[IdP] Not working with large number of groups (Azure AD)
Forge component by Rui Barbosa
Application Type
Traditional Web

Hi IdP team,

I encountered a problem with the group assignment of IdP users.
A customer of ours has some users (Azure AD / Office 365) participating in more than 165 (!) groups. When such a user logs in, no groups will be assigned, because the groups claim will no longer return a list of group IDs because it exceeds the limit of 150. Instead, a MS Graph link is returned to where the group IDs can be retrieved. The IdP module has no functionality to handle this specific case.

Below is part of the SAML message log:

Some googling resulted in the following information:

"Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions, and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted and a link to the Graph endpoint to obtain group information is included instead."

Is there any chance that you will fix this issue in a future release?

This is an Azure AD problem. We suffer the same, as we started with AD on-prem and in moving to AAD we've had to rethink our CAD group strategy.

Unless Microsoft removes the restriction, it might be a good opportunity to review your own group policy, as being a member of 165 groups feels very over-complicated.

By the way: you state that this is an Azure AD problem; however, the topic start also states (in italics) that this behavior is perfectly documented. It could be seen as a paging feature like many REST APIs implement.

In short; I still think this is a shortcoming in the IdP-module :-)

How is this an Azure AD problem? This could easily be solved by doing a separate request to retrieve all the groups.
The value of the groups.links attribute clearly states where the groups can be retrieved.

Or am I missing something here?
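As an added illustration of the case described in the first post and in this one (this is not code from the IdP component, nor the code Peter's colleague wrote): the check below parses a SAML assertion, distinguishes a normal groups claim from the Azure AD overage link, and either hands the link to a Graph resolver or flags the login explicitly instead of silently assigning no groups. The claim names are the standard Azure AD ones; the Graph call itself is injected as a callable, and the sample assertions with their placeholder tenant/user IDs are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

@dataclass
class GroupResult:
    groups: List[str]
    overage_link: Optional[str] = None  # set when Azure AD omitted the groups claim
    resolved: bool = True               # False: overage seen but not fetched

def attribute_values(assertion_xml: str, name: str) -> List[str]:
    """All <AttributeValue> texts of the SAML Attribute named `name`.
    Assumes the assertion's signature was already verified upstream."""
    root = ET.fromstring(assertion_xml)
    return [v.text.strip()
            for attr in root.iter(f"{{{SAML_NS}}}Attribute") if attr.get("Name") == name
            for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text and v.text.strip()]

def resolve_groups(assertion_xml: str,
                   fetch_from_graph: Optional[Callable[[str], List[str]]] = None) -> GroupResult:
    """Return the user's groups, making the overage case explicit.
    Normal case: the groups claim carries the object IDs. Overage case
    (>150 groups for SAML): the claim is missing and groups.link points
    at the Graph endpoint; never treat that as 'member of no groups'."""
    links = attribute_values(assertion_xml, OVERAGE_CLAIM)
    if not links:
        return GroupResult(groups=attribute_values(assertion_xml, GROUPS_CLAIM))
    link = links[0]
    if fetch_from_graph is None:
        # No resolver configured: surface the overage so the caller can deny or flag the login.
        return GroupResult(groups=[], overage_link=link, resolved=False)
    return GroupResult(groups=fetch_from_graph(link), overage_link=link)

def build_assertion(attrs: dict) -> str:
    """Constructed minimal SAML assertion (sample input only, unsigned)."""
    body = "".join(f'<saml:Attribute Name="{n}">'
                   + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs)
                   + "</saml:Attribute>" for n, vs in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")

# Constructed samples: placeholder tenant/user IDs, not real identifiers.
NORMAL_ASSERTION = build_assertion({GROUPS_CLAIM: ["group-id-1", "group-id-2"]})
OVERAGE_ASSERTION = build_assertion({OVERAGE_CLAIM: [
    "https://graph.windows.net/TENANT-ID-PLACEHOLDER/users/USER-ID-PLACEHOLDER/getMemberObjects"]})
```

A caller that sees `resolved == False` should deny or at least log the login rather than continue with an empty group list, since that is exactly the silent failure described above.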

Hi @Rui Barbosa ,

My colleague Rob (TS) has created the appropriate functions to support huge numbers of groups. We use the provided link in the SAML message to retrieve all groups via the Graph API, completely following all specifications.

Would you be open to adding this to the next version of the IdP module?

We would be happy to share all the code.

Hi Peter,

Actually, there is already a version of IdP (4.2.13) that is currently "Under Development" and references a new app called Idp Customizations, which will let you add your own custom logic for user/group mapping.

This will let you add the necessary logic to call the Graph API and fetch the groups/roles mapping without affecting the IdP component and its future versions.

This will be a more generic solution, without having to go into the different implementation details of the Graph API, with endpoints and credentials/tokens etc.

This new version includes many other changes such as allowing multiple configurations of different identity providers for the same tenant.

I'm just currently waiting for more feedback from a couple of colleagues that are already using this latest version. I also need to create new and updated documentation for this new version.

That sounds like a perfect solution!

Please keep us posted and if we can help, just let us know.

Hi @João Barata. Is that new version (4.2.13) going to be released anytime soon?

Hi @inesp, the version with the above functionalities has already been released. The version is 5.0.0.

Regards, 
