[IdP] Not working with large number of groups (Azure AD)
Forge component by Rui Barbosa
Published on 25 Feb 2021
Application Type: Traditional Web

Hi IdP team,

I encountered a problem with the group assignment of IdP users.
A customer of ours has some users (Azure AD / Office 365) participating in more than 165 (!) groups. When such a user logs in, no groups will be assigned, because the groups claim will no longer return a list of group IDs because it exceeds the limit of 150. Instead, a MS Graph link is returned to where the group IDs can be retrieved. The IdP module has no functionality to handle this specific case.

Below is a part of the SAML message log

Some googling resulted in following information:

"Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions, and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted and a link to the Graph endpoint to obtain group information is included instead."

Is there any chance that you will fix this issue in a future release?

Rank: #23801

This is an Azure AD problem. We suffer the same as we started with AD on-prem and in moving to AAD, we've had to rethink our CAD group strategy.

Unless Microsoft removes the restriction, then it might be a good opportunity to review your own group policy as being a member of 165 groups feels very over complicated.

Rank: #39926

How is this an Azure AD problem? This could easily be solved by doing a separate request to retrieve all the groups.
The value of the groups.links-attribute clearly states where the groups can be retrieved.

Or am I missing something here?
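The separate request described in this thread, as an added illustration that is not part of the IdP Forge component or the code Peter's team wrote: parse the SAML attribute statement, use the groups claim when Azure AD emitted it, and otherwise follow the `groups.link` claim and page through the Graph results. The claim names are the ones Azure AD uses; the link shape (tenant id, user object id, `getMemberObjects`), the response layout (`value` list plus `@odata.nextLink`) and the `fetch_json` callable that stands in for the authenticated Graph call (in reality a POST with a bearer token) are assumptions so the example runs offline on constructed data.

```python
"""Resolve Azure AD group membership from a SAML assertion, including the
"group overage" case where the groups claim is replaced by a Graph link.

Added illustration for this thread, not code from the IdP component.
Claim names are the ones Azure AD emits; the link format and the paging
shape ({"value": [...], "@odata.nextLink": ...}) are assumptions.
fetch_json is injected so the example runs offline.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
# Only follow links to hosts we expect: an attribute value in an assertion
# must never be used as an arbitrary URL to call from the server.
ALLOWED_LINK_HOSTS = {"graph.windows.net", "graph.microsoft.com"}
MAX_PAGES = 50  # upper bound on the pagination loop


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Map each SAML Attribute Name to the list of its AttributeValue texts.

    Call this only after the SAML library has validated the assertion's
    signature; parsing is not validation.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def _check_link(url: str) -> str:
    """Refuse anything that is not HTTPS to an allow-listed Graph host."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_LINK_HOSTS:
        raise ValueError(f"refusing to follow groups link: {url}")
    return url


def resolve_groups(attrs: Dict[str, List[str]],
                   fetch_json: Callable[[str], dict]) -> List[str]:
    """Return group ids from the claim, or by following the overage link."""
    # Normal case: Azure AD put the groups (150 or fewer for SAML) in the token.
    if GROUPS_CLAIM in attrs:
        return list(attrs[GROUPS_CLAIM])
    # Overage case: the token carries a link instead of the group list.
    link = attrs.get(GROUPS_LINK_CLAIM)
    if not link:
        return []
    groups: List[str] = []
    url: Optional[str] = _check_link(link[0])
    for _ in range(MAX_PAGES):
        page = fetch_json(url)
        groups.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")
        if not next_url:
            return groups
        url = _check_link(next_url)  # nextLink is also untrusted input
    raise RuntimeError("too many pages while resolving groups")


# --- constructed sample data: placeholder ids, no real tenant or token ---
SAMPLE_LINK = ("https://graph.windows.net/TENANT-ID-PLACEHOLDER"
               "/users/USER-OID-PLACEHOLDER/getMemberObjects")
SAMPLE_OVERAGE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_LINK_CLAIM}">
      <saml:AttributeValue>{SAMPLE_LINK}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_PAGES = {
    SAMPLE_LINK: {"value": ["group-a", "group-b"],
                  "@odata.nextLink": SAMPLE_LINK + "?$skiptoken=page2"},
    SAMPLE_LINK + "?$skiptoken=page2": {"value": ["group-c"]},
}


def fake_fetch(url: str) -> dict:
    """Stands in for the authenticated Graph call; returns canned pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_OVERAGE_ASSERTION)
    print(resolve_groups(attrs, fake_fetch))  # ['group-a', 'group-b', 'group-c']
```

Two design points matter for a real IdP integration: the link (and every `nextLink`) is treated as untrusted input and checked against an allow-list before any request is made, and the loop is bounded so a misbehaving endpoint cannot keep the login spinning. The group ids returned this way are object ids, exactly like the ones in the normal groups claim, so the existing group-to-role mapping can run unchanged on the merged list.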

Rank: #39926

Hi @Rui Barbosa ,

My colleague Rob (TS) has created the appropriate functions to support huge numbers of groups. We use the provided link in the SAML message to retrieve all groups via the Graph-API, completely following all specifications.

Would you be open to add this to the next version of the IDP module?

We would be happy to share all the code.

Rank: #61

Hi Peter,

Actually, there is already a version of IdP (4.2.13), that is currently "Under Development" that references a new App called Idp Customizations that will let you add your own custom logic for user/group mapping.

This will let you add the necessary logic to call the Graph API and fetch the groups/roles mapping without affecting the IDP component and its future versions.

This will be a more generic solution, without having to go into the different implementation details of Graph API with endpoints and credentials/tokens etc.

This new version includes many other changes such as allowing multiple configurations of different identity providers for the same tenant.

I'm just currently waiting for more feedback from a couple of colleagues that are already using this latest version. I also need to create new and updated documentation for this new version.

Rank: #39926

That sounds like a perfect solution!

Please keep us posted and if we can help, just let us know.