JENKINS-61381

Groups synchronization with Azure AD does not work if user has more than 150 groups


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not A Defect
    • Component: saml-plugin
    • Labels: None
    • Environment: Jenkins 2.190.1, SAML Plugin 1.1.5

    Description

      I integrated Jenkins with Azure AD using the SAML plugin. I created in Azure AD a group claim to send Jenkins the list of groups the user is a member of. The problem is that if the user has more than 150 groups, then Azure AD, instead of sending the groups claim, sends a claim with the name http://schemas.microsoft.com/claims/groups.link and, as its value, a Microsoft Graph link to get the list of groups. The SAML plugin is not calling the Microsoft Graph API, and Jenkins thinks the user is not a member of any group.
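      As an added illustration (not code from this issue or from the SAML plugin), the check below parses a SAML assertion's AttributeStatement and reports the groups.link overage marker separately from an empty group list, so the "user has no groups" outcome described above can be told apart from "the IdP did not deliver the groups at all" and a consumer can fail closed. The assertion XML, the group names and the link value are constructed, and the name of the regular groups claim is an assumed default (it is configurable in Azure AD).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim Azure AD emits instead of the group list above the group limit (name from the report above).
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
# Assumed name of the regular groups claim; the real name is configurable in Azure AD.
DEFAULT_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

def extract_groups(assertion_xml: str, groups_claim: str = DEFAULT_GROUPS_CLAIM) -> dict:
    """Return the groups found plus 'complete'=False when the groups.link overage claim is present."""
    root = ET.fromstring(assertion_xml)
    groups, overage_link = [], None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        if attr.get("Name") == groups_claim:
            groups.extend(values)
        elif attr.get("Name") == GROUPS_LINK_CLAIM and values:
            overage_link = values[0]
    # An empty list next to an overage link means "not delivered", not "member of nothing".
    return {"groups": groups, "overage_link": overage_link, "complete": overage_link is None}

def authorized_groups(assertion_xml: str) -> list:
    """Fail closed: refuse to authorize on an incomplete list instead of treating it as empty."""
    result = extract_groups(assertion_xml)
    if not result["complete"]:
        raise PermissionError(f"group list not delivered; overage link present: {result['overage_link']}")
    return result["groups"]

# Constructed sample assertions (not real Azure AD output); the link value is a placeholder.
NORMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>jenkins-admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.example/PLACEHOLDER-TENANT/groups</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Logging the overage link at WARN level whenever `complete` is False is the cheapest way to see how many logins are hitting this limit before deciding how to source the membership list.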

        Activity

          Ivan Fernandez Calvo (ifernandezcalvo) added a comment - edited

          SAML Plugin implements the SAML 2.0 standard protocol; SAML 2.0 does not have any service to request groups for a user. The feature you described looks like a Microsoft extension, so it is not supported in the standard.

          Pablo Gomez (pgomez) added a comment - edited

          ifernandezcalvo For me it is not a Microsoft extension. It is just a limitation in Azure AD: if the user has less than 150 groups then it sends the claim with the list of groups normally, but if they have more than 150 then it sends you a link to the service to get the full list in a different attribute. Anyway, it doesn't matter whether it is standard SAML or not, the issue is still valid. The SAML plugin has a compatibility issue with Azure AD and a lot of users can be affected by this issue.


          People

            Assignee: Ivan Fernandez Calvo (ifernandezcalvo)
            Reporter: Pablo Gomez (pgomez)
            Votes: 0
            Watchers: 2
