
JIT does not work with Azure AD SSO for users with more than 150 groups

    • Type: Bug
    • Resolution: Unresolved
    • Priority: High
    • Component: SSO

      Issue Summary

      When configuring JIT provisioning for Atlassian applications, a 'Group' attribute must be defined so that the group memberships are properly mapped.

      Normally, Azure AD sends group memberships in the "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" attribute. If the user belongs to more than 150 groups, Azure AD omits that attribute and sends "http://schemas.microsoft.com/claims/groups.link" instead.
      Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens

      Due to this mismatch, JIT won't work as expected for users with more than 150 groups.
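      The following is an added example (not code from the SAML for Atlassian Data Center plugin) that inspects a SAML assertion's AttributeStatement the way a JIT group mapper would, and reports the groups.link overage claim explicitly instead of a bare "attribute could not be found". The assertion fragments are constructed; the groups.link value is a placeholder, not a real Graph URL.

```python
"""Distinguish the Azure AD group-overage case from a plain missing attribute.

Added example, not part of the Atlassian plugin. Parses a constructed SAML 2.0
AttributeStatement and maps the configured group attribute.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result[attr.get("Name")] = values
    return result


def map_groups(assertion_xml, group_attribute=GROUPS_CLAIM):
    """Mimic JIT group mapping, but name the overage condition when it occurs."""
    attrs = attributes(assertion_xml)
    if group_attribute in attrs:
        return ("ok", attrs[group_attribute])
    if GROUPS_LINK_CLAIM in attrs:
        # Azure AD replaced the groups claim with a link claim: the user has
        # more than 150 groups, so the configured attribute cannot be present.
        return ("overage", attrs[GROUPS_LINK_CLAIM])
    return ("missing", [])


def _assertion(attr_name, values):
    """Build a constructed (test-only) SAML assertion carrying one attribute."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f'<saml:Attribute Name="{attr_name}">{vals}</saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")


# Constructed sample assertions: a normal user and an overage user.
NORMAL_USER = _assertion(GROUPS_CLAIM, ["jira-users", "jira-admins"])
OVERAGE_USER = _assertion(GROUPS_LINK_CLAIM, ["https://graph.example/placeholder-link"])

if __name__ == "__main__":
    for label, xml in (("normal", NORMAL_USER), ("overage", OVERAGE_USER)):
        print(label, map_groups(xml))
```

      A consumer that logs the "overage" outcome separately makes the 150-group case visible in the logs rather than indistinguishable from a misconfigured attribute name.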

      Steps to Reproduce

      1. Configure JIT using "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" as a group attribute
      2. Ensure that there are users with more than 150 groups on Azure AD
      3. Try to log in with any user with more than 150 groups

      Expected Results

      The user will be able to access Jira as expected

      Actual Results

      The user won't be able to access Jira, as a different attribute is sent from Azure (http://schemas.microsoft.com/claims/groups.link)

      This error can be seen in the logs:

      04:15:34,418-0500 http-nio-8080-exec-14 DEBUG anonymous 255x20232x1 XXXXX XXXXXXXX /plugins/servlet/samlconsumer [c.a.p.a.i.web.saml.SamlConsumerServlet] Failed to authenticate: com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
      2021-10-22 04:15:34,420-0500 http-nio-8080-exec-14 ERROR anonymous 255x20232x1 XXXXX XXXXXXXX /plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
      com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
          at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:64)
          at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:36)
          at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)

      Workaround

      Consider adding the user ID to an application-only group and reconfiguring each user's group claim to application access only (i.e. User.Groups[ApplicationGroup]).


            Conny Postma made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 821266 ]
            Michal Samujlo made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 981887 ]
            Michal Samujlo made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 948492 ]

            YGG IT added a comment -

            Hello.... Still waiting for your product which is branded as a "Data Center" product to allow more than 150 groups here. Waiting about three years now and your products appear to be the only ones with this issue.

            As another potential solution for you to try: other vendors use Graph to get more groups when you need more than 150 groups. Paessler, for example, even has a radio button where you can choose to use the authorization token (150 group limit) or Graph (no limit).....

            Really don't understand what is taking this so long...

            YGG IT added a comment -

            I just wanted to add that it would be nice if there was some movement on this. I mean this has been open since 2021 and this is supposed to be an "enterprise" level product.

            I have now been waiting for a year and the most that has happened is this has been revised to something that looks like it will take longer.
            Pawel Cieszko made changes -
            Status Original: Short Term Backlog [ 12074 ] New: Long Term Backlog [ 12073 ]
            Iker Alonso made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 821266 ]
            Pawel Cieszko made changes -
            Status Original: Gathering Impact [ 12072 ] New: Short Term Backlog [ 12074 ]
            Pawel Cieszko made changes -
            Status Original: Long Term Backlog [ 12073 ] New: Gathering Impact [ 12072 ]
            Viktar Arlou made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 803358 ]

              Assignee: Unassigned
              Reporter: Rodrigo Rosa (rrosa@atlassian.com)
              Affected customers: 10
              Watchers: 21