AkinAjewole-1375 asked ·

Enterprise App group claim

I need to pass all the groups in the token and configure the application to make authorization decisions based on the group claims.

I have followed all the docs on configuring the group claim, with no luck.

(attached screenshot: groupclaim.png)

Is the issue related to the sAMAccountName source attribute? It looks like it's throwing a warning about that.

When you say that it doesn't work, what exactly happens?

amanpreetsingh-msft answered ·

@AkinAjewole-1375 Based on your current configuration, the group claim will be passed as a role claim in the token. If you want to pass it as a group claim, you need to uncheck "Emit groups as role claims".

If you want to pass the group claim as a role but you are not getting all groups listed in the token, be informed that there is a limit of 150 groups for a SAML token, and 200 for a JWT. If the user is a member of more groups than this limit, that can lead to unpredictable results. I have seen the list of groups replaced with a Graph API link to query the groups.

If that is also not the case, make sure you have the "onPremisesSamAccountName" attribute synced to Azure AD with the value of the SamAccountName specified in your on-prem AD. To check this:

  1. Go to https://developer.microsoft.com/en-us/graph/graph-explorer and log in with your Global Admin account by clicking on the "Sign in with Microsoft" button on the left.

  2. Use a GET call to https://graph.microsoft.com/beta/groups/Object_ID_of_the_Group

  3. In the response, make sure you see the appropriate value populated.


Please "Accept as answer" wherever the information provided helps you to help others in the community.


Thanks for the information. I tried without the emit before and got the same result. All I get in the SAML response is this:

<Attribute Name="http://schemas.microsoft.com/claims/groups.link">
  <AttributeValue>https://graph.windows.net/b5da5f35-6442-4f5a-9622-92ec6a535127/users/6d9d53f8-1492-477d-aae1-1ee5a1796ea9/getMemberObjects</AttributeValue>
</Attribute>

(attached screenshots: groupclaim2.png, groupclaim3.png)

amanpreetsingh-msft answered ·

@AkinAjewole-1375 This is happening because of the limit of 150 groups for a SAML token and 200 for a JWT. To confirm this, try creating a new user account and adding it to a few groups (5-10 for testing purposes). I am sure those groups will be emitted in the token.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

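The two answers above make two points an application author has to handle: the groups may arrive under the role claim name rather than the groups claim name depending on the "Emit groups as role claims" setting, and above the 150-group (SAML) / 200-group (JWT) limit Azure AD replaces the list with a groups.link attribute, so the token carries no membership information at all. The Python below is an added example for this thread, not code from Microsoft or from the poster. It assumes the standard Azure AD SAML claim URIs for groups and role (the groups.link URI is the one quoted in the reply above); the three sample assertions are constructed inline so the example runs offline. The point it makes beyond the thread is that the overage case must be distinguished from "user is in no groups": an application that treats the empty list as a real answer could fail open on any deny-list style check.

```python
"""Read group (or role) claims from an Azure AD SAML assertion and make a
fail-closed authorization decision that recognises the group-overage case.

Added example for this thread; not code from Microsoft or the poster.
Assumptions: the groups and role claim URIs are the ones Azure AD emits in
SAML tokens; groups.link is the overage claim quoted in the thread. The
sample assertions at the bottom are constructed for offline testing.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"  # overage marker


@dataclass
class GroupClaims:
    groups: List[str] = field(default_factory=list)  # values of the groups claim
    roles: List[str] = field(default_factory=list)   # values when "Emit groups as role claims" is on
    overage_link: Optional[str] = None               # set when the list was replaced by a Graph URL


def _local(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def extract_group_claims(assertion_xml: str) -> GroupClaims:
    """Walk every <Attribute> in the assertion, whatever namespace prefix
    the IdP used, and sort the values by claim name."""
    root = ET.fromstring(assertion_xml)
    claims = GroupClaims()
    for attr in root.iter():
        if _local(attr.tag) != "Attribute":
            continue
        name = attr.get("Name", "")
        values = [v.text.strip() for v in attr
                  if _local(v.tag) == "AttributeValue" and v.text]
        if name == GROUPS_CLAIM:
            claims.groups.extend(values)
        elif name == ROLE_CLAIM:
            claims.roles.extend(values)
        elif name == GROUPS_LINK_CLAIM and values:
            claims.overage_link = values[0]
    return claims


def authorize(claims: GroupClaims, required_group: str,
              emitted_as_role: bool = False) -> Tuple[bool, str]:
    """Decide on one required group. Returns (allowed, reason).

    Overage is reported as its own reason rather than as "group absent":
    a token carrying groups.link has no membership information, so the
    caller must resolve membership through Graph instead of treating the
    empty list as a real answer (a deny-list check on an empty list would
    fail open).
    """
    if claims.overage_link is not None:
        return False, "group-overage: no group list in token, resolve via Graph"
    pool = claims.roles if emitted_as_role else claims.groups
    if required_group in pool:
        return True, "group present in token"
    return False, "group absent from token"


# --- constructed sample assertions (not real tokens) ----------------------
def _attr(name: str, *values: str) -> str:
    return (f'<Attribute Name="{name}">'
            + "".join(f"<AttributeValue>{v}</AttributeValue>" for v in values)
            + "</Attribute>")


def _assertion(attributes_xml: str) -> str:
    return ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<AttributeStatement>{attributes_xml}</AttributeStatement>"
            "</Assertion>")


SAMPLE_GROUPS = _assertion(_attr(GROUPS_CLAIM, "group-id-1", "group-id-2"))
SAMPLE_ROLES = _assertion(_attr(ROLE_CLAIM, "group-id-1"))  # "Emit groups as role claims" checked
SAMPLE_OVERAGE = _assertion(_attr(                            # shape quoted in the thread
    GROUPS_LINK_CLAIM,
    "https://graph.windows.net/TENANT-ID/users/USER-ID/getMemberObjects"))

if __name__ == "__main__":
    for label, xml in (("groups", SAMPLE_GROUPS), ("roles", SAMPLE_ROLES),
                       ("overage", SAMPLE_OVERAGE)):
        c = extract_group_claims(xml)
        print(label, authorize(c, "group-id-1", emitted_as_role=(label == "roles")))
```

Running it shows the three outcomes side by side: the groups token allows, the role token allows only when the application is told to read the role claim, and the overage token is denied with a reason the caller can act on (fetch memberships from Graph) rather than a silent "not a member".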

Yep, you are right. Thank you. This won't work for us then. Thanks again.
