Solved

Assign multiple roles to a user from Azure AD SAML claim

  • January 19, 2026
  • 4 replies
  • 54 views

anryan
Contributor

Hi there,

In this article (Configure user attribute mapping with Azure AD SAML Provider – FME Support Center), a group claim can be set up to pass an AD group name which aligns to a role in FME Flow. As a group claim could be based on a search criterion and many AD groups could be returned, which is a common method of Enterprise group membership in ArcGIS Enterprise software, I was wondering if this could be used to grant several roles to a user?

Looking at controlling access to repositories, who can view workspaces and who can run a job, etc. via AD group assignment.

Thanks

4 replies

zoe.forbes
Safer
  • Safer
  • Best Answer
  • February 3, 2026

Hi @anryan,

This isn’t currently possible but you’re welcome to submit an idea for this - Product Managers check Ideas to inform decision making. I’m also able to do this for you if you would prefer.

The best workaround I can think of would be exporting roles data outside of Azure, and creating a workspace which used the API to assign additional roles to Flow users after creation. The endpoint POST /accounts/{id}/roles could be used to do this.

Thanks,
Zoe


anryan
Contributor
  • Author
  • Contributor
  • February 3, 2026

@zoe.forbes thank you for the reply. I’ll be submitting an idea for this to utilise OOTB SSO/SAML capability.

I have a question regarding your workaround in using a workspace to assign the additional roles - you hadn’t mentioned what type of trigger could be used for this. I assume a schedule, as I couldn’t find any documentation that FME Flow has internal webhooks (e.g. trigger on user creation)?

At the moment, I’ll probably go for a schedule running every 30 minutes to check a defined list of AD group memberships, use that as my source, and compare it to FME Flow to work out which CRUD operations I need to do for the users and their roles to maintain them in the security section of Flow.

Thanks again


zoe.forbes
Safer
  • Safer
  • February 3, 2026

Hi @anryan, I thought this would be a one-off operation but I see that isn’t the case. Since there’s a “user created” system event, you could use the following as triggers:

  • A System Event Trigger in automations.
  • A Schedule as you suggested. Instead of polling all users/roles, you could retrieve System Events with an API call and use the query parameters start=[timestamp] and type=SYSTEMEVENT_USER_CREATE as a filter.

anryan
Contributor
  • Author
  • Contributor
  • February 4, 2026

@zoe.forbes Awesome. Thanks. Didn’t think of sys events with an automation
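
The scheduled comparison discussed in this thread, sketched as an added example (not code from any of the posters or from Safe Software): it takes an exported AD group membership list and the roles users currently hold in FME Flow, and works out which roles to add and remove per user. The group names, role names, protected-role list and function names are all constructed assumptions; the additions would then be applied through the `POST /accounts/{id}/roles` endpoint named above, whose request body is not shown in the thread, so the example stops at the plan.

```python
"""Added example: plan FME Flow role changes from exported AD group membership."""

# Constructed mapping (assumption): AD group name -> FME Flow role name.
# Only groups listed here can ever grant a role (deny by default).
GROUP_TO_ROLE = {
    "GIS-FME-Authors": "repo-authors",
    "GIS-FME-Runners": "job-runners",
    "GIS-FME-Viewers": "repo-viewers",
}
# Constructed list: roles this job never adds or removes (kept under manual control).
PROTECTED_ROLES = {"flow-admins"}


def desired_roles(ad_groups):
    """Map a user's AD groups to roles; unmapped groups and protected roles are dropped."""
    roles = {GROUP_TO_ROLE[g] for g in ad_groups if g in GROUP_TO_ROLE}
    return roles - PROTECTED_ROLES


def plan_changes(ad_membership, flow_roles):
    """Return {user: {"add": [...], "remove": [...]}} for users that need a change.

    ad_membership: {user: set of AD group names} exported from the directory.
    flow_roles:    {user: set of role names} currently held in FME Flow.
    A user missing from the AD export loses every managed role (deprovisioning).
    """
    managed = set(GROUP_TO_ROLE.values()) - PROTECTED_ROLES
    plan = {}
    for user in sorted(set(ad_membership) | set(flow_roles)):
        want = desired_roles(ad_membership.get(user, set()))
        have = flow_roles.get(user, set()) & managed  # leave unmanaged roles alone
        add, remove = sorted(want - have), sorted(have - want)
        if add or remove:
            plan[user] = {"add": add, "remove": remove}
    return plan


if __name__ == "__main__":
    # Constructed sample data: alice is in two mapped groups plus an unmapped one.
    ad = {"alice": {"GIS-FME-Authors", "GIS-FME-Runners", "HR-All"},
          "bob": {"GIS-FME-Viewers"}}
    flow = {"alice": {"repo-authors"},
            "bob": {"job-runners", "flow-admins"},
            "carol": {"repo-viewers"}}
    for user, change in plan_changes(ad, flow).items():
        print(user, change)
```

Logging each planned removal before applying it gives an audit trail for access that was revoked because a group membership ended.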