My question is when using Azure AD to sign in using SAML is there a way to declare the different groups having access to a certain vlan? So that the group of IT's automatically end up in a certain vlan different from when a user from a different group logs on.
Yes, this is possible. If you map the group claim attribute, then we can create policies with specific VLANs (or RADIUS attributes) based on those groups.
In Azure, there is a limitation of getting the actual group name to come over via SAML. If they used Azure AD Connect Sync 188.8.131.52 or above and bring those groups from On-Premise AD, they will show up with the group name.
However, if the groups are not brought over from on-premise AD, we can still accomplish the use case, but we need to filter based on the Object-ID of the group (i.e., c8fbf2ba-e5f4-4105-a942-481f396746b3).
As long as that group claim is mapped to "Group/Affiliation Attribute" in the SAML config on CP, then we can create a policy like this:
IF, Group = c8fbf2ba-e5f4-4105-a942-481f396746b3
THEN, VLAN = 1
Let me know if you have questions on this, if you provide your e-mail I can send you some screenshots.
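To make the group-to-VLAN policy above concrete, here is an added example (not code from the original post or from any vendor's captive portal/RADIUS product) that pulls the group claim out of a SAML assertion, evaluates an ordered list of Object-ID rules, and builds the RFC 3580 RADIUS tunnel attributes a NAS expects for VLAN assignment. The assertion is constructed sample data; the claim name `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` is the default Azure AD groups claim as assumed here; the second group ID, the default VLAN and the policy order are assumptions. It also generalizes slightly beyond the post: GUIDs are compared case-insensitively and a user in several groups gets the first matching rule, which is the ordering question you have to settle when writing these policies.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default Azure AD group claim name (assumption; check your SAML config on CP)
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion: not a real token. Signature validation is assumed
# to have been done by the SAML service provider before this step runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>C8FBF2BA-E5F4-4105-A942-481F396746B3</saml:AttributeValue>
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Ordered policy: first matching group wins. The first Object-ID is the one from
# the answer above; the second is a constructed placeholder for a second group.
VLAN_POLICY = [
    ("c8fbf2ba-e5f4-4105-a942-481f396746b3", 1),   # e.g. IT staff
    ("11111111-2222-3333-4444-555555555555", 20),  # e.g. regular users (assumed)
]
DEFAULT_VLAN = 99  # assumed restricted/guest VLAN when no rule matches


def extract_groups(assertion_xml: str) -> list[str]:
    """Return the group claim values (Object-IDs or names), lower-cased for matching."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUP_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text:
                groups.append(value.text.strip().lower())
    return groups


def select_vlan(groups: list[str]) -> int:
    """Evaluate 'IF Group = <id> THEN VLAN = <n>' rules in policy order."""
    wanted = {g.lower() for g in groups}
    for group_id, vlan in VLAN_POLICY:
        if group_id.lower() in wanted:
            return vlan
    # No group matched (or no group claim at all): never leave the user unassigned
    return DEFAULT_VLAN


def radius_vlan_attributes(vlan: int) -> dict[str, str]:
    """RFC 3580 attributes that tell the switch/AP which VLAN to place the session in."""
    return {
        "Tunnel-Type": "VLAN",               # value 13
        "Tunnel-Medium-Type": "IEEE-802",    # value 6
        "Tunnel-Private-Group-ID": str(vlan),
    }


def vlan_for_assertion(assertion_xml: str) -> dict[str, str]:
    return radius_vlan_attributes(select_vlan(extract_groups(assertion_xml)))


if __name__ == "__main__":
    print(extract_groups(SAMPLE_ASSERTION))
    print(vlan_for_assertion(SAMPLE_ASSERTION))
```

Because the sample user is in both groups, rule order decides the outcome: with the IT group listed first the session lands in VLAN 1, and swapping the two rules would put the same user in VLAN 20. An assertion with no group claim falls through to the default VLAN rather than being granted an unrestricted one.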
I uploaded the screens as a ZIP file to Google Drive, let me know I can e-mail them as well:
Let me know if you have questions.