[RTFACT-20095] Improve SAML groups claim integration with AzureAD SAML
Created: 11/Sep/19
Updated: 20/Sep/19

Status: Open
Project: Artifactory Binary Repository
Component/s: SAML SSO
Affects Version/s: 6.8.11, 6.10.2
Fix Version/s: None

Type: Improvement
Priority: High
Reporter: Charles Lambert
Assignee: Unassigned
Resolution: Unresolved
Votes: 4
Labels: artifactory, security

JFrog artifactory SaaS


Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions, and 200 for JWT, to prevent tokens from getting too large. If a user is a member of a larger number of groups than the limit, the groups are emitted along with a link to the Graph endpoint to obtain group information.

This request is to improve the current SAML SSO integration to allow Artifactory to consume the graph endpoint. In large organizations, SAML tokens can exceed HTTP header limits, which can lead to unpredictable results. Thus, Azure will emit a graph group claim to allow the app (Artifactory) to query all groups the user belongs to.

Comment by Chris Denneen [ 16/Sep/19 ]

Yes need a way to parse the graph link for Group information
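
The handling requested in this ticket, sketched as an added example that is not part of the ticket or of Artifactory's code: a service provider reads the attribute statement, uses inline groups when present, and otherwise picks up the Graph link, checking its scheme and host before anything is fetched. The two attribute names are the ones Microsoft documents for the SAML groups claim and its overage link; the host allow-list, the function names and the sample assertions are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
# Assumption: the only hosts this service provider will query for group data.
ALLOWED_GRAPH_HOSTS = {"graph.microsoft.com", "graph.windows.net"}


def attribute_values(assertion_xml):
    """Map each SAML Attribute Name to its list of AttributeValue strings.

    Assumes the assertion signature was already verified by the SAML library;
    production code should also use a hardened XML parser.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_group_source(assertion_xml):
    """Return ("inline", [group ids]), ("graph", url) or ("none", None)."""
    attrs = attribute_values(assertion_xml)
    if attrs.get(GROUPS_CLAIM):
        return "inline", attrs[GROUPS_CLAIM]
    links = attrs.get(GROUPS_LINK_CLAIM, [])
    if not links:
        return "none", None
    url = urlsplit(links[0])
    # The link arrives inside the assertion: pin scheme and host before any request.
    if url.scheme != "https" or url.hostname not in ALLOWED_GRAPH_HOSTS:
        raise ValueError("groups.link points outside the allowed Graph hosts")
    return "graph", links[0]


def _sample(name, values):
    """Build a constructed, unsigned assertion fragment (not real Azure AD output)."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:AttributeStatement><saml:Attribute Name="{name}">{vals}'
            "</saml:Attribute></saml:AttributeStatement></saml:Assertion>")


INLINE = _sample(GROUPS_CLAIM, ["group-a", "group-b"])
OVERAGE_URL = "https://graph.windows.net/TENANT-ID/users/USER-OID/getMemberObjects"
OVERAGE = _sample(GROUPS_LINK_CLAIM, [OVERAGE_URL])
```

A caller that gets `("graph", url)` still needs its own application credentials to query Graph for the user's memberships; the assertion itself carries no token for that call.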

Generated at Tue Sep 29 11:47:25 UTC 2020 using Jira 8.5.3#805003-sha1:b4933e02eaff29a49114274fe59e1f99d9d963d7.