Description
If a user can log in to IriusRisk but is not assigned the roles mapped to their Azure AD groups, a common cause is Azure AD's group overage limit: when a user belongs to more than 150 groups, Azure AD omits the group IDs from the SAML assertion and sends a group overage claim instead, so IriusRisk receives no groups to map to roles. You can confirm this by capturing a HAR file or SAML trace of the SAML login and checking the assertion for the details outlined below.
Overview
To confirm that group overage is the cause, capture a HAR file or SAML trace of the login, locate the SAMLResponse posted back to IriusRisk, decode it, and check which group claim the assertion carries.
A successful group claim lists the group object IDs directly (one AttributeValue per group):
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>your-group-id-here</AttributeValue>
</Attribute>
If the user exceeds the overage limit, the assertion carries no group IDs at all; instead you will see a groups.link overage claim pointing at a Graph endpoint that the application would have to query to obtain the user's groups:
<Attribute Name="http://schemas.microsoft.com/claims/groups.link">
<AttributeValue>https://graph.windows.net/example-application-id/users/example-user-id/getMemberObjects</AttributeValue>
</Attribute>
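As an added example (not part of the original article and not IriusRisk's own code), the following Python script automates the check above: it pulls every SAMLResponse out of a HAR file, base64-decodes it, and reports whether the assertion carries group IDs, the groups.link overage claim, or no group claim at all. The HAR structure, the two sample responses, and the hostnames used are constructed for illustration; the claim names are the ones shown above.

```python
import base64
import json
import sys
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote, urlencode

# Claim names as they appear in Azure AD SAML assertions.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def _local(tag):
    """Strip the namespace so prefixed and unprefixed elements both match."""
    return tag.rsplit("}", 1)[-1]


def inspect_assertion(xml_text):
    """Return the group IDs and the overage link carried by one decoded SAML response."""
    root = ET.fromstring(xml_text)
    groups, overage_link = [], None
    for el in root.iter():
        if _local(el.tag) != "Attribute":
            continue
        values = [v.text.strip() for v in el if _local(v.tag) == "AttributeValue" and v.text]
        name = el.get("Name")
        if name == GROUPS_CLAIM:
            groups.extend(values)
        elif name == OVERAGE_CLAIM and values:
            overage_link = values[0]
    return {"groups": groups, "overage_link": overage_link}


def diagnose(result):
    """Classify an inspected assertion as 'overage', 'ok' or 'no-groups'."""
    if result["overage_link"]:
        return "overage"
    if result["groups"]:
        return "ok"
    return "no-groups"


def extract_saml_responses(har):
    """Yield decoded SAMLResponse XML from every form POST recorded in a HAR dict."""
    for entry in har["log"]["entries"]:
        post = entry.get("request", {}).get("postData")
        if not post:
            continue
        # Exporters record form bodies as a raw 'text' body, a 'params' list, or both.
        values = parse_qs(post.get("text", "")).get("SAMLResponse", [])
        if not values:
            values = [unquote(p["value"]) for p in post.get("params", [])
                      if p.get("name") == "SAMLResponse"]
        for value in values:
            yield base64.b64decode(value).decode("utf-8")


def inspect_har(har):
    """Return one verdict per SAML response found in the HAR."""
    return [diagnose(inspect_assertion(xml)) for xml in extract_saml_responses(har)]


# Constructed sample responses (not real captures); the group IDs are placeholders.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Assertion><AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>11111111-1111-1111-1111-111111111111</AttributeValue>
      <AttributeValue>22222222-2222-2222-2222-222222222222</AttributeValue>
    </Attribute>
  </AttributeStatement></Assertion>
</samlp:Response>"""

SAMPLE_OVERAGE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Assertion><AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <AttributeValue>https://graph.windows.net/example-application-id/users/example-user-id/getMemberObjects</AttributeValue>
    </Attribute>
  </AttributeStatement></Assertion>
</samlp:Response>"""


def make_har(xml_text):
    """Build a minimal HAR dict (constructed, not a real capture) with one SAML POST."""
    encoded = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return {"log": {"entries": [
        {"request": {"method": "GET", "url": "https://login.microsoftonline.com/common/saml2"}},
        {"request": {"method": "POST", "url": "https://iriusrisk.example/saml/SSO",
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "text": urlencode({"SAMLResponse": encoded, "RelayState": "x"})}}},
    ]}}


if __name__ == "__main__":
    # Pass a real HAR path as the first argument; otherwise the constructed overage sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            har = json.load(f)
    else:
        har = make_har(SAMPLE_OVERAGE)
    for verdict in inspect_har(har):
        print(verdict)
```

Run it as `python check_saml_groups.py login.har`; a verdict of `overage` confirms the problem described on this page, while `no-groups` means the groups claim was never configured for the application. A HAR file contains the full SAML response and session cookies, so treat it as sensitive and delete it once the check is done.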
To remediate this, open the IriusRisk enterprise application in Azure AD, go to the Edit groups claim screen, and change the groups claim from All groups to Groups assigned to the application. Azure AD then emits only the groups assigned to the application, which normally keeps the count well under the 150-group limit. Make sure every group that maps to an IriusRisk role is assigned to the application, otherwise it will be missing from the assertion even after the change.