[JIRA] (JENKINS-61381) Groups synchronization with Azure AD does not work if user has more than 150 groups

[pablo.gomezjimenez@dhl.com (JIRA)]

Pablo Gomez created an issue

Jenkins / JENKINS-61381 Groups synchronization with Azure AD does not work if user has more than 150 groups Issue Type: Bug Assignee: Ivan Fernandez Calvo Components: saml-plugin Created: 2020-03-07 14:41 Environment: Jenkins 2.190.1 SAML Plugin 1.1.5 Priority: Critical Reporter: Pablo Gomez I integrated Jenkins with Azure AD using the SAML plugin. I created in Azure AD a group claim to send the Jenkins the groups list the user is member of. The problem is if the user has more than 150 groups then Azure AD, instead of sending the groups claim, it sends a claim with name http://schemas.microsoft.com/claims/groups.link and value a Microsoft Graph link to get the list of groups. The SAML plugin is not calling the Microsoft Graph API and JEnkins thinks the user is not member of any group.  Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

[kuisathaverat@gmail.com (JIRA)]

Ivan Fernandez Calvo updated an issue

Jenkins / JENKINS-61381 Groups synchronization with Azure AD does not work if user has more than 150 groups

Change By: Ivan Fernandez Calvo Priority: Critical Minor

Add Comment

[kuisathaverat@gmail.com (JIRA)]

Ivan Fernandez Calvo commented on JENKINS-61381

Re: Groups synchronization with Azure AD does not work if user has more than 150 groups SAML Plugin implements the SAML 2.9 standard protocol, SAML 2.0 does not have any service to request groups for a user. The feature you described looks like a MIcrosoft extension, so not supported in the standard.

Add Comment

[kuisathaverat@gmail.com (JIRA)]

Ivan Fernandez Calvo edited a comment on JENKINS-61381

Re: Groups synchronization with Azure AD does not work if user has more than 150 groups

SAML Plugin implements the SAML 2. 9 0 standard protocol, SAML 2.0 does not have any service to request groups for a user. The feature you described looks like a MIcrosoft extension, so not supported in the standard.

Add Comment

[kuisathaverat@gmail.com (JIRA)]

Ivan Fernandez Calvo closed an issue as Not A Defect

Jenkins / JENKINS-61381

Groups synchronization with Azure AD does not work if user has more than 150 groups

Change By: Ivan Fernandez Calvo

Status: Open Closed Resolution: Not A Defect

Add Comment

[pablo.gomezjimenez@dhl.com (JIRA)]

Pablo Gomez commented on JENKINS-61381

Re: Groups synchronization with Azure AD does not work if user has more than 150 groups Ivan Fernandez Calvo For me it is not a Microsoft extension. It is just a limitation in Azure AD: if the user has less than 150 groups then it sends the claim with the list of groups normally, but if they have more than 150 then it sends you link to the service to get the full list in a different attribute. Anyway, it doesn't matter whether it is standard SAML or not, the issue is still valid.  The SAML plugin claims to support Azure AD and a lot of Azure users can be affected by this issue.

Add Comment

[pablo.gomezjimenez@dhl.com (JIRA)]

Pablo Gomez edited a comment on JENKINS-61381

Re: Groups synchronization with Azure AD does not work if user has more than 150 groups

[~ifernandezcalvo] For me it is not a Microsoft extension. It is just a limitation in Azure AD: if the user has less than 150 groups then it sends the claim with the list of groups normally, but if they have more than 150 then it sends you link to the service to get the full list in a different attribute. Anyway, it doesn't matter whether it is standard SAML or not, the issue is still valid.  The SAML plugin claims to support has a compatibility issue Azure AD and a lot of Azure users can be affected by this issue.

Add Comment