If you are using Azure AD as your IDP, it is highly likely that the user belongs to too many groups in your AAD environment.
Azure AD limits the number of groups it includes in a token: 150 for SAML assertions and 200 for JWTs. If a user belongs to more groups than that, the groups are left out of the token. Instead, the token carries a reference (link) to the Microsoft Graph endpoint from which the group details can be retrieved. The groups-related part of the token then looks like this:
  "_claim_names": {
    "groups": "src1"
  },
  "_claim_sources": {
    "src1": {
      "endpoint": "https://graph.windows.net/12345678-abcd-qwer-zcvc-abcd12345678/users/abcdabcd-7890-t5t5-r4r4-avcdeggd1234/getMemberObjects"
    }
  }
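The following is an added example, not code from the original article, showing how a relying party should treat such a token: when "groups" is absent but "_claim_names"/"_claim_sources" reference it, membership must be resolved from the referenced endpoint rather than silently treated as "no groups". The `fetch` callable is a hypothetical caller-supplied Graph client, and the sample payloads are constructed.

```python
from typing import Callable, Iterable, Optional, Set

# Constructed sample payloads: decoded JWT claim sets whose signatures were
# already verified upstream (this example does not validate tokens).
NORMAL_TOKEN = {"oid": "user-1", "groups": ["g-admins", "g-readers"]}
OVERAGE_TOKEN = {
    "oid": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/<tenant-id>/users/<user-id>/getMemberObjects"}
    },
}


def has_group_overage(claims: dict) -> bool:
    """True when the groups claim was omitted and is referenced out of band."""
    return "groups" not in claims and "groups" in claims.get("_claim_names", {})


def overage_endpoint(claims: dict) -> Optional[str]:
    """Return the endpoint named by _claim_sources for the groups claim, if any."""
    src = claims.get("_claim_names", {}).get("groups")
    if not src:
        return None
    return claims.get("_claim_sources", {}).get(src, {}).get("endpoint")


def resolve_groups(claims: dict, fetch: Callable[[str], Iterable[str]]) -> Set[str]:
    """Return the user's group ids.

    `fetch(endpoint)` is a hypothetical client that calls the referenced Graph
    endpoint; it is only invoked in the overage case. An overage claim without a
    usable endpoint raises, so the caller fails closed instead of granting access
    on an empty group set.
    """
    if "groups" in claims:
        return set(claims["groups"])
    if has_group_overage(claims):
        endpoint = overage_endpoint(claims)
        if not endpoint:
            raise ValueError("group overage claim without a resolvable endpoint")
        return set(fetch(endpoint))
    return set()  # token legitimately carries no group membership


def is_authorized(claims: dict, required: Set[str], fetch: Callable[[str], Iterable[str]]) -> bool:
    """Grant access only if the user is in at least one of the required groups."""
    return bool(required & resolve_groups(claims, fetch))
```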
A couple of workarounds:
- Narrow down the groups included in claims to only those relevant to the application.
- Implement a group filter to decrease the number of groups included in the claim.
Please also see Microsoft's documentation:
Configure group claims for applications by using Azure Active Directory - Microsoft Entra | Microsoft Learn