Expand my Community achievements bar.

SOLVED

AEM-Azure AD SSO Integration | azure-ad-saml-group-limit

Avatar

Level 2
Level 2
6/8/20 2:33:14 AM

Hello,

We have a usecase like:

We have integrated AEM SAML(OOTB) with Azure AD for user authentication. Now In Azure they have limitation that they can provide max of 150 groups(user belongs to) in saml response.
If a user is member of more than 150 groups for SAML, then Azure AD does not emit the groups claim in SAML Assertion. Instead it will replace the group attribute (usually named http://schemas.microsoft.com/claims/groups) with a group.link attribute (http://schemas.microsoft.com/claims/groups.link) that will contain a link back to https://graph.windows.net/<IdentityProviderID>/users/<UserObjectID>/getMemberObjects.
This causes the role mapping on the platform to be ineffective for the user the Assertion is applicable to.


User gets authenticated from azure but couldn't landed up with any AEM screen as saml response doesn't contain group information to redirect user to authorized page. Azure team says we need to call a REST Microsoft graph api to get group information in such case using that group.link.

We need to handle both scenarios:
1. User belongs to less than equal to 150 groups
2. User belongs to more than 150 groups

Can anyone suggest how we can achieve this? Do we need to write custom SAML authentication handler? how to call graph apis?

Quick response will be highly appreciated!!

 

Thanks in advance
Nisha

Views

2.0K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 4
Level 4
6/24/20 1:33:02 PM

It sounds as if you've worked with Azure AD support, so I may be mistaken in this suggestion, but if not, it might be a quick fix.

 

I believe that Azure AD has a configuration in either the application or the claim that allows you to specify which groups would be included the group claim.  Presuming you have fewer than 150 AEM-relevant groups, if that configuration exists, you should be able to have Azure AD in effect filter the group claim to only specific groups that are relevant.  

 

I may be thinking of Okta or ADFS and if so, my apologies.  But if correct, this will be far easier than a custom SAML handler.

 

Hope it works!

Beau

View solution in original post

Views

1.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Level 4
Level 4
6/24/20 1:33:02 PM

It sounds as if you've worked with Azure AD support, so I may be mistaken in this suggestion, but if not, it might be a quick fix.

 

I believe that Azure AD has a configuration in either the application or the claim that allows you to specify which groups would be included the group claim.  Presuming you have fewer than 150 AEM-relevant groups, if that configuration exists, you should be able to have Azure AD in effect filter the group claim to only specific groups that are relevant.  

 

I may be thinking of Okta or ADFS and if so, my apologies.  But if correct, this will be far easier than a custom SAML handler.

 

Hope it works!

Beau

Views

1.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply