I need to pass all the groups in the token and configure the application to make authorization decisions based on the group claims.
I have followed all the doc about configuring group claim with no luck.
Is the issue related to the sAMAccountName source attribute? It looks like it's throwing a warning about that.
When you say that it doesn't work, what exactly happens?
@AkinAjewole-1375 Based on your current configuration, the Group claim will be passed as a Role claim in the token. If you want to pass it as a group claim, you need to uncheck "Emit groups as role claims".
If you want to pass the Group claim as Role but you are not getting all groups listed in the token, be informed that there is a limit of 150 groups for a SAML token and 200 for a JWT. If the user is a member of more groups than this limit, that can lead to unpredictable results. I have seen the list of groups replaced with a Graph API link to query the groups.
If that is also not the case, make sure you have the "onPremisesSamAccountName" attribute synced to Azure AD with the value of SamAccountName specified in your on-prem AD. To check this:
Go to https://developer.microsoft.com/en-us/graph/graph-explorer and log in with your Global Admin account by clicking the "Sign in with Microsoft" button on the left.
Use a GET call > https://graph.microsoft.com/beta/groups/Object_ID_of_the_Group
In the response, make sure you see the appropriate value populated.
Please "Accept as answer" wherever the information provided helps you to help others in the community.
Thanks for the information. I tried without the emit before and got the same result. All I get in the SAML response is this:
<Attribute Name="http://schemas.microsoft.com/claims/groups.link">
  <AttributeValue>https://graph.windows.net/b5da5f35-6442-4f5a-9622-92ec6a535127/users/6d9d53f8-1492-477d-aae1-1ee5a1796ea9/getMemberObjects</AttributeValue>
</Attribute>
@AkinAjewole-1375 This is happening because of the limit of 150 groups for a SAML token and 200 for a JWT. To confirm this, try creating a new user account and adding it to a few groups (5-10 for testing purposes). I am sure those groups will be emitted in the token.
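As an added example (not code from this thread or from Microsoft), the following Python shows what an application that authorizes on group claims has to check before trusting the token: the SAML `groups.link` attribute shown above, and the equivalent JWT `_claim_names`/`_claim_sources` overage pair, mean the token carries no group list at all, so the app must treat membership as unknown and query the endpoint rather than conclude the user is in no groups. The sample assertion and token are constructed here with placeholder GUIDs; the JWT is unsigned, and neither sample is signature-validated in this snippet (the real token would be validated first, with a SAML library hardened against XML attacks).

```python
import base64
import json
import xml.etree.ElementTree as ET  # assumption: the token signature was already verified upstream
from dataclasses import dataclass, field
from typing import List, Optional

# Claim names as emitted by Azure AD
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"  # SAML overage indicator
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class GroupClaims:
    groups: List[str] = field(default_factory=list)
    overage: bool = False                 # True when the token says "too many groups, go ask Graph"
    overage_endpoint: Optional[str] = None


def parse_saml_groups(assertion_xml: str) -> GroupClaims:
    """Extract the groups claim from a SAML assertion, or detect the groups.link overage claim."""
    root = ET.fromstring(assertion_xml)
    result = GroupClaims()
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]
        if attr.get("Name") == GROUPS_CLAIM:
            result.groups.extend(values)
        elif attr.get("Name") == GROUPS_LINK_CLAIM:
            result.overage = True
            result.overage_endpoint = values[0] if values else None
    return result


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt_groups(token: str) -> GroupClaims:
    """Inspect the JWT payload for a groups claim or the _claim_names/_claim_sources overage pair."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    result = GroupClaims(groups=list(payload.get("groups", [])))
    source_key = payload.get("_claim_names", {}).get("groups")
    if source_key is not None:
        result.overage = True
        result.overage_endpoint = payload.get("_claim_sources", {}).get(source_key, {}).get("endpoint")
    return result


def is_member(claims: GroupClaims, required_group: str) -> Optional[bool]:
    """True/False when the token is authoritative; None when overage means membership must be fetched."""
    if claims.overage:
        return None
    return required_group in claims.groups


# --- constructed samples (placeholder GUIDs, not real tenants or users) ---
TENANT = "11111111-1111-1111-1111-111111111111"
USER = "22222222-2222-2222-2222-222222222222"
OVERAGE_URL = f"https://graph.windows.net/{TENANT}/users/{USER}/getMemberObjects"

SAMPLE_SAML_NORMAL = f"""<Assertion xmlns="{SAML_NS}"><AttributeStatement>
  <Attribute Name="{GROUPS_CLAIM}">
    <AttributeValue>33333333-3333-3333-3333-333333333333</AttributeValue>
    <AttributeValue>44444444-4444-4444-4444-444444444444</AttributeValue>
  </Attribute>
</AttributeStatement></Assertion>"""

SAMPLE_SAML_OVERAGE = f"""<Assertion xmlns="{SAML_NS}"><AttributeStatement>
  <Attribute Name="{GROUPS_LINK_CLAIM}">
    <AttributeValue>{OVERAGE_URL}</AttributeValue>
  </Attribute>
</AttributeStatement></Assertion>"""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Unsigned, constructed JWT whose payload carries only the overage indicator (no "groups" claim).
SAMPLE_JWT_OVERAGE = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "aud": "api://example-app",
        "_claim_names": {"groups": "src1"},
        "_claim_sources": {"src1": {"endpoint": OVERAGE_URL}},
    }).encode()),
    "not-a-real-signature",
])

if __name__ == "__main__":
    for label, claims in (("saml-normal", parse_saml_groups(SAMPLE_SAML_NORMAL)),
                          ("saml-overage", parse_saml_groups(SAMPLE_SAML_OVERAGE)),
                          ("jwt-overage", parse_jwt_groups(SAMPLE_JWT_OVERAGE))):
        print(label, claims, "member:", is_member(claims, "33333333-3333-3333-3333-333333333333"))
```

The design point is the `None` return: an authorization check that does `required_group in claims.groups` on an overage token silently denies every user over the limit (or, with a naive "any group claim present" check, may grant access), and the overage URL in the token is a pointer to go fetch membership, not a group value. The `graph.windows.net` host in the page's response is the legacy Azure AD Graph endpoint; an application handling overage today would resolve membership through Microsoft Graph instead.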
Help you are right. Thank you. This won't work for us then. Thanks again.