Expand my Community achievements bar.

SOLVED

AEM-Azure AD SSO Integration fails if group count exceeds 150 in azure AD

Avatar

Level 2
Level 2
6/8/20 4:26:49 AM

Hello,

We have a usecase like:

We have integrated AEM SAML(OOTB) with Azure AD for user authentication. Now In Azure they have limitation that they can provide max of 150 groups(user belongs to) in saml response.
If a user is member of more than 150 groups for SAML, then Azure AD does not emit the groups claim in SAML Assertion. Instead it will replace the group attribute (usually named http://schemas.microsoft.com/claims/groups) with a group.link attribute (http://schemas.microsoft.com/claims/groups.link) that will contain a link back to https://graph.windows.net/<IdentityProviderID>/users/<UserObjectID>/getMemberObjects.
This causes the role mapping on the platform to be ineffective for the user the Assertion is applicable to.


User gets authenticated from azure but couldn't landed up with any AEM screen as saml response doesn't contain group information to redirect user to authorized page. Azure team says we need to call a REST Microsoft graph api to get group information in such case using that group.link.

We need to handle both scenarios:
1. User belongs to less than equal to 150 groups
2. User belongs to more than 150 groups

Can anyone suggest how we can achieve this? Do we need to write custom SAML authentication handler? how to call graph apis?

Quick response will be highly appreciated!!

 

Thanks in advance
Nisha

Views

1.8K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
6/8/20 5:40:00 AM

This will not work OOTB as AEM expects the "groups" attribute in the SAML response. You have 2 options for users with more than 150 groups:

 

1) Write a custom authentication handler to handle this scenario

2) Log a ticket with azure and have them increase the limit to more than 150

View solution in original post

Views

1.7K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Employee Advisor
Employee Advisor
6/8/20 5:40:00 AM

This will not work OOTB as AEM expects the "groups" attribute in the SAML response. You have 2 options for users with more than 150 groups:

 

1) Write a custom authentication handler to handle this scenario

2) Log a ticket with azure and have them increase the limit to more than 150

Views

1.7K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
6/9/20 12:05:12 AM
In response to Jaideep_Brar

How can we handle both cases in custom saml handler:

1. Users with less than 150 groups: SAML response will have "group" attribute containing groups information

2. Users with more than 150 groups: SAML respnse will have "group.link" attribute containing graph api link to be called in order to fetch groups information

and how this group sync will work then in aem programmatically.

 

Can anyone help with sample custom saml handler code for this?

OR is there any other approach in aem to acheive this usecase?

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate