Hello,
We have a usecase like:
We have integrated AEM SAML(OOTB) with Azure AD for user authentication. Now In Azure they have limitation that they can provide max of 150 groups(user belongs to) in saml response.
If a user is member of more than 150 groups for SAML, then Azure AD does not emit the groups claim in SAML Assertion. Instead it will replace the group attribute (usually named http://schemas.microsoft.com/claims/groups) with a group.link attribute (http://schemas.microsoft.com/claims/groups.link) that will contain a link back to https://graph.windows.net/<IdentityProviderID>/users/<UserObjectID>/getMemberObjects.
This causes the role mapping on the platform to be ineffective for the user the Assertion is applicable to.
User gets authenticated from azure but couldn't landed up with any AEM screen as saml response doesn't contain group information to redirect user to authorized page. Azure team says we need to call a REST Microsoft graph api to get group information in such case using that group.link.
We need to handle both scenarios:
1. User belongs to less than equal to 150 groups
2. User belongs to more than 150 groups
Can anyone suggest how we can achieve this? Do we need to write custom SAML authentication handler? how to call graph apis?
Quick response will be highly appreciated!!
Thanks in advance
Nisha
Solved! Go to Solution.
Views
Replies
Total Likes
It sounds as if you've worked with Azure AD support, so I may be mistaken in this suggestion, but if not, it might be a quick fix.
I believe that Azure AD has a configuration in either the application or the claim that allows you to specify which groups would be included the group claim. Presuming you have fewer than 150 AEM-relevant groups, if that configuration exists, you should be able to have Azure AD in effect filter the group claim to only specific groups that are relevant.
I may be thinking of Okta or ADFS and if so, my apologies. But if correct, this will be far easier than a custom SAML handler.
Hope it works!
Beau
It sounds as if you've worked with Azure AD support, so I may be mistaken in this suggestion, but if not, it might be a quick fix.
I believe that Azure AD has a configuration in either the application or the claim that allows you to specify which groups would be included the group claim. Presuming you have fewer than 150 AEM-relevant groups, if that configuration exists, you should be able to have Azure AD in effect filter the group claim to only specific groups that are relevant.
I may be thinking of Okta or ADFS and if so, my apologies. But if correct, this will be far easier than a custom SAML handler.
Hope it works!
Beau
Views
Likes
Replies