The number of groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT, including nested groups. In larger organizations, the number of groups where a user is a member might exceed the limit that Azure AD will add to a token. Exceeding a limit can lead to unpredictable results.
So if some user has 150+ groups in the response (including subgroups), there will not be any groups at all, and Azure expects that the application will make a second request to GraphQL for the groups only.
Example:
DEBUG in application: Body: {"providerType":"OIDC","providerName":"azuread","username":"[email protected]"}
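As an added example (not AKHQ or Micronaut code), this is the check a relying party can run on the Azure AD token to tell "no groups" apart from "too many groups", followed by the second request to Microsoft Graph's getMemberObjects that fills in the omitted groups claim. The token, the group ids and the `http_post` callable are constructed stand-ins; a real deployment would pass an authenticated HTTP client.

```python
import base64
import json
from typing import Callable, List

# Graph endpoint for the signed-in user's transitive memberships.
# Assumption: the app holds a Graph access token for that user.
GRAPH_GET_MEMBER_OBJECTS = "https://graph.microsoft.com/v1.0/me/getMemberObjects"


def decode_jwt_payload(token: str) -> dict:
    """Decode a compact JWT's payload; signature checking is assumed done by the OIDC library."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_group_overage(claims: dict) -> bool:
    """Azure AD omits `groups` above the limit and instead emits `_claim_names.groups`
    pointing at a `_claim_sources` entry (or `hasgroups: true` in implicit-flow tokens)."""
    if claims.get("hasgroups") is True:
        return True
    names = claims.get("_claim_names") or {}
    return names.get("groups") in (claims.get("_claim_sources") or {})


def resolve_groups(claims: dict, http_post: Callable[[str, dict], dict]) -> List[str]:
    """Group ids from the token when present; on overage, from Graph (transitive,
    security-enabled groups). No groups and no overage marker means no groups."""
    if "groups" in claims:
        return list(claims["groups"])
    if not has_group_overage(claims):
        return []
    return list(http_post(GRAPH_GET_MEMBER_OBJECTS, {"securityEnabledOnly": True})["value"])


# Constructed sample data: an unsigned token shaped like an Azure AD overage token.
def make_unsigned_token(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return "eyJhbGciOiJub25lIn0." + body + "."  # header {"alg":"none"}, no signature

OVERAGE_TOKEN = make_unsigned_token({
    "preferred_username": "user@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.windows.net/TENANT/users/OID/getMemberObjects"}},
})

def fake_graph_post(url: str, body: dict) -> dict:
    """Stands in for the authenticated POST to Graph: returns 250 constructed group ids."""
    return {"value": [f"group-{i:03d}" for i in range(250)]}
```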
@vutkin @tchiotludo
Do I understand correctly that this additional call to GraphQL was implemented in Micronaut, or what else does "Switched to DEX IDP." mean? Does that mean you use DEX IDP to federate and do not call Azure directly?
Just tested the dev branch of AKHQ and this still doesn't seem to work when a user has more than 200 groups.
The problem:
Ref: https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/how-to-connect-fed-group-claims#group-filtering