SAML for Atlassian Data Center
SAMLDC-97

JIT does not work with Azure AD SSO for users with more than 150 groups


    • Type: Bug
    • Resolution: Unresolved
    • Priority: High
    • Component: SSO

      Issue Summary

      When configuring JIT provisioning for Atlassian applications, a 'Group' attribute must be defined so that the group memberships are properly mapped.

      Azure normally sends the group memberships in the "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" attribute. If the user belongs to more than 150 groups, however, Azure sends "http://schemas.microsoft.com/claims/groups.link" instead.
      Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens

      Because the attribute the application expects is then missing from the assertion, JIT won't work as expected for users with more than 150 groups.
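      The following example is added here to illustrate the mismatch described above; it is not code from the SAML for Atlassian Data Center plugin. It parses the AttributeStatement of two constructed SAML assertions (normal case and the over-150-groups case, with a placeholder groups.link URL) and reports the overage condition explicitly instead of only "Attribute [...] could not be found".

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample: the normal case, where the groups claim lists the group IDs.
NORMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>group-id-1</saml:AttributeValue>
      <saml:AttributeValue>group-id-2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the overage case (user in more than 150 groups). The groups
# claim is absent and only groups.link is present; the URL value is a placeholder.
OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://PLACEHOLDER-GRAPH-ENDPOINT/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_groups(assertion_xml, group_attr=GROUPS_CLAIM):
    """Return ('ok', groups), ('overage', []) or ('missing', []).

    'overage' is the SAMLDC-97 condition: the configured group attribute is
    absent but groups.link is present, so the IdP replaced the list with a link.
    """
    attrs = saml_attributes(assertion_xml)
    if group_attr in attrs:
        return "ok", attrs[group_attr]
    if GROUPS_LINK_CLAIM in attrs:
        return "overage", []
    return "missing", []
```

      A service provider that distinguishes "overage" from "missing" can log why group mapping failed and fall back to a deliberate policy rather than silently denying access.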

      Steps to Reproduce

      1. Configure JIT using "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" as a group attribute
      2. Ensure that there are users with more than 150 groups on Azure AD
      3. Try to log in with any user with more than 150 groups

      Expected Results

      The user will be able to access Jira as expected

      Actual Results

      The user won't be able to access Jira, because Azure sends a different attribute (http://schemas.microsoft.com/claims/groups.link) in place of the configured one.

      This error can be seen in the logs:

      04:15:34,418-0500 http-nio-8080-exec-14 DEBUG anonymous 255x20232x1 XXXXX XXXXXXXX /plugins/servlet/samlconsumer [c.a.p.a.i.web.saml.SamlConsumerServlet] Failed to authenticate: com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
      2021-10-22 04:15:34,420-0500 http-nio-8080-exec-14 ERROR anonymous 255x20232x1 XXXXX XXXXXXXX/plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
      com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
          at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:64)
          at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:36)
          at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)

      Workaround

      Consider adding the user ID to an application-only group and reconfiguring each user's group claim to application access only (i.e. User.Groups[ApplicationGroup]).

              Assignee: Unassigned
              Reporter: Rodrigo Rosa (rrosa@atlassian.com)
              Votes: 10
              Watchers: 21