When using group membership claims to match against groups within Asset Bank, it is possible to exceed the HTTP header size limit. Azure Active Directory guards against this by limiting SAML tokens to 150 group claims. If a user is a member of more groups than this (including membership inherited from parent groups), Azure Active Directory emits no group claims at all; instead it includes an overage claim telling the application to query the Graph API for the user's group membership. An application that only reads the claims in the token therefore sees no group membership for that user.
To avoid this issue, use app roles instead of group claims for group mapping. Create a role for each security group you want to pass to Asset Bank, assign that role to the associated group, and then match your Asset Bank groups to these roles. Only the roles assigned to the user are emitted, so the token size is bounded by the number of roles you define rather than by the user's total group membership.
1. Adding Roles in the Asset Bank application
- Go to the Azure portal – portal.azure.com
- In the Azure portal, on the left navigation pane, click Azure Active Directory.
- Click App registrations
- Click your Asset Bank application
- Click on Manifest
- The manifest editor shows the application's JSON manifest. Note the appRoles property and the groupMembershipClaims property; both are edited in the following steps.
- Add roles in the same JSON format.
Each role must:
- be in the same format as the msiam_access role
- have a unique "id" (e.g. "id": "82811e87-6f98-4510-95e5-9cbe849acfad"); you can use a Globally Unique Identifier (GUID) generator
- have a unique "value", as this is the string you will later enter in Asset Bank's Remote Group(s) field
You also need to stop Azure Active Directory emitting SecurityGroup membership, by changing the groupMembershipClaims value from "SecurityGroup" to null.
For example, to add the AG-AssetBank-Level1 and AG-AssetBank-Level2 roles, append two entries to the appRoles array and set groupMembershipClaims to null. Your manifest should then contain the msiam_access role, both new roles, and a null groupMembershipClaims value.
- Click Save
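The rules above are easy to get wrong by hand (a reused GUID, a reused value, or groupMembershipClaims left at "SecurityGroup"), so it is worth checking the fragment before saving it. The script below is an added example and is not part of the Asset Bank documentation or product: it loads a constructed manifest fragment (the GUIDs, descriptions and the second role's id are made up) and reports each rule violation, alongside a deliberately broken counter-example.

```python
"""Check the appRoles / groupMembershipClaims part of an Azure AD app manifest.

Added example, not from the Asset Bank documentation or product. It applies
the rules listed above to a manifest fragment before it is pasted back into
the portal. SAMPLE_MANIFEST and BROKEN_MANIFEST are constructed samples; the
GUIDs and description strings are made up.
"""
import json
import uuid

# Every app role carries these keys (same shape as the default msiam_access role).
REQUIRED_KEYS = {"allowedMemberTypes", "description", "displayName", "id", "isEnabled", "value"}

# Constructed sample: the default msiam_access role plus the two roles the
# procedure adds, with the groups claim switched off.
SAMPLE_MANIFEST = json.loads(r"""
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "msiam_access",
      "displayName": "msiam_access",
      "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
      "isEnabled": true,
      "value": null
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "Asset Bank level 1 users",
      "displayName": "AG-AssetBank-Level1",
      "id": "82811e87-6f98-4510-95e5-9cbe849acfad",
      "isEnabled": true,
      "value": "AG-AssetBank-Level1"
    },
    {
      "allowedMemberTypes": ["User"],
      "description": "Asset Bank level 2 users",
      "displayName": "AG-AssetBank-Level2",
      "id": "0f2c4c0e-1b6d-4a5a-9d4e-5c2a6b7e8f90",
      "isEnabled": true,
      "value": "AG-AssetBank-Level2"
    }
  ],
  "groupMembershipClaims": null
}
""")

# Constructed counter-example: a non-GUID id, a duplicated value, and the
# groups claim still enabled.
BROKEN_MANIFEST = json.loads(r"""
{
  "appRoles": [
    {"allowedMemberTypes": ["User"], "description": "Level 1", "displayName": "AG-AssetBank-Level1",
     "id": "82811e87-6f98-4510-95e5-9cbe849acfad", "isEnabled": true, "value": "AG-AssetBank-Level1"},
    {"allowedMemberTypes": ["User"], "description": "Level 2", "displayName": "AG-AssetBank-Level2",
     "id": "not-a-guid", "isEnabled": true, "value": "AG-AssetBank-Level1"}
  ],
  "groupMembershipClaims": "SecurityGroup"
}
""")


def lint_app_roles(manifest):
    """Return a list of problems; an empty list means the fragment follows the rules."""
    problems = []
    seen_ids = {}     # id -> displayName of the first role using it
    seen_values = {}  # value -> displayName of the first role using it
    for idx, role in enumerate(manifest.get("appRoles", [])):
        name = role.get("displayName", f"role #{idx}")
        missing = REQUIRED_KEYS - set(role)
        if missing:
            problems.append(f"{name}: missing keys {sorted(missing)}")
        role_id = role.get("id")
        try:
            uuid.UUID(str(role_id))
        except ValueError:
            problems.append(f"{name}: id {role_id!r} is not a GUID")
        if role_id in seen_ids:
            problems.append(f"{name}: id {role_id} duplicates {seen_ids[role_id]}")
        seen_ids.setdefault(role_id, name)
        # msiam_access keeps value null; every role you add needs a unique value,
        # because that value is what Asset Bank matches in its Remote Group(s) field.
        value = role.get("value")
        if name != "msiam_access":
            if not value:
                problems.append(f"{name}: value must be set")
            elif value in seen_values:
                problems.append(f"{name}: value {value!r} duplicates {seen_values[value]}")
            else:
                seen_values[value] = name
        # Roles assigned to groups (step 2) must allow the User member type.
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"{name}: allowedMemberTypes must include 'User'")
    # With group claims still on, users in more than 150 groups get the overage claim.
    if manifest.get("groupMembershipClaims") is not None:
        problems.append("groupMembershipClaims must be null")
    return problems


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("broken", BROKEN_MANIFEST)):
        print(label, lint_app_roles(manifest) or "OK")
```

Paste the appRoles array and groupMembershipClaims value from the portal's manifest editor into a file, load it with json.load, and run lint_app_roles on it; an empty list means the fragment is safe to save.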
2. Assigning Roles to Groups
- In the Azure portal, click Azure Active Directory, then Enterprise applications.
- Click your Asset Bank application
- Click Users and groups
- Select the group you want to assign a role to and click Edit (if the group is not yet listed, click Add user/group first to assign it to the application)
- Click Select Role
- Choose the role you added in 1. Adding Roles in the Asset Bank application, and click Select
- Click Assign in the Edit Assignment window.
- Repeat this procedure for each role you added in 1. Adding Roles in the Asset Bank application
3. Remote group mapping in Asset Bank
- Log in to Asset Bank as an admin user, navigate to Admin > Groups
- Select edit for the group you want to map to Azure Active Directory
- In the Remote Group(s) field, enter the "value" of the associated role created in 1. Adding Roles in the Asset Bank application, and click Save. The match is on the role's value, not its displayName.
4. Update the remote group claim rules and the attribute mapping
Contact the support team if you are hosted with us to request that the mapping of remote groups is switched to use the appRoles claim.
Remove the existing groups claim from the attribute mapping, e.g.:
<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" id="memberOf">
    <AttributeDecoder xsi:type="StringAttributeDecoder"/>
</Attribute>
Replace it with the new role-based claim, e.g.:
<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" id="memberOf">
    <AttributeDecoder xsi:type="StringAttributeDecoder"/>
</Attribute>
Only the claim name changes; the id stays memberOf, so the attribute Asset Bank reads for remote group mapping is unchanged.
Alternatively, if you manage your own server, please get in touch with our support team to receive further instructions.
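Once the mapping has been switched, confirm what the token actually carries rather than assuming it: capture the SAMLResponse POST in the browser, decode it, and look for the role claim, and check that the groups claim (or the overage claim that replaces it) is no longer present. The script below is an added example and is not part of the Asset Bank documentation or product. Both assertions in it are constructed, unsigned samples; the overage claim name and the Graph URL shape are those Microsoft documents for SAML tokens, and the tenant and user id in the URL are placeholders.

```python
"""Inspect the claims carried by an Azure AD SAML assertion.

Added example, not from the Asset Bank documentation or product. After the
attribute mapping is switched from the groups claim to the role claim, decode
a captured SAML response and confirm which claims the token actually carries.
Both assertions below are constructed, unsigned samples; the overage claim
name is the one Microsoft documents for SAML tokens.
"""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Sent instead of the groups claim when the user is in more than 150 groups.
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample after the switch: two app roles, no groups claim.
# Signature, Subject and Conditions are omitted; a real SP must verify the
# signature before any claim here is trusted.
ROLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>AG-AssetBank-Level1</saml:AttributeValue>
      <saml:AttributeValue>AG-AssetBank-Level2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Example User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of the failure mode: group claims left on and the user in
# too many groups, so the groups claim is absent and the overage link is sent.
# Tenant and user id in the URL are placeholders.
OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.windows.net/contoso/users/00000000-0000-0000-0000-000000000000/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def decode_saml_response(form_value):
    """The SAMLResponse POST field is the base64-encoded response XML."""
    return base64.b64decode(form_value).decode("utf-8")


def claims_from_assertion(xml_text):
    """Map each attribute Name in the assertion to its list of values."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return claims


def remote_groups(xml_text):
    """Values Asset Bank matches against its Remote Group(s) field once the mapping uses the role claim."""
    return claims_from_assertion(xml_text).get(ROLE_CLAIM, [])


def has_group_overage(xml_text):
    """True when Azure AD withheld the groups claim and sent the overage link instead."""
    claims = claims_from_assertion(xml_text)
    return OVERAGE_CLAIM in claims and GROUPS_CLAIM not in claims


if __name__ == "__main__":
    # What the SAMLResponse form field looks like on the wire, then decoded again.
    encoded = base64.b64encode(ROLE_ASSERTION.encode()).decode()
    print("roles:", remote_groups(decode_saml_response(encoded)))
    print("overage in sample 2:", has_group_overage(OVERAGE_ASSERTION))
```

If remote_groups returns an empty list for a user who should have roles, check that the group the user belongs to is assigned the role in Enterprise applications (step 2), and that the role's value rather than its display name is what you entered in Asset Bank (step 3). A True result from has_group_overage on a real token means groupMembershipClaims was not set to null in step 1.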