SAML for Atlassian Data Center
SAMLDC-97

JIT does not work with Azure AD SSO for users with more than 150 groups

    • Type: Bug
    • Resolution: Unresolved
    • Priority: High
    • SSO

      Issue Summary

      When configuring JIT provisioning for Atlassian applications, a 'Group' attribute must be defined so that the group memberships are properly mapped.

      Usually, the "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" attribute is sent by Azure, though if the user has more than 150 groups, "http://schemas.microsoft.com/claims/groups.link" will be sent instead.
      Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens

      Due to this mismatch, JIT won't work as expected for users with more than 150 groups.
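To make the mismatch concrete, here is an added example (not code from the SAML for Atlassian Data Center plugin) that parses the AttributeStatement of a SAML assertion and reports what the JIT group mapping would see: the group list under the configured claim, or the groups.link overage claim that Azure AD substitutes above 150 groups, which is the case that produces the "could not be found" error. The claim names are the ones from this issue; the assertions, the group names and the Graph link value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Azure AD claim names from the issue: the normal groups claim, and the
# groups.link "overage" claim Azure AD sends instead above 150 groups.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from an assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def diagnose_group_claim(xml_text, configured_attr=GROUPS_CLAIM):
    """Mirror the JIT group mapping: report the groups that would be mapped,
    or why the mapping fails (the 'could not be found' error in the issue)."""
    attrs = assertion_attributes(xml_text)
    if configured_attr in attrs:
        return {"status": "ok", "groups": attrs[configured_attr]}
    if GROUPS_LINK_CLAIM in attrs:
        # Overage case: no group list in the assertion, only a Graph link.
        return {"status": "overage", "graph_link": attrs[GROUPS_LINK_CLAIM][0],
                "reason": f"Attribute [{configured_attr}] could not be found; "
                          "Azure AD sent groups.link (user has more than 150 groups)"}
    return {"status": "missing", "reason": f"Attribute [{configured_attr}] could not be found"}


def build_assertion(*attributes):
    """Constructed, unsigned test assertion (sample data, not a real Azure AD token)."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")


# Constructed samples: a user under the limit, and one Azure AD put into overage.
NORMAL_USER = build_assertion((GROUPS_CLAIM, ["jira-users", "confluence-admins"]))
OVERAGE_USER = build_assertion((GROUPS_LINK_CLAIM, ["https://graph.example/PLACEHOLDER/getMemberObjects"]))

if __name__ == "__main__":
    for label, doc in (("normal", NORMAL_USER), ("overage", OVERAGE_USER)):
        print(label, diagnose_group_claim(doc))
```

Run it only against an assertion whose signature has already been verified by the service provider; it inspects the attribute payload and performs no validation of its own.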

      Steps to Reproduce

      1. Configure JIT using "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" as a group attribute
      2. Ensure that there are users with more than 150 groups on Azure AD
      3. Try to log in with any user with more than 150 groups

      Expected Results

      The user will be able to access Jira as expected

      Actual Results

      The user won't be able to access Jira, as a different attribute is sent from Azure (http://schemas.microsoft.com/claims/groups.link).

      This error can be seen in the logs:

      04:15:34,418-0500 http-nio-8080-exec-14 DEBUG anonymous 255x20232x1 XXXXX XXXXXXXX /plugins/servlet/samlconsumer [c.a.p.a.i.web.saml.SamlConsumerServlet] Failed to authenticate: com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
      2021-10-22 04:15:34,420-0500 http-nio-8080-exec-14 ERROR anonymous 255x20232x1 XXXXX XXXXXXXX /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
      com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
          at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:64)
          at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:36)
          at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)

      Workaround

      Consider adding the user ID to an application-only group and reconfiguring each user's group claim to application access only (i.e. User.Groups[ApplicationGroup]).


            YGG IT added a comment -

            Hello.... Still waiting for your product which is branded as a "Data Center" product to allow more than 150 groups here. Waiting about three years now and your products appear to be the only ones with this issue.

            As another potential solution for you to try: other vendors use Graph to get more groups when you need more than 150 groups. Paessler, for example, even has a radio button where you can choose to use the authorization token (150 group limit) or Graph (no limit).....

            Really don't understand what is taking this so long...


            YGG IT added a comment -

            I just wanted to add that it would be nice if there was some movement on this. I mean this has been open since 2021 and this is supposed to be an "enterprise" level product.

            I have now been waiting for a year and the most that has happened is that this has been revised to something that looks like it will take longer.


            YGG IT added a comment -

            I don't understand how a product designated as Data Center can't accommodate a user with more than 150 groups with no workaround? I would greatly appreciate a fix as this impacts our ability to use this product, or perhaps you should lower the price and possibly rename this Small Business Edition?


            YGG IT added a comment -

            Hey Guys,

            Can you just fix this? As a programmer this should be SUPER easy, yet it's been open for two years! We need to use SSO functionality in Confluence and I can't believe something so minor is holding us up?! You know I used to love Atlassian products, but with your push towards cloud only (and the downtime that it has caused customers) along with these delays in minor fixes it has got me begging for alternatives.

            Andrew


            Dharmesh Gordhan added a comment -

            This also applies when using Azure AD and OIDC. The limit for OIDC is 200 (rather than 150).

              Assignee: Unassigned
              Reporter: Rodrigo Rosa (rrosa@atlassian.com)
              Affected customers: 10
              Watchers: 21