd0e8bd085da5c4c82794444">
   <saml2:SubjectLocality Address="172.18.0.1"></saml2:SubjectLocality>
   <saml2:AuthnContext>
    <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
   </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
   <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">pgarcia@soffid.com</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Agatha</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_VAULT_USER@soffid</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">SOFFID_USER@soffid</saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="HolderGroup" Name="urn:oid:1.3.6.1.4.1.22896.3.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">RRHH</saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>
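
In the SAML case the same information arrives as two attributes of the AttributeStatement: HolderGroup (urn:oid:1.3.6.1.4.1.22896.3.1.7) and memberOf (urn:oid:1.3.6.1.4.1.5923.1.5.1.1). The Python below is an added example, not Soffid's code nor part of the original page: it checks the status, validity window and audience of the assertion, reads the attributes by their OID names, and rejects a HolderGroup that has no SOFFID_HOLDER_<domain>/<group>@<system> entry in memberOf. It assumes the XML signature has already been verified with an xmlsec-based SAML library such as python3-saml; the trimmed, unsigned sample response embedded in the block is constructed from the page's example, and the function names are the example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Attribute names exactly as released in the page's sample assertion.
OID_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"      # FriendlyName memberOf
OID_HOLDER_GROUP = "urn:oid:1.3.6.1.4.1.22896.3.1.7"    # FriendlyName HolderGroup

# Trimmed, unsigned copy of the page's sample response (constructed test input).
# Signature checking is deliberately out of scope: verify the XML signature with an
# xmlsec-based SAML library first and only then hand the response to this code.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_6743cb92d3e0ebe0572843361b8afb8f" IssueInstant="2025-01-16T08:11:30.043Z" Version="2.0">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_8ae443bf62a5b0fabceef1ba20e8330f" IssueInstant="2025-01-16T08:11:30.043Z" Version="2.0">
    <saml2:Issuer>https://sync-server.netcompose</saml2:Issuer>
    <saml2:Subject><saml2:NameID>Agatha</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2025-01-16T08:11:30.043Z" NotOnOrAfter="2025-01-16T08:16:30.043Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://pat.soffid.lab:8443/soffid-iam-console</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="memberOf" Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
        <saml2:AttributeValue>SOFFID_HOLDER_CONDOMAIN004/RRHH@soffid</saml2:AttributeValue>
        <saml2:AttributeValue>SOFFID_VAULT_USER@soffid</saml2:AttributeValue>
        <saml2:AttributeValue>SOFFID_USER@soffid</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute FriendlyName="HolderGroup" Name="urn:oid:1.3.6.1.4.1.22896.3.1.7">
        <saml2:AttributeValue>RRHH</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def saml_time(value):
    """Parse a SAML UTC timestamp with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def assertion_attributes(assertion):
    """Map each released attribute Name to its list of string values."""
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)
    }


def resolve_holder_group(response_xml, expected_audience, now):
    """Return the holder group released in a signature-verified SAML response (None if absent).

    `now` is a UTC datetime or a SAML timestamp string. Raises ValueError when the
    response must be rejected; the application must then deny the login.
    """
    if isinstance(now, str):
        now = saml_time(now)
    root = ET.fromstring(response_xml)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("SAML status is not Success")
    assertion = root.find("saml2:Assertion", NS)
    conditions = assertion.find("saml2:Conditions", NS) if assertion is not None else None
    if conditions is None:
        raise ValueError("response carries no assertion with Conditions")
    if not (saml_time(conditions.get("NotBefore")) <= now < saml_time(conditions.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conditions.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")

    attrs = assertion_attributes(assertion)
    holder = (attrs.get(OID_HOLDER_GROUP) or [None])[0]
    if holder is None:
        return None          # no holder group released: plain login (use case 1)
    # The same policy releases HolderGroup and memberOf, so the holder group must be
    # backed by a SOFFID_HOLDER_<domain>/<group>@<system> entry in memberOf.
    backed = {
        role.split("/", 1)[1].split("@", 1)[0]
        for role in attrs.get(OID_MEMBER_OF, [])
        if role.startswith("SOFFID_HOLDER_") and "/" in role
    }
    if holder not in backed:
        raise ValueError(f"HolderGroup {holder!r} has no matching SOFFID_HOLDER role in memberOf")
    return holder
```

Note that the sample assertion's Subject is a bearer confirmation with a NotOnOrAfter and Recipient of its own; a full service-provider implementation checks those and the InResponseTo against the outstanding AuthnRequest as well, which the library doing signature verification normally handles.
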

3. A user whose Primary group RRHH and Secondary group Marketing are both of holder type logs into an application --> the user must choose which holder group to log into the application with.

💻 Image

4. A user whose Primary group is not of holder type but who has Secondary groups of holder type logs into an application --> the user must choose which holder group to log into the application with.

💻 Image