SAML is not finding user in group to assign desired role (4267552)

Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Return

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Title

SAML is not finding user in group to assign desired role
Description

When a particular user logs in the Default Role for Unmatched is set as the role, instead of the desired role. The user is member of the correct SAML group, but not assigned to the right Role and it only happens to a specific user or group of users.
Cause

When reviewing the SAML.xml file with a SAML Scanning tool, search for the Group Attribute with the ObjectId as a value.

The Objectid should match with SAML’s Group Objectid, when matching KACE SMA Roles with Groups.
Review below an example of valid Group Attribute syntax with groups as the the attribute name.

Azure AD groups Attribute in SAML.xml

In some cases the Group Attribute name won’t target the group, but instead a groups.link. Example Below

Azure AD groups.link Attribute in SAML.xml

Due to SAML’s limitations on the number of group claims per token, it will replace group attribute with a groups.link attribute.
Azure AD has a limit on number of groups added to a token and Nested groups can magnify the amount of group’s claimed to users.
Microsoft Recommends Application roles instead of groups to make it more secure and efficient.

For more details, visit Microsoft Documentation on Azure Active Directory group claims
Resolution
There is no suggested fix from Microsoft on this matter; nonetheless, we suggest two work-around to ensure the proper roles assigned accordingly.
First Confirm the Group Attribute exceeded the token limitation with the following steps:

1. Open PowerShell and connect to AzureAD
Connect-AzureAD
2. Look for Group by ObjectId
3. Verify User group membership
Get-AzureADGroupMember –ObjectId “id”
4. Confirm amount of Groups claimed for specific user by ObjectId
$groups = Get-AzureADUserMembership –ObjectId “Id”
$groups.count
NOTE: Attempt to range group count not greater than 100 as suggestion. Optimize Active Directory management to ensure an effective setup. According to Microsoft 150 is the limit for Azure AD SAML Token.

Option A:
Create a new attribute to use for Matching Instead of Groups.
This work-around will allow mapping with a different Object Id, which will not have more than 150 values.

Option B:
Reduce the amount of groups for the users (Including Nested Groups)
This work-around will allow to continue using Group Object Id for mapping, without changing the entire SAML setup.
Additional Information

Microsoft AzureAD Documentation - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Request a KB Article

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

SAML is not finding user in group to assign desired role (4267552)

Title

Description

Cause

Azure AD groups Attribute in SAML.xml

Azure AD groups.link Attribute in SAML.xml

Resolution

Additional Information

Leave a Comment