-
Bug
-
Resolution: Unresolved
-
High
-
None
-
None
Issue Summary
When configuring JIT provisioning for Atlassian applications, a 'Group' attribute must be defined so that the group memberships are properly mapped.
Usually, the "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" attribute is sent by Azure, though if the user has more than 150 groups, "http://schemas.microsoft.com/claims/groups.link" will be sent instead.
Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens
Due to this mismatch, JIT won't work as expected for users with more than 150 groups.
Steps to Reproduce
- Configure JIT using "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" as a group attribute
- Ensure that there are users with more than 150 groups on Azure AD
- Try to log in with any user with more than 150 groups
Expected Results
The user will be able to access Jira as expected
Actual Results
The user won't be able to access Jira, as a different attribute is sent from Azure (http://schemas.microsoft.com/claims/groups.link)
This error can be seen in the logs :
04:15:34,418-0500 http-nio-8080-exec-14 DEBUG anonymous 255x20232x1 XXXXX XXXXXXXX /plugins/servlet/samlconsumer [c.a.p.a.i.web.saml.SamlConsumerServlet] Failed to authenticate: com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found 2021-10-22 04:15:34,420-0500 http-nio-8080-exec-14 ERROR anonymous 255x20232x1 XXXXX XXXXXXXX/plugins/servlet/samlconsumer [c.a.p.a.i.web.filter.ErrorHandlingFilter] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be foundcom.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:64) at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:36) at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:102)
Workaround
Consider adding the user ID to an application only group and reconfiguring each user's group claim to application access only (ie. User.Groups[ApplicationGroup]).
- is cloned by
-
KRAK-4448 Failed to load
- is related to
-
PSSRV-59250 You do not have permission to view this issue
- mentioned in
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
[SAMLDC-97] JIT does not work with Azure AD SSO for users with more than 150 groups
| Remote Link | Original: This issue links to "Page (Atlassian Documentation)" [ 821266 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 981887 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 948492 ] |
| Status | Original: Short Term Backlog [ 12074 ] | New: Long Term Backlog [ 12073 ] |
| Remote Link | New: This issue links to "Page (Atlassian Documentation)" [ 821266 ] |
| Status | Original: Gathering Impact [ 12072 ] | New: Short Term Backlog [ 12074 ] |
| Status | Original: Long Term Backlog [ 12073 ] | New: Gathering Impact [ 12072 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 803358 ] |
| Labels | Original: pse-request short-term-backlog | New: pse-request |
| Status | Original: Short Term Backlog [ 12074 ] | New: Long Term Backlog [ 12073 ] |