This guide walks you through configuring a Group claim in Microsoft Entra ID (Azure AD) for FMX Single Sign-On (SSO) using SAML 2.0, and explains the final steps required to enable group-based access mapping within FMX.


Prerequisites

Before you begin, ensure the following:

  • You have Administrator access to Microsoft Entra ID
  • An FMX SAML-based Enterprise Application already exists in your tenant
  • Users and security groups are already created in Entra ID

Step 1: Open the FMX Enterprise Application

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Identity → Applications → Enterprise applications
  3. Select your FMX SAML application

Step 2: Open Single Sign-On Settings

  1. In the left-hand menu, select Single sign-on
  2. Choose SAML as the sign-on method

Step 3: Edit User Attributes & Claims

  1. In the Attributes & Claims section, click Edit
  2. Select Add a group claim

Step 4: Configure the Group Claim

Configure the group claim using the values below.

Group Claim Settings

  • Which groups associated with the user should be returned in the claim?
    Select Security groups (or All groups, if required by your organization)
  • Source attribute:
    user.groups
  • Customize the name of the group claim:
    urn:fmx:dir:attribute-def:groups
  • Emit groups as:
    Group ID (recommended)

Click Save once the configuration is complete.


Step 5: Assign Users and Groups

  1. In the FMX Enterprise Application, navigate to Users and groups
  2. Assign the users and/or groups that should have access to FMX

Only assigned users will receive the group claim in the SAML assertion.


Step 6: Test the Group Claim

Initiate a test login via:

  • The Microsoft My Apps portal (IdP-initiated), or
  • The FMX login page (SP-initiated)

Confirm that the SAML assertion includes the following claim:

    urn:fmx:dir:attribute-def:groups
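One way to perform this check offline is shown below, as an added example that is not part of FMX's or Microsoft's tooling. It assumes you have copied the base64 SAMLResponse form field from a test login (HTTP-POST binding). The function names and the sample assertion are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

GROUP_CLAIM = "urn:fmx:dir:attribute-def:groups"  # claim name set in Step 4
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# With "Emit groups as: Group ID", each value should be an Entra object ID (GUID).
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def group_claim_values(saml_response_b64):
    """Return the group claim values found in a base64 SAMLResponse.

    Diagnostic only: the signature is NOT verified, so never use this
    output to make an access decision.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", NS)]
    return values


def check_group_claim(saml_response_b64):
    """Report whether the claim is present and which values are not GUIDs."""
    values = group_claim_values(saml_response_b64)
    return {
        "present": bool(values),
        "groups": values,
        "not_object_ids": [v for v in values if not GUID.match(v)],
    }


# Constructed sample response: one GUID value and one display-name value.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="urn:fmx:dir:attribute-def:groups">
   <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
   <saml:AttributeValue>FMX-Technicians</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(check_group_claim(SAMPLE))
```

If `present` is false, recheck the claim name from Step 4 and the assignment from Step 5. Any entry in `not_object_ids` means the claim is emitting something other than Group IDs, which will not match mappings keyed on object IDs.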

Final Step: Enable Group Mapping in FMX

To complete the setup, you will need access to FMX’s internal SSO mapping tool.

What You Need to Do

  1. Request access to the FMX SSO mapping tool by contacting FMX Support
  2. Once enabled on your site, open the tool located in the admin settings
  3. A default JSON file will already be present
  4. Edit the JSON file to map your Entra ID group values to FMX roles or permissions

Built-In Validation

  • The tool includes a built-in JSON validation checker
  • If there are any issues, it will clearly identify which lines are invalid
  • Correct any errors until the validation passes

Activating the Mapping

  • Save the updated JSON file
  • Ensure the group claim rule described above is configured in Entra ID

Once both steps are complete, group claims will begin applying immediately to users logging in via SSO.


Need Help?

Please review the following Microsoft Help YouTube video. Steps begin around the 5-minute mark. If you need assistance with group claims, access to the mapping tool, or validation errors, please contact FMX Support and include:

  • Your FMX tenant URL
  • Confirmation that the group claim has been added in Entra ID
  • Any screenshots or error messages
