Technical

Azure AD - using Roles as Asset Bank groups

Follow

When using Group membership claims to match with groups within Asset Bank, it is possible to exceed the HTTP header size limit.  Azure Active Directory prevents this from happening by placing a limit of 150 groups for SAML tokens. If a user is a member of more groups (including inherited group membership from parent groups) than this limit then Azure Active Directory will not emit any group claims in the token, and instead will include an overage claim in the token that indicates to the application to query the Graph API to retrieve the user’s group membership.

To avoid this issue, you must implement using Roles for Group Mappings. By creating a Role for each Security Group you want to pass over to Asset Bank and assigning that Role to the associated Group, you can then match your Asset Bank groups to these Roles.

 

1. Adding Roles in the Asset Bank application

  1. Go to the Azure portal – portal.azure.com
  2. In the Azure portal, on the left navigation pane, click Azure Active Directory.

    Screen_Shot_2018-09-07_at_11.22.07.png
  3. Click App registrations

    Screen_Shot_2018-09-07_at_11.23.52.png
  4. Click your Asset Bank application

    Azure_AD_-_Azure.png

  5. Click on Manifest

    Screen_Shot_2018-09-07_at_11.26.16.png
  6. You will see a Manifest similar to below.  Note the “appRoles” property in green.  And the “GroupMembershipClaims” also in green.

    Screen_Shot_2018-09-07_at_11.27.00.png
  7. Add roles in the same JSON format.

    Each role must:

      • be in the same format as the msiam_access role
      • have a unique “id” (e.g., “id”:”82811e87-6f98-4510-95e5-9cbe849acfad”). You can use a Globally Unique Identifier (GUID) generator.
      • Have a unique “value”

    You also need to exclude including the “SecurityGroup” membership, by changing this value to null.

    In the following example, the AG-AssetBank-Level1 and AG-AssetBank-Level2 roles are being added and the GroupMembershipClaims modified to null.  Your request body should look similar:

    Screen_Shot_2018-09-07_at_11.29.10.png
  8. Click Save

2. Assigning Roles to Groups

  1. In the Azure portal, Azure Active Directory.  Click Enterprise Applications.
  2. Click your Asset Bank application
  3. Click Users and groups

    Screen_Shot_2018-09-07_at_11.32.36.png
  4. Select the group you want to assign a role to and click Edit

    Screen_Shot_2018-09-07_at_11.33.15.png
  5. Click Select Role

    Screen_Shot_2018-09-07_at_11.36.09.png
  6. Choose the role you added in 1. Adding Roles in the Asset Bank application, and click Select

    Screen_Shot_2018-09-07_at_11.34.04.png
  7. Click Assign in the Edit Assignment window.

    Screen_Shot_2018-09-07_at_11.37.10.png
  8. Repeat this procedure for each role you added in 1. Adding Roles in the Asset Bank application

3. Remote group mapping in Asset Bank

  1. Log in to Asset Bank as an admin user, navigate to Admin > Groups
  2.  Select edit for the group you want to map to Azure Active Directory

    mceclip0.png
  3. In the Remote Group (s): field enter the Value used for the associated role created in 1. Adding Roles in the Asset Bank application & click Save.

    mceclip1.png

    4. Update the remote group claim rules and the attribute mapping

    Contact the support team to request that the mapping of remote groups is switched to use the appRoles claim. 

    Remove the existing groups claim in Azure AD e.g.

    <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" id="memberOf"> <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>

    Replace it with the new role based claim e.g.

    <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" id="memberOf"> <AttributeDecoder xsi:type="StringAttributeDecoder"/>
    </Attribute>

Related articles

Comments

0 comments

Article is closed for comments.